Don't expand RUN heredocs ourselves, let the shell do it

When handling RUN instructions that use heredoc syntax, don't bother
interpolating environment variables and argument values, and let the
command that's running handle it.

Signed-off-by: Nalin Dahyabhai <[email protected]>

Author: nalind

go.mod

@@ -1,6 +1,8 @@
 module github.com/containers/buildah
 
-go 1.20
+go 1.21
+
+toolchain go1.21.9
 
 require (
 	github.com/containerd/containerd v1.7.13
@@ -12,9 +14,9 @@ require (
 	github.com/containers/storage v1.53.0
 	github.com/cyphar/filepath-securejoin v0.2.4
 	github.com/docker/distribution v2.8.3+incompatible
-	github.com/docker/docker v25.0.5+incompatible
+	github.com/docker/docker v26.0.0+incompatible
 	github.com/docker/go-units v0.5.0
-	github.com/fsouza/go-dockerclient v1.10.1
+	github.com/fsouza/go-dockerclient v1.11.0
 	github.com/hashicorp/go-multierror v1.1.1
 	github.com/mattn/go-shellwords v1.0.12
 	github.com/moby/buildkit v0.12.5
@@ -88,7 +90,7 @@ require (
 	github.com/godbus/dbus/v5 v5.1.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
-	github.com/golang/protobuf v1.5.3 // indirect
+	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/google/go-containerregistry v0.19.0 // indirect
 	github.com/google/go-intervals v0.0.2 // indirect
@@ -110,6 +112,7 @@ require (
 	github.com/miekg/pkcs11 v1.1.1 // indirect
 	github.com/mistifyio/go-zfs/v3 v3.0.1 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
+	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/moby/patternmatcher v0.6.0 // indirect
 	github.com/moby/sys/mountinfo v0.7.1 // indirect
 	github.com/moby/sys/sequential v0.5.0 // indirect
@@ -158,3 +161,5 @@ require (
 )
 
 replace github.com/opencontainers/runtime-spec => github.com/opencontainers/runtime-spec v1.1.0
+
+replace github.com/openshift/imagebuilder => github.com/nalind/openshift-imagebuilder v0.0.0-20240411201310-a050864f2395

go.sum

@@ -3102,6 +3102,13 @@ var internalTestCases = []testCase{
 		contextDir:        "multistage/copyback",
 		dockerUseBuildKit: true,
 	},
+
+	{
+		name:              "heredoc-quoting",
+		dockerfile:        "Dockerfile.heredoc-quoting",
+		dockerUseBuildKit: true,
+		fsSkip:            []string{"(dir):etc:(dir):hostname"}, // buildkit does not create a phantom /etc/hostname
+	},
 }
 
