author | Aditya Rajan <arajan@redhat.com> | 2021-11-30 14:15:53 +0530 |
---|---|---|
committer | Aditya Rajan <arajan@redhat.com> | 2021-11-30 15:44:10 +0530 |
commit | c80a2e4495f877bc0f6a522e99b511de6c0d525d (patch) | |
tree | cdddb70203a49f8f0a9a3789651e689d2b700e59 /test | |
parent | e7204178e175d8ad619faa626ba284c777886cd3 (diff) | |
podman-remote: prevent leaking secret into image
Prevents the temporary secret file from leaking into the image by moving it
out of the build context directory into the parent builder directory. The
builder directory is automatically cleaned up when the build finishes.
Signed-off-by: Aditya Rajan <arajan@redhat.com>
Diffstat (limited to 'test')
-rw-r--r-- | test/e2e/build/Dockerfile.with-secret-verify-leak | 3 | ||||
-rw-r--r-- | test/e2e/build_test.go | 16 |
2 files changed, 19 insertions, 0 deletions
diff --git a/test/e2e/build/Dockerfile.with-secret-verify-leak b/test/e2e/build/Dockerfile.with-secret-verify-leak
new file mode 100644
index 000000000..0957ac6a6
--- /dev/null
+++ b/test/e2e/build/Dockerfile.with-secret-verify-leak
@@ -0,0 +1,3 @@
+FROM alpine
+COPY * /
+RUN --mount=type=secret,id=mysecret cat /run/secrets/mysecret
diff --git a/test/e2e/build_test.go b/test/e2e/build_test.go
index ad401ca83..c541f25ae 100644
--- a/test/e2e/build_test.go
+++ b/test/e2e/build_test.go
@@ -82,6 +82,22 @@ var _ = Describe("Podman build", func() {
 		Expect(session).Should(Exit(0))
 	})
 
+	It("podman build with a secret from file and verify if secret file is not leaked into image", func() {
+		session := podmanTest.Podman([]string{"build", "-f", "build/Dockerfile.with-secret-verify-leak", "-t", "secret-test-leak", "--secret", "id=mysecret,src=build/secret.txt", "build/"})
+		session.WaitWithDefaultTimeout()
+		Expect(session).Should(Exit(0))
+		Expect(session.OutputToString()).To(ContainSubstring("somesecret"))
+
+		session = podmanTest.Podman([]string{"run", "--rm", "secret-test-leak", "ls"})
+		session.WaitWithDefaultTimeout()
+		Expect(session).Should(Exit(0))
+		Expect(session.OutputToString()).To(Not(ContainSubstring("podman-build-secret")))
+
+		session = podmanTest.Podman([]string{"rmi", "secret-test-leak"})
+		session.WaitWithDefaultTimeout()
+		Expect(session).Should(Exit(0))
+	})
+
 	It("podman build with logfile", func() {
 		logfile := filepath.Join(podmanTest.TempDir, "logfile")
 		session := podmanTest.Podman([]string{"build", "--pull-never", "--tag", "test", "--logfile", logfile, "build/basicalpine"})
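Review bot: `COPY * /` copies the whole build/ context into the image, and that context is the same directory the test passes as `--secret src=build/secret.txt`, so the image ends up carrying secret.txt itself regardless of the temp-file fix this commit tests; only the stray `podman-build-secret` temp copy is ever checked. That is presumably intentional, since the wide COPY is what surfaces a temp file left in the context root, but nothing in the fixture says so, and anyone later adding a content-based assertion (grep for the secret value inside the image) would see it fail for the wrong reason. Add a comment above the COPY: `# Copy the entire context on purpose: a temp secret file left in the context dir by the client lands in / and is caught by the test's ls check. This also copies secret.txt itself, so never assert on secret content in the image.` The `RUN ... cat` line also prints the secret value into the build log, which is fine for a fixed test value but deserves a one-line comment so the fixture is never reused with a real secret.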
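Review bot: The leak assertion on the `"ls"` line is purely name-based: `Not(ContainSubstring("podman-build-secret"))` passes trivially if the client's temp-file prefix is ever renamed, and plain `ls` omits dot-prefixed names, so a hidden temp file in / would also go unnoticed. Use `"ls", "-a", "/"` and record the coupling next to the assertion: `// "podman-build-secret" looks like the prefix of the temp file the remote client writes into the context; keep in sync with the client.` (the hunk does not show where that prefix is defined, so this is inferred from the test). A content check such as grepping the image for "somesecret" is not a substitute here, because the fixture's `COPY * /` also copies build/secret.txt into the image. The enclosing Describe block starts and ends outside the hunk.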