From 19c6495a66eb3db7f156e954d3c65221dd752a4a Mon Sep 17 00:00:00 2001 From: Julio <13398285+ggjulio@users.noreply.github.com> Date: Wed, 8 Jan 2025 19:39:40 +0100 Subject: [PATCH] Fix out-of-bound symlink for gitops tools (#2073) Summary: Fix out-of-bound symlink for gitops tools I'm working on deploying pixie cloud via gitops. For security reasons argocd block the deployment if an out of bound symlink is detected in the monorepo. ``` Failed to load target state: failed to generate manifest for source 1 of 1: rpc error: code = Unknown desc = repository contains out-of-bounds symlinks. file: src/common/system/testdata/proc/123/fd/1 ``` Changing the dummy symlink to a relative path that don't leave the root fixes the issue. Relevant Issues: N/A Type of change: /kind bug Test Plan: the items below - [x] Use my fork to test if the updated symlink path still block the argocd app deployment. - [x] Related unit test still pass Additional documentation: see the links below - https://github.com/argoproj/argo-cd/issues/12593#issuecomment-2575569453 - https://argo-cd.readthedocs.io/en/stable/operator-manual/upgrading/2.4-2.5/#out-of-bounds-symlinks-now-blocked-at-fetch Signed-off-by: GitHub --- src/common/system/proc_parser_test.cc | 6 ++---- src/common/system/testdata/proc/123/fd/1 | 2 +- 2 files changed, 3 insertions(+), 5 deletions(-) diff --git a/src/common/system/proc_parser_test.cc b/src/common/system/proc_parser_test.cc index 08b93666200..7d2baaa5315 100644 --- a/src/common/system/proc_parser_test.cc +++ b/src/common/system/proc_parser_test.cc @@ -289,8 +289,6 @@ TEST_F(ProcParserTest, read_pid_metadata_null) { parser_->GetPIDCmdline(456)); } -// This test does not work because bazel uses symlinks itself, -// which then causes ReadProcPIDFDLink to resolve the wrong link. TEST_F(ProcParserTest, read_proc_fd_link) { PX_SET_FOR_SCOPE(FLAGS_proc_path, GetPathToTestDataFile("testdata/proc")); { @@ -299,7 +297,7 @@ TEST_F(ProcParserTest, read_proc_fd_link) { ASSERT_OK( fs::CreateSymlinkIfNotExists("/dev/null", GetPathToTestDataFile("testdata/proc/123/fd/0"))); ASSERT_OK( - fs::CreateSymlinkIfNotExists("/foobar", GetPathToTestDataFile("testdata/proc/123/fd/1"))); + fs::CreateSymlinkIfNotExists("./foobar", GetPathToTestDataFile("testdata/proc/123/fd/1"))); ASSERT_OK(fs::CreateSymlinkIfNotExists("socket:[12345]", GetPathToTestDataFile("testdata/proc/123/fd/2"))); } @@ -313,7 +311,7 @@ TEST_F(ProcParserTest, read_proc_fd_link) { s = parser_->ReadProcPIDFDLink(123, 1, &out); EXPECT_OK(s); - EXPECT_EQ("/foobar", out); + EXPECT_EQ("./foobar", out); s = parser_->ReadProcPIDFDLink(123, 2, &out); EXPECT_OK(s); diff --git a/src/common/system/testdata/proc/123/fd/1 b/src/common/system/testdata/proc/123/fd/1 index 35c6569f1ca..764718a6738 120000 --- a/src/common/system/testdata/proc/123/fd/1 +++ b/src/common/system/testdata/proc/123/fd/1 @@ -1 +1 @@ -/foobar \ No newline at end of file +./foobar \ No newline at end of file