 func TestCommit(t *testing.T) {

tests/conformance/conformance_test.go

@@ -0,0 +1,215 @@
+FROM busybox
+ARG argA=argvA
+ENV varA=valueA
+
+# An argument, an environment variable, and one set in the heredoc
+RUN <<EOF
+varB=valueB
+touch /run-argA=$argA.unquoted1.txt
+touch /run-varA=$varA.unquoted1.txt
+touch /run-varB=$varB.unquoted1.txt
+EOF
+
+# An argument, an environment variable, and one set in the heredoc
+RUN <<EOF
+varB=valueB
+touch /run-argA="$argA".unquoted2.txt
+touch /run-varA="$varA".unquoted2.txt
+touch /run-varB="$varB".unquoted2.txt
+EOF
+
+# An argument, an environment variable overridden in the heredoc, and one set in the heredoc
+RUN <<EOF
+varA=valueA2
+varB=valueB
+touch /run-argA="$argA".unquoted3.txt
+touch /run-varA="$varA".unquoted3.txt
+touch /run-varB="$varB".unquoted3.txt
+EOF
+
+# An overridden argument, an environment variable overridden in the heredoc, and one set in the heredoc
+RUN <<EOF
+argA=argvA2
+varA=valueA2
+varB=valueB
+touch /run-argA="$argA".unquoted4.txt
+touch /run-varA="$varA".unquoted4.txt
+touch /run-varB="$varB".unquoted4.txt
+EOF
+
+# An argument, an environment variable, and one set in the heredoc
+RUN <<"EOF"
+varB=valueB
+touch /run-argA=$argA.quoted1.txt
+touch /run-varA=$varA.quoted1.txt
+touch /run-varB=$varB.quoted1.txt
+EOF
+
+# An argument, an environment variable, and one set in the heredoc
+RUN <<"EOF"
+varB=valueB
+touch /run-argA="$argA".quoted2.txt
+touch /run-varA="$varA".quoted2.txt
+touch /run-varB="$varB".quoted2.txt
+EOF
+
+# An argument, an environment variable overridden in the heredoc, and one set in the heredoc
+RUN <<"EOF"
+varA=valueA2
+varB=valueB
+touch /run-argA="$argA".quoted3.txt
+touch /run-varA="$varA".quoted3.txt
+touch /run-varB="$varB".quoted3.txt
+EOF
+
+# An overridden argument, an environment variable overridden in the heredoc, and one set in the heredoc
+RUN <<"EOF"
+argA=argvA2
+varA=valueA2
+varB=valueB
+touch /run-argA="$argA".quoted4.txt
+touch /run-varA="$varA".quoted4.txt
+touch /run-varB="$varB".quoted4.txt
+EOF
+
+# An argument, an environment variable, and one set in the heredoc
+COPY <<EOF /copy-unquoted1.txt
+varB=valueB
+touch /argA=$argA
+touch /varA=$varA
+touch /varB=$varB
+EOF
+
+# An argument, an environment variable, and one set in the heredoc
+COPY <<EOF /copy-unquoted2.txt
+varB=valueB
+argA="$argA"
+varA="$varA"
+varB="$varB"
+EOF
+
+# An argument, an environment variable overridden in the heredoc, and one set in the heredoc
+COPY <<EOF /copy-unquoted3.txt
+varA=valueA2
+varB=valueB
+argA="$argA"
+varA="$varA"
+varB="$varB"
+EOF
+
+# An overridden argument, an environment variable overridden in the heredoc, and one set in the heredoc
+COPY <<EOF /copy-unquoted4.txt
+argA=argvA2
+varA=valueA2
+varB=valueB
+argA="$argA"
+varA="$varA"
+varB="$varB"
+EOF
+
+# An argument, an environment variable, and one set in the heredoc
+COPY <<"EOF" /copy-quoted1.txt
+varB=valueB
+argA=$argA
+varA=$varA
+varB=$varB
+EOF
+
+# An argument, an environment variable, and one set in the heredoc
+COPY <<"EOF" /copy-quoted2.txt
+varB=valueB
+argA="$argA"
+varA="$varA"
+varB="$varB"
+EOF
+
+# An argument, an environment variable overridden in the heredoc, and one set in the heredoc
+COPY <<"EOF" /copy-quoted3.txt
+varA=valueA2
+varB=valueB
+argA="$argA"
+varA="$varA"
+varB="$varB"
+EOF
+
+# An overridden argument, an environment variable overridden in the heredoc, and one set in the heredoc
+COPY <<"EOF" /copy-quoted4.txt
+argA=argvA2
+varA=valueA2
+varB=valueB
+argA="$argA"
+varA="$varA"
+varB="$varB"
+EOF
+
+# An argument, an environment variable, and one set in the heredoc
+ADD <<EOF /add-unquoted1.txt
+varB=valueB
+touch /argA=$argA
+touch /varA=$varA
+touch /varB=$varB
+EOF
+
+# An argument, an environment variable, and one set in the heredoc
+ADD <<EOF /add-unquoted2.txt
+varB=valueB
+argA="$argA"
+varA="$varA"
+varB="$varB"
+EOF
+
+# An argument, an environment variable overridden in the heredoc, and one set in the heredoc
+ADD <<EOF /add-unquoted3.txt
+varA=valueA2
+varB=valueB
+argA="$argA"
+varA="$varA"
+varB="$varB"
+EOF
+
+# An overridden argument, an environment variable overridden in the heredoc, and one set in the heredoc
+ADD <<EOF /add-unquoted4.txt
+argA=argvA2
+varA=valueA2
+varB=valueB
+argA="$argA"
+varA="$varA"
+varB="$varB"
+EOF
+
+# An argument, an environment variable, and one set in the heredoc
+ADD <<"EOF" /add-quoted1.txt
+varB=valueB
+argA=$argA
+varA=$varA
+varB=$varB
+EOF
+
+# An argument, an environment variable, and one set in the heredoc
+ADD <<"EOF" /add-quoted2.txt
+varB=valueB
+argA="$argA"
+varA="$varA"
+varB="$varB"
+EOF
+
+# An argument, an environment variable overridden in the heredoc, and one set in the heredoc
+ADD <<"EOF" /add-quoted3.txt
+varA=valueA2
+varB=valueB
+argA="$argA"
+varA="$varA"
+varB="$varB"
+EOF
+
+# An overridden argument, an environment variable overridden in the heredoc, and one set in the heredoc
+ADD <<"EOF" /add-quoted4.txt
+argA=argvA2
+varA=valueA2
+varB=valueB
+argA="$argA"
+varA="$varA"
+varB="$varB"
+EOF
+
+RUN touch -r /etc/passwd /*.txt

