Skip to content

[artifact] only inspect artifact contents #26892

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

[artifact] only inspect artifact contents #26892

wants to merge 1 commit into from

Conversation

chrisroberts
Copy link
Member

Description

Artifact inspection would inspect the alloc directory for symlinks
pointing outside of the alloc directory. This can be problematic
for drivers like the raw exec driver which provide the root system
and will likely include symlinks.

Inspecting only the artifact after being fetched can be difficult if
the artifact is fetched to a pre-existing destination as it would
require discerning between new and old paths. Instead, if an artifact
is to be inspected, it is fetched to a temporary location. The isolated
artifact is then inspected before being moved to its final destination.

The behavior of the artifact getter will be inconsistent when artifact
inspection is enabled versus when it is disabled. This is due to the
behavior difference of go-getter with different sources. Because
go-getter does not behave consistently across different source types,
there will be situations where fetching errors may be encountered
when inspection is disabled but fetching is successful when enabled.

Testing & Reproduction steps

Reproduction steps are described in #26865

Links

Fixes #26865

Contributor Checklist

  • Changelog Entry If this PR changes user-facing behavior, please generate and add a
    changelog entry using the make cl command.
  • Testing Please add tests to cover any new functionality or to demonstrate bug fixes and
    ensure regressions will be caught.
  • Documentation If the change impacts user-facing functionality such as the CLI, API, UI,
    and job configuration, please update the Nomad website documentation to reflect this. Refer to
    the website README for docs guidelines. Please also consider whether the
    change requires notes within the upgrade guide.

Reviewer Checklist

  • Backport Labels Please add the correct backport labels as described by the internal
    backporting document.
  • Commit Type Ensure the correct merge method is selected which should be "squash and merge"
    in the majority of situations. The main exceptions are long-lived feature branches or merges where
    history should be preserved.
  • Enterprise PRs If this is an enterprise only PR, please add any required changelog entry
    within the public repository.
  • If a change needs to be reverted, we will roll out an update to the code within 7 days.

Changes to Security Controls

Are there any changes to security controls (access controls, encryption, logging) in this pull request? If so, explain.

@chrisroberts
[artifact] only inspect artifact contents
b7738b2 
Artifact inspection would inspect the alloc directory for symlinks
pointing outside of the alloc directory. This can be problematic
for drivers like the raw exec driver which provide the root system
and will likely include symlinks.

Inspecting only the artifact after being fetched can be difficult if
the artifact is fetched to a pre-existing destination as it would
require discerning between new and old paths. Instead, if an artifact
is to be inspected, it is fetched to a temporary location. The isolated
artifact is then inspected before being moved to its final destination.
@chrisroberts chrisroberts marked this pull request as ready for review October 8, 2025 20:53
@chrisroberts chrisroberts requested review from a team as code owners October 8, 2025 20:53
mismithhisler
mismithhisler reviewed Oct 9, 2025
View reviewed changes
client/allocrunner/taskrunner/getter/util.go
}
}

if err := mergeDirectories(env.Destination, finalDest); err != nil {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is the purpose of this merge so that we don't error or override contents that may already exist in the finalDest?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So go-getter has two behaviors based on the source used:

  1. unpack/place artifact files within an existing directory structure (overwriting files on collision)
  2. delete destination directory and unpack/place artifact files

This is using the first approach (and gets into some of the behavior inconsistencies noted in the description).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mismithhisler mismithhisler mismithhisler left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Tar artifact without symlink triggers sandbox escape check

2 participants

@chrisroberts @mismithhisler