forbid chained onbuild, from & maintainer triggers

This changes the way onbuild works: - forbids the chaining of onbuild instructions - forbids the use of `onbuild from` - forbids the use of `onbuild maintainer` It also makes docker throw errors when encountering such triggers when executing the triggers during `FROM`. Three tests have been added: - ensure that chained onbuild (`onbuild onbuild`) is forbidden - ensure that `onbuild from` is forbidden - ensure that `onbuild maintainer` is forbidden Docker-DCO-1.1-Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com> (github: unclejack)
2022-11-09 12:21:53 -05:00 · 2014-02-20 17:16:45 +02:00 · 2014-02-20 17:16:45 +02:00 · b829e96cde
commit b829e96cde
parent d45538f243
3 changed files with 60 additions and 0 deletions
--- a/buildfile.go
+++ b/buildfile.go
@ -117,6 +117,14 @@ func (b *buildFile) CmdFrom(name string) error {
 		fmt.Fprintf(b.errStream, "# Executing %d build triggers\n", nTriggers)
 	}
 	for n, step := range b.config.OnBuild {
+		splitStep := strings.Split(step, " ")
+		stepInstruction := strings.ToUpper(strings.Trim(splitStep[0], " "))
+		switch stepInstruction {
+		case "ONBUILD":
+			return fmt.Errorf("Source image contains forbidden chained `ONBUILD ONBUILD` trigger: %s", step)
+		case "MAINTAINER", "FROM":
+			return fmt.Errorf("Source image contains forbidden %s trigger: %s", stepInstruction, step)
+		}
 		if err := b.BuildStep(fmt.Sprintf("onbuild-%d", n), step); err != nil {
 			return err
 		}
@ -128,6 +136,14 @@ func (b *buildFile) CmdFrom(name string) error {
 // The ONBUILD command declares a build instruction to be executed in any future build
 // using the current image as a base.
 func (b *buildFile) CmdOnbuild(trigger string) error {
+	splitTrigger := strings.Split(trigger, " ")
+	triggerInstruction := strings.ToUpper(strings.Trim(splitTrigger[0], " "))
+	switch triggerInstruction {
+	case "ONBUILD":
+		return fmt.Errorf("Chaining ONBUILD via `ONBUILD ONBUILD` isn't allowed")
+	case "MAINTAINER", "FROM":
+		return fmt.Errorf("%s isn't allowed as an ONBUILD trigger", triggerInstruction)
+	}
 	b.config.OnBuild = append(b.config.OnBuild, trigger)
 	return b.commit("", b.config.Cmd, fmt.Sprintf("ONBUILD %s", trigger))
 }
--- a/docs/sources/reference/builder.rst
+++ b/docs/sources/reference/builder.rst
@ -466,6 +466,8 @@ For example you might add something like this:
    ONBUILD RUN /usr/local/bin/python-build --dir /app/src
    [...]

+.. warning:: Chaining ONBUILD instructions using `ONBUILD ONBUILD` isn't allowed.
+.. warning:: ONBUILD may not trigger FROM or MAINTAINER instructions.

 .. _dockerfile_examples:

--- a/integration/buildfile_test.go
+++ b/integration/buildfile_test.go
@ -924,3 +924,45 @@ func TestBuildOnBuildTrigger(t *testing.T) {
 	}
 	// FIXME: test that the 'foobar' file was created in the final build.
 }
+
+func TestBuildOnBuildForbiddenChainedTrigger(t *testing.T) {
+	_, err := buildImage(testContextTemplate{`
+	from {IMAGE}
+	onbuild onbuild run echo test
+	`,
+		nil, nil,
+	},
+		t, nil, true,
+	)
+	if err == nil {
+		t.Fatal("Error should not be nil")
+	}
+}
+
+func TestBuildOnBuildForbiddenFromTrigger(t *testing.T) {
+	_, err := buildImage(testContextTemplate{`
+	from {IMAGE}
+	onbuild from {IMAGE}
+	`,
+		nil, nil,
+	},
+		t, nil, true,
+	)
+	if err == nil {
+		t.Fatal("Error should not be nil")
+	}
+}
+
+func TestBuildOnBuildForbiddenMaintainerTrigger(t *testing.T) {
+	_, err := buildImage(testContextTemplate{`
+	from {IMAGE}
+	onbuild maintainer test
+	`,
+		nil, nil,
+	},
+		t, nil, true,
+	)
+	if err == nil {
+		t.Fatal("Error should not be nil")
+	}
+}