mirror of
https://github.com/docker/compose.git
synced 2026-05-13 13:58:02 +00:00
2bbb88acf9
- https://github.com/golang/go/issues?q=milestone%3AGo1.26.3+label%3ACherryPickApproved - full diff: https://github.com/golang/go/compare/go1.26.2...go1.26.3 This release include 11 security fixes: - cmd/go: malicious module proxy can bypass checksum database A malicious module proxy could exploit a flaw in the go command's validation of module checksums to bypass checksum database validation. This vulnerability affects any user using an untrusted module proxy (GOMODPROXY) or checksum database (GOSUMDB). A malicious module proxy can serve altered versions of the Go toolchain. When selecting a different version of the Go toolchain than the currently installed toolchain (due to the GOTOOLCHAIN environment variable, or a go.work or go.mod with a toolchain line), the go command will download and execute a toolchain provided by the module proxy. A malicious module proxy can bypass checksum database validation for this downloaded toolchain. Since this vulnerability affects the security of toolchain downloads, setting GOTOOLCHAIN to a fixed version is not sufficient. You must upgrade your base Go toolchain. The go tool always validates the hash of a toolchain before executing it, so fixed versions will refuse to execute any cached, altered versions of the toolchain. The go tool trusts go.sum files to contain accurate hashes of the current module's dependencies. A malicious proxy exploiting this vulnerability to serve an altered module will have caused an incorrect hash to be recorded in the go.sum. Users who have configured a non-trusted GOPROXY can determine if they have been affected by running "rm go.sum ; go mod tidy ; go mod verify", which will revalidate all dependencies of the current module. The specific flaw in more detail: The go command consults the checksum database to validate downloaded modules, when a module is not listed in the go.sum file. It verifies that the module hash reported by the checksum database matches the hash of the downloaded module. If, however, the checksum database returns a successful response that contains no entry for the module, the go command incorrectly permitted validation to succeed. A module proxy may mirror or proxy the checksum database, in which case the go command will not connect to the checksum database directly. Checksums reported by the checksum database are cryptographically signed, so a malicious proxy cannot alter the reported checksum for a module. However, a proxy which returns an empty checksum response, or a checksum response for an unrelated module, could cause the go command to proceed as if a downloaded module has been validated. The go command now properly checks checksum database responses to ensure that the expected module signature is present, not just that if a signature is present it matches the expectation. Thanks to Mundur (https://github.com/M0nd0R) for reporting this issue. This is CVE-2026-42501 and Go issue https://go.dev/issue/79070. - net/http/httputil: ReverseProxy forwards queries with more than urlmaxqueryparams parameters When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.ParseQuery. ReverseProxy did not take ParseQuery's limit on the total number of query parameters (controlled by GODEBUG=urlmaxqueryparams=N) into account. This could permit ReverseProxy to forward a request containing a query parameter that was not visible to the Rewrite function. For example, the query "a1=x&a2=x&...