Open
Labels: hcc/jira, stage/accepted (Confirmed, and intend to work on. No timeline commitment though.), theme/client, theme/security, type/bug
Description
Nomad version
1.10.5
Operating system and Environment details
Arch Linux
Issue
When one tries to download a tar artifact with filesystem isolation disabled the deployment fails the artifact inspection introduced in #26608.
Reproduction steps
Create a tar file and upload it somewhere:
```sh
touch bar
tar --owner=0 --group=0 cvf foo.tar ./bar
```
The created tar file should look like this:
```
./bar0000664000000000000000000000000015067231533010375 0ustar rootroot
```
Disable the filesystem isolation on the nomad client you test this on:
```hcl
client {
  artifact {
    disable_filesystem_isolation = true
    disable_artifact_inspection  = false
  }
}
```
Run the following job file:
```hcl
job "test" {
  type = "service"
  group "test" {
    count = 1
    task "test" {
      driver = "exec"
      config {
        command = "sleep"
        args = [
          "inf"
        ]
      }
      artifact {
        source = "https://fb.hash.works/UWmjs/foo.tar"
      }
      resources {
        cpu    = 100
        memory = 100
      }
    }
  }
}
```
Expected Result
The artifact inspection succeeds since the artifact does not link outside the alloc root.
Actual Result
The artifact inspection fails:
```
failed to download artifact "https://fb.hash.works/UWmjs/foo.tar": artifact includes symlink that resolves outside of sandbox
```
Tests
I tried to replicate this as a Go test in sandbox_test.go, but this is green:
```go
t.Run("no-symlink-in-tar", func(t *testing.T) {
	artifact := &structs.TaskArtifact{
		RelativeDest: "local/no-symlink",
		GetterSource: "https://fb.hash.works/UWmjs/foo.tar",
	}
	ac := artifactConfig(2 * time.Second)
	sbox := New(ac, logger)
	_, taskDir := SetupDir(t)
	env := noopTaskEnv(taskDir)
	sbox.ac.DisableFilesystemIsolation = true
	// err is declared here; the snippet has no earlier declaration to assign to
	err := sbox.Get(env, artifact, "nobody")
	must.NoError(t, err)
})
```
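As an added illustration of the check the report expects (this is not Nomad's own inspection code), the following walks a tar stream and rejects only members whose own path, or whose symlink/hardlink target, resolves outside the extraction directory, so a regular-file-only archive like the `./bar` one above passes. It assumes Go 1.20+ for `filepath.IsLocal`; the archives produced by `MakeTar` are constructed test input.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"path/filepath"
)

// InspectTar reads a tar stream and rejects only members that could escape the
// extraction directory. A plain regular file such as "./bar" is accepted.
func InspectTar(r io.Reader) error {
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return nil
		}
		if err != nil {
			return err
		}
		// Not local: absolute, or climbs above the extraction dir after cleaning.
		if !filepath.IsLocal(hdr.Name) {
			return fmt.Errorf("entry %q is outside of sandbox", hdr.Name)
		}
		if hdr.Typeflag != tar.TypeSymlink && hdr.Typeflag != tar.TypeLink {
			continue // regular files, dirs, etc. cannot redirect writes
		}
		// Symlink targets resolve from the link's directory; hardlink targets
		// are archive paths. An absolute target is never local.
		target := hdr.Linkname
		if hdr.Typeflag == tar.TypeSymlink && !filepath.IsAbs(hdr.Linkname) {
			target = filepath.Join(filepath.Dir(hdr.Name), hdr.Linkname)
		}
		if !filepath.IsLocal(target) {
			return fmt.Errorf("%q links to %q, which resolves outside of sandbox", hdr.Name, hdr.Linkname)
		}
	}
}

// MakeTar builds an in-memory, header-only archive (constructed test input).
func MakeTar(hdrs ...tar.Header) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for i := range hdrs {
		tw.WriteHeader(&hdrs[i]) // Size is 0, so no body bytes follow
	}
	tw.Close()
	return buf.Bytes()
}
```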
Project status: Needs Roadmapping