Generate script heredoc to prevent collisions

tektoncd · Oct 22, 2019 · 585e04a · 585e04a
1 parent 3e95011
commit 585e04a
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 12 deletions.
diff --git a/examples/taskruns/step-script.yaml b/examples/taskruns/step-script.yaml
@@ -32,6 +32,15 @@ spec:
  #!/usr/bin/env bash
  /workspace/hello
 
+ - name: contains-eof
+ image: ubuntu
+ script: |
+ #!/usr/bin/env bash
+ cat > file << EOF
+ this file has some contents
+ EOF
+ cat file
+
  - name: node
  image: node
  script: |

diff --git a/pkg/reconciler/taskrun/resources/pod.go b/pkg/reconciler/taskrun/resources/pod.go
@@ -305,16 +305,25 @@ func MakePod(images pipeline.Images, taskRun *v1alpha1.TaskRun, taskSpec v1alpha
  // Append to the place-scripts script to place the
  // script file in a known location in the scripts volume.
  tmpFile := filepath.Join(scriptsDir, names.SimpleNameGenerator.RestrictLengthWithRandomSuffix(fmt.Sprintf("script-%d", i)))
- // NOTE: quotes around 'EOF' are important. Without
- // them, ${}s in the file are interpreted as env vars
- // and likely end up replaced with empty strings. See
+ // heredoc is the "here document" placeholder string
+ // used to cat script contents into the file. Typically
+ // this is the string "EOF" but if this value were
+ // "EOF" it would prevent users from including the
+ // string "EOF" in their own scripts. Instead we
+ // randomly generate a string to (hopefully) prevent
+ // collisions.
+ heredoc := names.SimpleNameGenerator.RestrictLengthWithRandomSuffix("script-heredoc-randomly-generated")
+ // NOTE: quotes around the heredoc string are
+ // important. Without them, ${}s in the file are
+ // interpreted as env vars and likely end up replaced
+ // with empty strings. See
  // https://stackoverflow.com/a/27921346
  placeScriptsStep.Args[1] += fmt.Sprintf(`tmpfile="%s"
 touch ${tmpfile} && chmod +x ${tmpfile}
-cat > ${tmpfile} << 'EOF'
+cat > ${tmpfile} << '%s'
 %s
-EOF
-`, tmpFile, s.Script)
+%s
+`, tmpFile, heredoc, s.Script, heredoc)
  // The entrypoint redirecter has already run on this
  // step, so we just need to replace the image's
  // entrypoint (if any) with the script to run.

diff --git a/pkg/reconciler/taskrun/resources/pod_test.go b/pkg/reconciler/taskrun/resources/pod_test.go
@@ -512,15 +512,15 @@ print("Hello from Python")`,
  TTY: true,
  Args: []string{"-args", `tmpfile="/builder/scripts/script-0-mssqb"
 touch ${tmpfile} && chmod +x ${tmpfile}
-cat > ${tmpfile} << 'EOF'
+cat > ${tmpfile} << 'script-heredoc-randomly-generated-78c5n'
 echo hello from step one
-EOF
-tmpfile="/builder/scripts/script-1-78c5n"
+script-heredoc-randomly-generated-78c5n
+tmpfile="/builder/scripts/script-1-6nl7g"
 touch ${tmpfile} && chmod +x ${tmpfile}
-cat > ${tmpfile} << 'EOF'
+cat > ${tmpfile} << 'script-heredoc-randomly-generated-j2tds'
 #!/usr/bin/env python
 print("Hello from Python")
-EOF
+script-heredoc-randomly-generated-j2tds
 `},
  VolumeMounts: []corev1.VolumeMount{scriptsVolumeMount},
  }},
@@ -543,7 +543,7 @@ EOF
  Name: "step-two",
  Image: "image",
  Command: []string{"entrypointer"},
- Args: []string{"wait-file", "out-file", "-entrypoint", "/builder/scripts/script-1-78c5n"},
+ Args: []string{"wait-file", "out-file", "-entrypoint", "/builder/scripts/script-1-6nl7g"},
  Env: implicitEnvVars,
  VolumeMounts: append([]corev1.VolumeMount{{Name: "i-have-a-volume-mount"}}, append(implicitVolumeMounts, scriptsVolumeMount)...),
  WorkingDir: workspaceDir,