&a10000=x&hidden=y" could forward the parameter "hidden=y" while hiding it from the proxy's Rewrite function. ReverseProxy now avoids forwarding parameters that exceed the ParseQuery limit. This is CVE-2026-39825 and Go issue https://go.dev/issue/78948. - net: panic in Dial and LookupPort when handling NUL byte on Windows The Dial and LookupPort functions would panic on Windows when provided with an input containing a NUL (0). These functions now return an error rather than panicking. This is CVE-2026-39836 and Go issue https://go.dev/issue/79006. - net/mail: quadratic string concatenation in consumePhrase Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322. This is CVE-2026-42499 and Go issue https://go.dev/issue/78987. - net/mail: quadratic string concatentation in consumeComment Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations. This is CVE-2026-39820 and Go issue https://go.dev/issue/78566. - cmd/go: "go bug" follows symlinks in predictable temporary filenames The "go bug" command wrote to two files with predictable names in the system temporary directory (for example, "/tmp"). An attacker with access to the temporary directory could create a symlink in one of these names, causing "go bug" to overwrite the target of the symlink. The "go bug" command now uses os.MkdirTemp to create a safe working directory. Thanks to Harshit Gupta (Mr HAX) for reporting this issue. This is CVE-2026-39819 and Go issue https://go.dev/issue/78584. - cmd/go: "go tool pack" does not sanitize output paths The "go tool pack" subcommand is a minimal version of the Unix ar utility. It is used by the compiler as an internal tool with known-good inputs. The "pack" subcommand did not sanitize output filenames. When invoked to extract a malicious archive file, it could write files to arbitrary locations on the filesystem. The "pack" subcommand now refuses to extract files with names containing any directory components. Thanks to Harshit Gupta (Mr HAX) for reporting this issue. This is CVE-2026-39817 and Go issue https://go.dev/issue/78778. - net/http: infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0. This allows potential DoS against a client by a malicious server. HTTP/2 transport now properly checks that the received SETTINGS_MAX_FRAME_SIZE is valid. Thanks to Marwan Atia (marwansamir688@gmail.com) for reporting this issue. This is CVE-2026-33814 and Go issue https://go.dev/issue/78476. - html/template: escaper bypass leads to XSS If a trusted template author were to write a tag containing an empty type attribute or a type attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the block. Thanks to Mundur (https://github.com/M0nd0R) for reporting this issue. This is CVE-2026-39826 and Go issue https://go.dev/issue/78981. - net: crash when handling long CNAME response When using LookupCNAME with the cgo DNS resolver, a very long CNAME response could trigger a double-free of C memory and a crash. The double-free has been fixed. Thanks to hamayanhamayan for reporting this issue. This is CVE-2026-33811 and Go issue https://go.dev/issue/78803. - html/template: bypass of meta content URL escaping causes XSS CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a tag's attribute. If the URL content were to insert ASCII whitespaces around the = rune inside of the attribute, the escaper would fail to similarly escape it, leading to XSS. Dynamic inputs to a tag's attribute are now whitespace sanitized prior to escaping. Thanks to Samy Ghannad for reporting this issue. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
210 lines
6.8 KiB
Docker
210 lines
6.8 KiB
Docker
# syntax=docker/dockerfile:1
|
|
|
|
|
|
# Copyright 2020 Docker Compose CLI authors
|
|
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
ARG GO_VERSION=1.26.3
|
|
ARG XX_VERSION=1.9.0
|
|
ARG GOLANGCI_LINT_VERSION=v2.11.3
|
|
ARG ADDLICENSE_VERSION=v1.0.0
|
|
|
|
ARG BUILD_TAGS="e2e"
|
|
ARG DOCS_FORMATS="md,yaml"
|
|
ARG LICENSE_FILES=".*\(Dockerfile\|Makefile\|\.go\|\.hcl\|\.sh\)"
|
|
|
|
# xx is a helper for cross-compilation
|
|
FROM --platform=${BUILDPLATFORM} tonistiigi/xx:${XX_VERSION} AS xx
|
|
|
|
# osxcross contains the MacOSX cross toolchain for xx
|
|
FROM crazymax/osxcross:15.5-alpine AS osxcross
|
|
|
|
FROM golangci/golangci-lint:${GOLANGCI_LINT_VERSION}-alpine AS golangci-lint
|
|
FROM ghcr.io/google/addlicense:${ADDLICENSE_VERSION} AS addlicense
|
|
|
|
FROM --platform=${BUILDPLATFORM} golang:${GO_VERSION}-alpine3.22 AS base
|
|
COPY --from=xx / /
|
|
RUN apk add --no-cache \
|
|
clang \
|
|
docker \
|
|
file \
|
|
findutils \
|
|
git \
|
|
make \
|
|
protoc \
|
|
protobuf-dev
|
|
WORKDIR /src
|
|
ENV CGO_ENABLED=0
|
|
|
|
FROM base AS build-base
|
|
COPY go.* .