tests/conformance/testdata/Dockerfile.heredoc-quoting

@@ -324,7 +324,7 @@ github.com/distribution/reference
 github.com/docker/distribution/registry/api/errcode
 github.com/docker/distribution/registry/api/v2
 github.com/docker/distribution/registry/client/auth/challenge
-# github.com/docker/docker v25.0.5+incompatible
+# github.com/docker/docker v26.0.0+incompatible
 ## explicit
 github.com/docker/docker/api
 github.com/docker/docker/api/types
@@ -346,7 +346,6 @@ github.com/docker/docker/api/types/versions
 github.com/docker/docker/api/types/volume
 github.com/docker/docker/client
 github.com/docker/docker/errdefs
-github.com/docker/docker/image/spec/specs-go/v1
 github.com/docker/docker/internal/multierror
 github.com/docker/docker/pkg/archive
 github.com/docker/docker/pkg/homedir
@@ -375,8 +374,8 @@ github.com/felixge/httpsnoop
 # github.com/fsnotify/fsnotify v1.7.0
 ## explicit; go 1.17
 github.com/fsnotify/fsnotify
-# github.com/fsouza/go-dockerclient v1.10.1
-## explicit; go 1.20
+# github.com/fsouza/go-dockerclient v1.11.0
+## explicit; go 1.21
 github.com/fsouza/go-dockerclient
 # github.com/go-jose/go-jose/v3 v3.0.3
 ## explicit; go 1.12
@@ -439,8 +438,8 @@ github.com/gogo/protobuf/proto
 # github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da
 ## explicit
 github.com/golang/groupcache/lru
-# github.com/golang/protobuf v1.5.3
-## explicit; go 1.9
+# github.com/golang/protobuf v1.5.4
+## explicit; go 1.17
 github.com/golang/protobuf/proto
 # github.com/google/go-cmp v0.6.0
 ## explicit; go 1.13
@@ -539,6 +538,9 @@ github.com/moby/buildkit/frontend/dockerfile/command
 github.com/moby/buildkit/frontend/dockerfile/parser
 github.com/moby/buildkit/frontend/dockerfile/shell
 github.com/moby/buildkit/util/stack
+# github.com/moby/docker-image-spec v1.3.1
+## explicit; go 1.18
+github.com/moby/docker-image-spec/specs-go/v1
 # github.com/moby/patternmatcher v0.6.0
 ## explicit; go 1.19
 github.com/moby/patternmatcher
@@ -639,7 +641,7 @@ github.com/opencontainers/selinux/go-selinux
 github.com/opencontainers/selinux/go-selinux/label
 github.com/opencontainers/selinux/pkg/pwalk
 github.com/opencontainers/selinux/pkg/pwalkdir
-# github.com/openshift/imagebuilder v1.2.6
+# github.com/openshift/imagebuilder v1.2.6 => github.com/nalind/openshift-imagebuilder v0.0.0-20240411201310-a050864f2395
 ## explicit; go 1.19
 github.com/openshift/imagebuilder
 github.com/openshift/imagebuilder/dockerclient
@@ -1008,3 +1010,4 @@ tags.cncf.io/container-device-interface/pkg/parser
 ## explicit; go 1.19
 tags.cncf.io/container-device-interface/specs-go
 # github.com/opencontainers/runtime-spec => github.com/opencontainers/runtime-spec v1.1.0
+# github.com/openshift/imagebuilder => github.com/nalind/openshift-imagebuilder v0.0.0-20240411201310-a050864f2395