From 5951d9b0eeb8e1c9507d3581d6542440e037d332 Mon Sep 17 00:00:00 2001
From: Tejal Desai
Date: Fri, 24 Jan 2020 15:54:44 -0800
Subject: [PATCH 1/2] add /tmp/apt-key to whitelist for Dockerfiles which use command

---
 pkg/snapshot/layered_map.go | 9 ++++++++-
 pkg/util/fs_util.go | 19 +++++++++++++++----
 pkg/util/fs_util_test.go | 8 ++++++++
 3 files changed, 31 insertions(+), 5 deletions(-)

diff --git a/pkg/snapshot/layered_map.go b/pkg/snapshot/layered_map.go
index 56e8da4f09..0097b57a57 100644
--- a/pkg/snapshot/layered_map.go
+++ b/pkg/snapshot/layered_map.go
@@ -20,11 +20,13 @@ import (
 	"bytes"
 	"encoding/json"
 	"fmt"
+	"os"
 	"path/filepath"
 	"strings"
 
 	"github.com/GoogleContainerTools/kaniko/pkg/timing"
 	"github.com/GoogleContainerTools/kaniko/pkg/util"
+	"github.com/sirupsen/logrus"
 )
 
 type LayeredMap struct {
@@ -113,13 +115,18 @@ func (l *LayeredMap) Add(s string) error {
 // from the current layered map by its hashing function.
 // Returns true if the file is changed.
 func (l *LayeredMap) CheckFileChange(s string) (bool, error) {
-	oldV, ok := l.Get(s)
 	t := timing.Start("Hashing files")
 	defer timing.DefaultRun.Stop(t)
 	newV, err := l.hasher(s)
 	if err != nil {
+		// if this file does not exist in the new layer return.
+		if os.IsNotExist(err) {
+			logrus.Tracef("%s detected as changed but does not exist", s)
+			return false, nil
+		}
 		return false, err
 	}
+	oldV, ok := l.Get(s)
 	if ok && newV == oldV {
 		return false, nil
 	}
diff --git a/pkg/util/fs_util.go b/pkg/util/fs_util.go
index 7aa91adffc..7cadce1a32 100644
--- a/pkg/util/fs_util.go
+++ b/pkg/util/fs_util.go
@@ -26,6 +26,7 @@ import (
 	"net/http"
 	"os"
 	"path/filepath"
+	"regexp"
 	"strings"
 	"syscall"
 	"time"
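Review bot: `os.IsNotExist(err)` in the new branch of CheckFileChange inspects only the error value itself, so if `l.hasher` ever wraps the underlying error the not-exist case falls through to `return false, err`; if the module is on Go 1.13 or later, `if errors.Is(err, os.ErrNotExist) {` covers both the bare and the wrapped form. Returning `false, nil` also reports a file that vanished between detection and hashing as unchanged, which is only correct if deletions are recorded on some other path; that is not visible from this hunk, so the branch should state the assumption, e.g. `// NOTE: a file removed between detection and hashing is reported as unchanged here; deletions must be captured elsewhere.` The body of CheckFileChange continues past the end of the hunk.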
@@ -61,6 +62,12 @@ var initialWhitelist = []WhitelistEntry{
 		Path: "/etc/mtab",
 		PrefixMatchOnly: false,
 	},
+	{
+		// we whitelist /tmp/apt-key-gpghome, since the apt keys are added temporarily in this directory.
+		// from the base image
+		Path: "/tmp/apt-key-gpghome",
+		PrefixMatchOnly: true,
+	},
 }
 
 var whitelist = initialWhitelist
@@ -674,7 +681,7 @@ func excludeFile(path, buildcontext string) bool {
 	return match
 }
 
-// HasFilepathPrefix checks if the given file path begins with prefix
+// HasFilepathPrefix checks if the given file path begins with prefix
 func HasFilepathPrefix(path, prefix string, prefixMatchOnly bool) bool {
 	prefix = filepath.Clean(prefix)
 	prefixArray := strings.Split(prefix, "/")
@@ -687,11 +694,15 @@ func HasFilepathPrefix(path, prefix string, prefixMatchOnly bool) bool {
 	if prefixMatchOnly && len(pathArray) == len(prefixArray) {
 		return false
 	}
+
 	for index := range prefixArray {
-		if prefixArray[index] == pathArray[index] {
-			continue
+		m, err := regexp.MatchString(prefixArray[index], pathArray[index])
+		if err != nil {
+			return false
+		}
+		if !m {
+			return false
 		}
-		return false
 	}
 	return true
 }
diff --git a/pkg/util/fs_util_test.go b/pkg/util/fs_util_test.go
index 2919426ce7..ac55688635 100644
--- a/pkg/util/fs_util_test.go
+++ b/pkg/util/fs_util_test.go
@@ -259,6 +259,14 @@ func Test_CheckWhitelist(t *testing.T) {
 			},
 			want: false,
 		},
+		{
+			name: "prefix match only ",
+			args: args{
+				path: "/tmp/apt-key-gpghome.xft/gpg.key",
+				whitelist: []WhitelistEntry{{"/tmp/apt-key-gpghome.*", true}},
+			},
+			want: true,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
From e0322042c715ea6b8e85764a36ba7e029e3d53c5 Mon Sep 17 00:00:00 2001
From: Tejal Desai
Date: Fri, 24 Jan 2020 22:12:37 -0800
Subject: [PATCH 2/2] use filepath.Match instead of regex

---
 pkg/util/fs_util.go | 3 +--
 pkg/util/fs_util_test.go | 1 +
 2 files changed, 2 insertions(+), 2 deletions(-)
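Review bot: `regexp.MatchString(prefixArray[index], pathArray[index])` is an unanchored substring match, so every whitelist element now matches any path element that merely contains it: the existing `/var/run` entry would match a constructed path like `/var/runtime/foo`, and whatever a build writes under such a directory is silently left out of the snapshot. Every element of every existing whitelist entry is also parsed as a regular expression on each call (so `.` becomes a wildcard and the expression is recompiled for every path hashed), which changes the meaning of entries that were never written as patterns and adds cost on the snapshot path. The second patch in this series replaces this call with `filepath.Match`, which addresses the anchoring; if a regex were kept it would need anchoring, `m, err := regexp.MatchString("^(?:"+prefixArray[index]+")$", pathArray[index])`. The doc comment in the preceding hunk still says "begins with prefix" and should describe the new per-element pattern match, e.g. `// HasFilepathPrefix reports whether path begins with prefix, matching each element of prefix as a pattern against the corresponding element of path.`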
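Review bot: The new Test_CheckWhitelist case checks a hand-written pattern `/tmp/apt-key-gpghome.*` rather than the entry this patch adds to initialWhitelist (`/tmp/apt-key-gpghome` with `PrefixMatchOnly: true`), so it does not demonstrate that the shipped entry matches a suffixed directory like `/tmp/apt-key-gpghome.xft/gpg.key`; a second case that goes through the real entry would pin that. The case name `"prefix match only "` also carries a trailing space, which leaks into the subtest name used by `go test -run`; `name: "prefix match only",`.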
diff --git a/pkg/util/fs_util.go b/pkg/util/fs_util.go
index 7cadce1a32..0e03fa5fcc 100644
--- a/pkg/util/fs_util.go
+++ b/pkg/util/fs_util.go
@@ -26,7 +26,6 @@ import (
 	"net/http"
 	"os"
 	"path/filepath"
-	"regexp"
 	"strings"
 	"syscall"
 	"time"
@@ -696,7 +695,7 @@ func HasFilepathPrefix(path, prefix string, prefixMatchOnly bool) bool {
 	}
 
 	for index := range prefixArray {
-		m, err := regexp.MatchString(prefixArray[index], pathArray[index])
+		m, err := filepath.Match(prefixArray[index], pathArray[index])
 		if err != nil {
 			return false
 		}
diff --git a/pkg/util/fs_util_test.go b/pkg/util/fs_util_test.go
index ac55688635..d3640553d4 100644
--- a/pkg/util/fs_util_test.go
+++ b/pkg/util/fs_util_test.go
@@ -66,6 +66,7 @@ func Test_DetectFilesystemWhitelist(t *testing.T) {
 		{"/sys", false},
 		{"/var/run", false},
 		{"/etc/mtab", false},
+		{"/tmp/apt-key-gpghome", true},
 	}
 	actualWhitelist := whitelist
 	sort.Slice(actualWhitelist, func(i, j int) bool {
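Review bot: `filepath.Match` requires the pattern to match the whole path element, so the initialWhitelist entry `/tmp/apt-key-gpghome` added in PATCH 1 no longer matches a suffixed directory such as `/tmp/apt-key-gpghome.xft/gpg.key`, the shape Test_CheckWhitelist only covers through its separate `/tmp/apt-key-gpghome.*` pattern; if apt-key does create suffixed directories, the entry needs the glob, `Path: "/tmp/apt-key-gpghome*",`, and a test case that uses the shipped entry would have exposed the gap. Every element of every whitelist entry is now also read as a glob, including entries that appear to be detected at runtime (per Test_DetectFilesystemWhitelist): an element containing `[` makes Match return ErrBadPattern, which this loop turns into "not whitelisted" with no log, while `*` or `?` in such an element widens the match. Consider marking pattern entries explicitly on WhitelistEntry and comparing the rest with `==`, or at minimum logging the error before `return false` so a rejected pattern is visible. The function's signature and the tail of the loop lie outside the hunk.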