
Document danger of using COPY and ADD instructions #760

Merged

merged 1 commit into master from copy-add-danger on Jan 7, 2021

Conversation

fkorotkov
Contributor

No description provided.

@fkorotkov fkorotkov merged commit a84e79b into master Jan 7, 2021
@fkorotkov fkorotkov deleted the copy-add-danger branch January 7, 2021 19:22
!!! warning "Danger of using `COPY` and `ADD` instructions"
Cirrus doesn't include files added or copied into a container image in the cache key. This means that for a public repository
a potential bad actor can create a PR with malicious scripts included into a container, wait for it to be cached and then
reset the PR so it looks harmful.
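Review bot: the last line inverts the intended meaning: "reset the PR so it looks harmful" should read "so it no longer looks harmful", since the point is that the branch is rewritten to hide the scripts after the image has already been cached. The warning would also land better if it named the consequence that follows from the cache-key statement above it: because the copied files are not part of the key, later builds keep reusing the cached image that still contains the malicious files.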
Contributor


That doesn't sound quite right... you mean reset the PR so it doesn't look harmful?

Contributor Author


Reset the PR branch. Like modifying the scripts that are added so they don't look harmful.


I think @RDIL meant "s/harmful/not harmful/". Maybe it's good to add one or two sentences about the consequences, e.g., what a malicious script could do.

Contributor Author


Oh, yeah, some other folks noticed it and I fixed the harmful thing in 51474e1
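As an added illustration of the gap the warning describes (example code written for this page, not code from the PR or from Cirrus CI): a cache key computed from the Dockerfile text alone does not change when a file pulled in by `COPY` or `ADD` is edited, whereas a key that also hashes those files does. The Dockerfile parser is deliberately minimal (no JSON-array form), and the build context it runs against is constructed inline.

```python
import hashlib
import shlex
import tempfile
from pathlib import Path

def copy_add_sources(dockerfile_text):
    """Source paths named by COPY/ADD instructions that read from the build context."""
    text = dockerfile_text.replace("\\\n", " ")  # join line continuations
    sources = []
    for line in text.splitlines():
        words = line.split()
        if len(words) < 3 or words[0].upper() not in ("COPY", "ADD"):
            continue
        parts = shlex.split(line)[1:]
        if any(p.startswith("--from=") for p in parts):
            continue  # copies from another build stage, not from the context
        args = [p for p in parts if not p.startswith("--")]
        sources.extend(args[:-1])  # the last argument is the destination
    return sources

def dockerfile_only_key(context):
    """Weak key: hashes the Dockerfile alone, so edits to copied files never change it."""
    return hashlib.sha256((context / "Dockerfile").read_bytes()).hexdigest()

def context_aware_key(context):
    """Hardened key: Dockerfile plus path and content of every file COPY/ADD pulls in."""
    dockerfile = (context / "Dockerfile").read_text()
    h = hashlib.sha256(dockerfile.encode())
    files = set()
    for src in copy_add_sources(dockerfile):
        matches = context.glob(src) if any(c in src for c in "*?[") else [context / src]
        for m in matches:
            files.update(p for p in ([m] if m.is_file() else m.rglob("*")) if p.is_file())
    for path in sorted(files):  # sorted so the key is independent of directory order
        h.update(str(path.relative_to(context)).encode() + b"\0")
        h.update(path.read_bytes() + b"\0")
    return h.hexdigest()

def demo():
    """Constructed context: COPY a script, then change only the script and compare both keys."""
    with tempfile.TemporaryDirectory() as tmp:
        ctx = Path(tmp)
        (ctx / "scripts").mkdir()
        (ctx / "Dockerfile").write_text("FROM alpine:3.12\nCOPY scripts/ /opt/scripts/\nRUN sh /opt/scripts/setup.sh\n")
        (ctx / "scripts/setup.sh").write_text("echo original build step\n")
        weak_before, hard_before = dockerfile_only_key(ctx), context_aware_key(ctx)
        (ctx / "scripts/setup.sh").write_text("echo rewritten build step\n")  # the PR edits the script only
        weak_after, hard_after = dockerfile_only_key(ctx), context_aware_key(ctx)
    return {"weak": (weak_before, weak_after), "hardened": (hard_before, hard_after)}
```

`demo()` returns identical "weak" keys before and after the script edit and differing "hardened" keys, which is exactly the difference that lets a cached image survive a rewritten PR branch.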