|
|
RUN --mount=type=cache,target=/go/pkg/mod \
|
|
--mount=type=cache,target=/root/.cache/go-build \
|
|
go mod download
|
|
|
|
FROM build-base AS vendored
|
|
RUN --mount=type=bind,target=.,rw \
|
|
--mount=type=cache,target=/go/pkg/mod \
|
|
go mod tidy && mkdir /out && cp go.mod go.sum /out
|
|
|
|
FROM scratch AS vendor-update
|
|
COPY --from=vendored /out /
|
|
|
|
FROM vendored AS vendor-validate
|
|
RUN --mount=type=bind,target=.,rw <<EOT
|
|
set -e
|
|
git add -A
|
|
cp -rf /out/* .
|
|
diff=$(git status --porcelain -- go.mod go.sum)
|
|
if [ -n "$diff" ]; then
|
|
echo >&2 'ERROR: Vendor result differs. Please vendor your package with "make go-mod-tidy"'
|
|
echo "$diff"
|
|
exit 1
|
|
fi
|
|
EOT
|
|
|
|
FROM build-base AS build
|
|
ARG BUILD_TAGS
|
|
ARG BUILD_FLAGS
|
|
ARG TARGETPLATFORM
|
|
RUN --mount=type=bind,target=. \
|
|
--mount=type=cache,target=/root/.cache \
|
|
--mount=type=cache,target=/go/pkg/mod \
|
|
--mount=type=bind,from=osxcross,src=/osxsdk,target=/xx-sdk \
|
|
xx-go --wrap && \
|
|
if [ "$(xx-info os)" == "darwin" ]; then export CGO_ENABLED=1; export BUILD_TAGS=fsnotify,$BUILD_TAGS; fi && \
|
|
make build GO_BUILDTAGS="$BUILD_TAGS" DESTDIR=/out && \
|
|
xx-verify --static /out/docker-compose
|
|
|
|
FROM build-base AS lint
|
|
ARG BUILD_TAGS
|
|
ENV GOLANGCI_LINT_CACHE=/cache/golangci-lint
|
|
RUN --mount=type=bind,target=. \
|
|
--mount=type=cache,target=/root/.cache \
|
|
--mount=type=cache,target=/go/pkg/mod \
|
|
--mount=type=cache,target=/cache/golangci-lint \
|
|
--mount=from=golangci-lint,source=/usr/bin/golangci-lint,target=/usr/bin/golangci-lint \
|
|
golangci-lint cache status && \
|
|
golangci-lint run --build-tags "$BUILD_TAGS" ./...
|
|
|
|
FROM build-base AS test
|
|
ARG CGO_ENABLED=0
|
|
ARG BUILD_TAGS
|
|
RUN --mount=type=bind,target=. \
|
|
--mount=type=cache,target=/root/.cache \
|
|
--mount=type=cache,target=/go/pkg/mod \
|
|
rm -rf /tmp/coverage && \
|
|
mkdir -p /tmp/coverage && \
|
|
rm -rf /tmp/report && \
|
|
mkdir -p /tmp/report && \
|
|
go run gotest.tools/gotestsum@latest --format testname --junitfile "/tmp/report/report.xml" -- -tags "$BUILD_TAGS" -v -cover -covermode=atomic $(go list $(TAGS) ./... | grep -vE 'e2e') -args -test.gocoverdir="/tmp/coverage" && \
|
|
go tool covdata percent -i=/tmp/coverage
|
|
|
|
FROM scratch AS test-coverage
|
|
COPY --from=test --link /tmp/coverage /
|
|
COPY --from=test --link /tmp/report /
|
|
|
|
FROM base AS license-set
|
|
ARG LICENSE_FILES
|
|
RUN --mount=type=bind,target=.,rw \
|
|
--mount=from=addlicense,source=/app/addlicense,target=/usr/bin/addlicense \
|
|
find . -regex "${LICENSE_FILES}" | xargs addlicense -c 'Docker Compose CLI' -l apache && \
|
|
mkdir /out && \
|
|
find . -regex "${LICENSE_FILES}" | cpio -pdm /out
|
|
|
|
FROM scratch AS license-update
|
|
COPY --from=set /out /
|
|
|
|
FROM base AS license-validate
|
|
ARG LICENSE_FILES
|
|
RUN --mount=type=bind,target=. \
|
|
--mount=from=addlicense,source=/app/addlicense,target=/usr/bin/addlicense \
|
|
find . -regex "${LICENSE_FILES}" | xargs addlicense -check -c 'Docker Compose CLI' -l apache -ignore validate -ignore testdata -ignore resolvepath -v
|
|
|
|
FROM base AS docsgen
|
|
WORKDIR /src
|
|
RUN --mount=target=. \
|
|
--mount=target=/root/.cache,type=cache \
|
|
--mount=type=cache,target=/go/pkg/mod \
|
|
go build -o /out/docsgen ./docs/yaml/main/generate.go
|
|
|
|
FROM --platform=${BUILDPLATFORM} alpine AS docs-build
|
|
RUN apk add --no-cache rsync git
|
|
WORKDIR /src
|
|
COPY --from=docsgen /out/docsgen /usr/bin
|
|
ARG DOCS_FORMATS
|
|
RUN --mount=target=/context \
|
|
--mount=target=.,type=tmpfs <<EOT
|
|
set -e
|
|
rsync -a /context/. .
