fix: comma in entrypoint and cmd (#663)

bazel-contrib · Aug 7, 2024 · 9c50a4a · 9c50a4a
1 parent e389dde
commit 9c50a4a
Show file tree

Hide file tree

Showing 5 changed files with 115 additions and 20 deletions.
diff --git a/docs/image.md b/docs/image.md
diff --git a/examples/assertion/BUILD.bazel b/examples/assertion/BUILD.bazel
@@ -519,6 +519,94 @@ assert_oci_config(
     image = ":case16",
 )
 
+# Case 17: an entrypoint and cmd with , in it
+oci_image(
+    name = "case17",
+    architecture = "arm64",
+    cmd = [
+        '--permitted-system-keys="MY_HOST_V1,MY_HOST_V2"',
+    ],
+    entrypoint = [
+        "/docker-entrypoint.sh",
+        '--permitted-system-keys="MY_HOST_V1,MY_HOST_V2"',
+    ],
+    os = "linux",
+)
+
+assert_oci_config(
+    name = "test_case17",
+    cmd_eq = [
+        '--permitted-system-keys="MY_HOST_V1,MY_HOST_V2"',
+    ],
+    entrypoint_eq = [
+        "/docker-entrypoint.sh",
+        '--permitted-system-keys="MY_HOST_V1,MY_HOST_V2"',
+    ],
+    image = ":case17",
+)
+
+# Case 18: an entrypoint and with \n in it
+oci_image(
+    name = "case18",
+    architecture = "arm64",
+    cmd = ['--permitted-system-keys="MY_HOST_V1\nMY_HOST_V2"'],
+    entrypoint = ["/docker-entrypoint.sh"],
+    os = "linux",
+)
+
+assert_oci_config(
+    name = "test_case18",
+    cmd_eq = ['--permitted-system-keys="MY_HOST_V1\nMY_HOST_V2"'],
+    entrypoint_eq = ["/docker-entrypoint.sh"],
+    image = ":case18",
+)
+
+# Case 19: an entrypoint with escaped \n in it
+oci_image(
+    name = "case19",
+    architecture = "arm64",
+    entrypoint = [
+        "/docker-entrypoint.sh",
+        '--permitted-system-keys="MY_HOST_V1\\nMY_HOST_V2"',
+    ],
+    os = "linux",
+)
+
+assert_oci_config(
+    name = "test_case19",
+    entrypoint_eq = [
+        "/docker-entrypoint.sh",
+        '--permitted-system-keys="MY_HOST_V1\\nMY_HOST_V2"',
+    ],
+    image = ":case19",
+)
+
+# Case 20: an entrypoint with \t and \n in it
+case20_shell = '''
+#!/usr/bin/env bash
+set -o pipefail -o errexit -o nounset
+string="\t\t\n\n\\n"
+'''
+
+oci_image(
+    name = "case20",
+    architecture = "arm64",
+    entrypoint = [
+        "bash",
+        case20_shell,
+    ],
+    os = "linux",
+)
+
+assert_oci_config(
+    name = "test_case20",
+    entrypoint_eq = [
+        "bash",
+        case20_shell,
+    ],
+    image = ":case20",
+)
+
 # build them as test.
 build_test(
     name = "test",

diff --git a/oci/defs.bzl b/oci/defs.bzl
@@ -22,6 +22,17 @@ oci_image_rule = _oci_image
 oci_image_index = _oci_image_index
 oci_push_rule = _oci_push
 
+def _write_nl_seperated_file(name, kind, elems, forwarded_kwargs):
+    label = "_{}_write_{}".format(name, kind)
+    write_file(
+        name = label,
+        out = "_{}.{}.txt".format(name, kind),
+        # %5Cn is the uri escaped newline
+        content = [elem.replace("\n", "%5Cn") for elem in elems],
+        **forwarded_kwargs
+    )
+    return label
+
 def oci_image(name, labels = None, annotations = None, env = None, cmd = None, entrypoint = None, exposed_ports = None, volumes = None, **kwargs):
     """Macro wrapper around [oci_image_rule](#oci_image_rule).
 