|
|
docsgen --formats "$DOCS_FORMATS" --source "docs/reference"
|
|
mkdir /out
|
|
cp -r docs/reference /out
|
|
EOT
|
|
|
|
FROM scratch AS docs-update
|
|
COPY --from=docs-build /out /out
|
|
|
|
FROM docs-build AS docs-validate
|
|
RUN --mount=target=/context \
|
|
--mount=target=.,type=tmpfs <<EOT
|
|
set -e
|
|
rsync -a /context/. .
|
|
git add -A
|
|
rm -rf docs/reference/*
|
|
cp -rf /out/* ./docs/
|
|
if [ -n "$(git status --porcelain -- docs/reference)" ]; then
|
|
echo >&2 'ERROR: Docs result differs. Please update with "make docs"'
|
|
git status --porcelain -- docs/reference
|
|
exit 1
|
|
fi
|
|
EOT
|
|
|
|
FROM scratch AS binary-unix
|
|
COPY --link --from=build /out/docker-compose /
|
|
FROM binary-unix AS binary-darwin
|
|
FROM binary-unix AS binary-linux
|
|
FROM scratch AS binary-windows
|
|
COPY --link --from=build /out/docker-compose /docker-compose.exe
|
|
FROM binary-$TARGETOS AS binary
|
|
# enable scanning for this stage
|
|
ARG BUILDKIT_SBOM_SCAN_STAGE=true
|
|
|
|
FROM --platform=$BUILDPLATFORM alpine AS releaser
|
|
WORKDIR /work
|
|
ARG TARGETOS
|
|
ARG TARGETARCH
|
|
ARG TARGETVARIANT
|
|
RUN --mount=from=binary \
|
|
mkdir -p /out && \
|
|
# TODO: should just use standard arch
|
|
TARGETARCH=$([ "$TARGETARCH" = "amd64" ] && echo "x86_64" || echo "$TARGETARCH"); \
|
|
TARGETARCH=$([ "$TARGETARCH" = "arm64" ] && echo "aarch64" || echo "$TARGETARCH"); \
|
|
cp docker-compose* "/out/docker-compose-${TARGETOS}-${TARGETARCH}${TARGETVARIANT}$(ls docker-compose* | sed -e 's/^docker-compose//')"
|
|
|
|
FROM scratch AS release
|
|
COPY --from=releaser /out/ /
|
|
|
|
FROM --platform=$BUILDPLATFORM alpine AS module-releaser
|
|
WORKDIR /work
|
|
ARG TARGETOS
|
|
RUN --mount=from=binary \
|
|
mkdir -p /cli-plugins/compose/$TARGETOS && \
|
|
cp docker-compose* "/cli-plugins/compose/$TARGETOS/docker-compose$(ls docker-compose* | sed -e 's/^docker-compose//')"
|
|
|
|
FROM scratch AS module
|
|
ARG TARGETOS
|
|
COPY --from=module-releaser /cli-plugins/compose/$TARGETOS /cli-plugins/compose/$TARGETOS
|
|
COPY ./desktop-module/module-metadata.json /
|
|
COPY LICENSE /
|