@@ -81,24 +92,20 @@ def oci_image(name, labels = None, annotations = None, env = None, cmd = None, e
         env = env_label
 
     if types.is_list(cmd):
-        cmd_label = "_{}_write_cmd".format(name)
-        write_file(
-            name = cmd_label,
-            out = "_{}.cmd.txt".format(name),
-            content = [",".join(cmd)],
-            **forwarded_kwargs
+        cmd = _write_nl_seperated_file(
+            name = name,
+            kind = "cmd",
+            elems = cmd,
+            forwarded_kwargs = forwarded_kwargs,
         )
-        cmd = cmd_label
 
     if types.is_list(entrypoint):
-        entrypoint_label = "_{}_write_entrypoint".format(name)
-        write_file(
-            name = entrypoint_label,
-            out = "_{}.entrypoint.txt".format(name),
-            content = [",".join(entrypoint)],
-            **forwarded_kwargs
+        entrypoint = _write_nl_seperated_file(
+            name = name,
+            kind = "entrypoint",
+            elems = entrypoint,
+            forwarded_kwargs = forwarded_kwargs,
         )
-        entrypoint = entrypoint_label
 
     if types.is_list(exposed_ports):
         exposed_ports_label = "_{}_write_exposed_ports".format(name)

diff --git a/oci/private/image.bzl b/oci/private/image.bzl
@@ -69,8 +69,8 @@ _attrs = {
         The authors recommend [dive](https://github.com/wagoodman/dive) to explore the layering of the resulting image.
     """),
     # See: https://github.com/opencontainers/image-spec/blob/main/config.md#properties
-    "entrypoint": attr.label(doc = "A file containing a comma separated list to be used as the `entrypoint` to execute when the container starts. These values act as defaults and may be replaced by an entrypoint specified when creating a container. NOTE: Setting this attribute will reset the `cmd` attribute", allow_single_file = True),
-    "cmd": attr.label(doc = "A file containing a comma separated list to be used as the `command & args` of the container. These values act as defaults and may be replaced by any specified when creating a container.", allow_single_file = True),
+    "entrypoint": attr.label(doc = "A file containing a newline separated list to be used as the `entrypoint` to execute when the container starts. These values act as defaults and may be replaced by an entrypoint specified when creating a container. NOTE: Setting this attribute will reset the `cmd` attribute", allow_single_file = True),
+    "cmd": attr.label(doc = "A file containing a newline separated list to be used as the `command & args` of the container. These values act as defaults and may be replaced by any specified when creating a container.", allow_single_file = True),
     "env": attr.label(doc = """\
 A file containing the default values for the environment variables of the container. These values act as defaults and are merged with any specified when creating a container. Entries replace the base environment variables if any of the entries has conflicting keys.
 To merge entries with keys specified in the base, `${KEY}` or `$KEY` syntax may be used.

diff --git a/oci/private/image.sh b/oci/private/image.sh
@@ -146,13 +146,13 @@ for ARG in "$@"; do
     CONFIG=$(jq --argjson envs "${env}" '.config.Env = ($envs | map("\(.key)=\(.value)"))' <<<"$CONFIG")
     ;;
   --cmd=*)
-    CONFIG=$(jq --rawfile cmd "${ARG#--cmd=}" '.config.Cmd = ($cmd | split(",|\n"; "") | map(select(. | length > 0)))' <<<"$CONFIG")
+    CONFIG=$(jq --rawfile cmd "${ARG#--cmd=}" '.config.Cmd = ($cmd | split("\n") | map(select(. | length > 0)) | map(. | sub("%5Cn"; "\n"; "g")))' <<<"$CONFIG")
     ;;
   --entrypoint=*)
     # NOTE: setting entrypoint deletes `.config.Cmd` which is consistent with crane and Dockerfile behavior.
     # See: https://github.com/bazel-contrib/rules_oci/issues/649
     # See: https://github.com/google/go-containerregistry/blob/c3d1dcc932076c15b65b8b9acfff1d47ded2ebf9/cmd/crane/cmd/mutate.go#L107
-    CONFIG=$(jq --rawfile entrypoint "${ARG#--entrypoint=}" '.config.Cmd = null | .config.Entrypoint = ($entrypoint | split(",|\n"; "") | map(select(. | length > 0)))' <<<"$CONFIG")
+    CONFIG=$(jq --rawfile entrypoint "${ARG#--entrypoint=}" '.config.Cmd = null | .config.Entrypoint = ($entrypoint | split("\n") | map(select(. | length > 0)) | map(. | sub("%5Cn"; "\n"; "g")))' <<<"$CONFIG")
     ;;
   --exposed-ports=*)
     CONFIG=$(jq --rawfile ep "${ARG#--exposed-ports=}" '.config.ExposedPorts = ($ep | split(",") | map({key: ., value: {}}) | from_entries)' <<<"$CONFIG")