✔️ Azure CLI Extensions Breaking Change Test
Thank you for your contribution! We will review the pull request and get back to you soon.
The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR. Please sync the latest code with the latest dev branch (for azure-cli) or main branch (for azure-cli-extensions).
    pip install azdev --upgrade
    azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>
Pull request overview
This PR reverts the confcom extension from version 1.5.0 back to 1.4.5 due to bugs introduced in PR #9477. The revert removes recently added fragment management commands and restores previous test infrastructure.
Key Changes
- Revert version from 1.5.0 to 1.4.5 in setup.py and remove 1.5.0 entry from index.json
- Remove `confcom fragment push` and `confcom fragment attach` commands and their implementations
- Restore previous test infrastructure for certificate chain generation and tar file handling
- Remove genpolicy-settings.json configuration file and inline BUNDLE_ID constant in rules.rego
Reviewed changes
Copilot reviewed 18 out of 18 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| src/index.json | Removes the 1.5.0 extension entry from the registry index |
| src/confcom/setup.py | Reverts version number from 1.5.0 to 1.4.5 |
| src/confcom/HISTORY.rst | Removes 1.5.0 release notes |
| src/confcom/azext_confcom/custom.py | Removes fragment push/attach command implementations and reverts upload_fragment logic |
| src/confcom/azext_confcom/commands.py | Removes fragment command group registrations |
| src/confcom/azext_confcom/_params.py | Removes fragment command parameter definitions |
| src/confcom/azext_confcom/_help.py | Removes fragment command help documentation |
| src/confcom/azext_confcom/command/fragment_push.py | Deletes entire fragment push command implementation file |
| src/confcom/azext_confcom/command/fragment_attach.py | Deletes entire fragment attach command implementation file |
| src/confcom/azext_confcom/tests/latest/test_confcom_acifragmentgen.py | Deletes entire test file for fragment generation |
| src/confcom/azext_confcom/tests/latest/test_confcom_virtual_node.py | Reverts certificate chain generation to use local directory and shell=True |
| src/confcom/azext_confcom/tests/latest/test_confcom_fragment.py | Similar certificate chain generation changes and tar file path handling |
| src/confcom/azext_confcom/tests/latest/test_confcom_tar.py | Changes tar file output path from temp directory to test directory |
| src/confcom/azext_confcom/tests/latest/test_confcom_arm.py | Simplifies Docker cleanup by removing fcntl-based locking |
| src/confcom/azext_confcom/data/rules.rego | Inlines BUNDLE_ID regex pattern instead of using constant |
| src/confcom/azext_confcom/data/genpolicy-settings.json | Deletes entire configuration file |
| src/confcom/samples/certs/create_certchain.sh | Removes output path parameter support, uses script directory only |
| linter_exclusions.yml | Removes linter exclusions for fragment commands |
Comments suppressed due to low confidence (1)
src/confcom/azext_confcom/data/rules.rego:485
- In `allow_by_bundle_or_sandbox_id`, `bundle_id` is derived from the untrusted annotation `i_oci.Annotations["io.katacontainers.pkg.oci.bundle_path"]` and is no longer constrained to a safe `[a-z0-9]{64}` format before being substituted into paths and regexes (e.g., `allow_root_path`, `mount_source_allows`, `allow_mount_point`). Without this validation, an attacker who can influence that annotation can inject `../` segments or regex metacharacters so that root paths and mount sources outside the intended bundle directory still satisfy these checks, enabling unauthorized host filesystem access via path traversal. You should reintroduce a strict pattern check on `bundle_id` (and/or explicitly reject values containing traversal or regex metacharacters) before using it in path or regex construction so that only canonical bundle IDs are accepted.
bundle_path := i_oci.Annotations["io.katacontainers.pkg.oci.bundle_path"]
bundle_id := replace(bundle_path, "/run/containerd/io.containerd.runtime.v2.task/k8s.io/", "")
key := "io.kubernetes.cri.sandbox-id"
p_regex := p_oci.Annotations[key]
sandbox_id := i_oci.Annotations[key]
print("allow_by_bundle_or_sandbox_id: sandbox_id =", sandbox_id, "regex =", p_regex)
regex.match(p_regex, sandbox_id)
allow_root_path(p_oci, i_oci, bundle_id)
every i_mount in input.OCI.Mounts {
allow_mount(p_oci, i_mount, bundle_id, sandbox_id)
}
allow_storages(p_storages, i_storages, bundle_id, sandbox_id)
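To make the concern in the suppressed comment concrete, here is an added Python example (not code from the PR, the confcom extension or genpolicy) that re-creates the `bundle_id` derivation quoted above and runs it against crafted annotations with and without the `[a-z0-9]{64}` check. The `$(bundle-id)` templates, the two simplified check functions and the `evaluate` wrapper are assumptions made for the illustration; the real `allow_root_path` and `mount_source_allows` rules are more involved.

```python
import os
import re

# Added example, not code from the PR, the confcom extension or genpolicy.
# It mirrors the derivation quoted above (strip the containerd task prefix
# from the bundle_path annotation) so the effect of dropping the strict
# [a-z0-9]{64} check can be seen. The policy templates with a "$(bundle-id)"
# placeholder and the two check functions are assumptions in the style of
# the Rego rules, not the real allow_root_path / mount_source_allows.

TASK_PREFIX = "/run/containerd/io.containerd.runtime.v2.task/k8s.io/"
STRICT_BUNDLE_ID = re.compile(r"^[a-z0-9]{64}$")

# Policy-side templates (assumed): the placeholder is replaced with the
# bundle_id taken from the *input* annotation before the comparison.
P_ROOT_PATH = TASK_PREFIX + "$(bundle-id)/rootfs"
P_MOUNT_SOURCE_RE = "^" + re.escape(TASK_PREFIX) + "$(bundle-id)/rootfs/.*$"


def derive_bundle_id(bundle_path: str) -> str:
    """Same as replace(bundle_path, TASK_PREFIX, "") in the rule quoted above."""
    return bundle_path.replace(TASK_PREFIX, "")


def is_canonical_bundle_id(bundle_id: str) -> bool:
    """The check the comment asks to reintroduce: exactly 64 [a-z0-9] chars."""
    return STRICT_BUNDLE_ID.fullmatch(bundle_id) is not None


def allow_root_path(bundle_id: str, i_root_path: str) -> bool:
    """Unchecked: plain string equality after substituting bundle_id."""
    return i_root_path == P_ROOT_PATH.replace("$(bundle-id)", bundle_id)


def mount_source_allows(bundle_id: str, i_source: str) -> bool:
    """Unchecked: bundle_id is spliced into a regex before matching."""
    pattern = P_MOUNT_SOURCE_RE.replace("$(bundle-id)", bundle_id)
    return re.match(pattern, i_source) is not None


def escapes_task_dir(path: str) -> bool:
    """What the host sees once '..' segments are resolved."""
    return not os.path.normpath(path).startswith(TASK_PREFIX)


def evaluate(bundle_path: str, i_root_path: str, i_source: str, strict: bool) -> bool:
    """Run both checks for one input; with strict=True the pattern check gates them."""
    bundle_id = derive_bundle_id(bundle_path)
    if strict and not is_canonical_bundle_id(bundle_id):
        return False
    return allow_root_path(bundle_id, i_root_path) and mount_source_allows(bundle_id, i_source)


# Constructed inputs for the demonstration.
GOOD_ID = "a" * 64
TRAV_ID = "../../../../host"   # four '..' climb out of the task directory
WILD_ID = ".*"                 # regex metacharacters, not a bundle id

if __name__ == "__main__":
    good_root = TASK_PREFIX + GOOD_ID + "/rootfs"
    print("canonical id, strict:", evaluate(TASK_PREFIX + GOOD_ID, good_root, good_root + "/etc", True))
    trav_root = TASK_PREFIX + TRAV_ID + "/rootfs"
    print("traversal id, unchecked:", evaluate(TASK_PREFIX + TRAV_ID, trav_root, trav_root + "/etc", False))
    print("  resolves to", os.path.normpath(trav_root), "escapes:", escapes_task_dir(trav_root))
    print("traversal id, strict:", evaluate(TASK_PREFIX + TRAV_ID, trav_root, trav_root + "/etc", True))
    other_sandbox = TASK_PREFIX + "b" * 64 + "/rootfs/etc/shadow"
    print("wildcard id accepts another sandbox's rootfs:", mount_source_allows(WILD_ID, other_sandbox))
```

The traversal case passes the unchecked equality test only because both sides contain the same `..` segments; once the runtime resolves the path it lands outside the task directory. The wildcard case shows the second failure mode named in the comment: a `bundle_id` that is itself a regex widens the mount-source pattern to every sandbox. The strict pattern rejects both before either string is built.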
| with tempfile.TemporaryDirectory() as folder: | ||
| filename = os.path.join(folder, "oci.tar") | ||
| filename2 = os.path.join(folder, "oci2.tar") | ||
| filename2 = os.path.join(self.path, "oci2.tar") |
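Review bot: `filename2` now lives in `self.path` while `filename` stays inside the temporary `folder`, so the two archives no longer share a lifetime: `oci.tar` disappears when the `with` block exits, but `oci2.tar` is left in the test directory unless the test removes it explicitly, and two concurrent runs of this test write the same `oci2.tar`. Keep `filename2 = os.path.join(folder, "oci2.tar")` (the removed line), or, if the archive must sit in the test directory, register its removal with `self.addCleanup` and give it a per-run unique name.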
The change in filename2 path from os.path.join(folder, "oci2.tar") to os.path.join(self.path, "oci2.tar") means the tar file will be created in the test directory instead of the temporary directory. This could cause test artifacts to persist in the repository and may lead to race conditions when tests run in parallel. The file should be created in the temporary directory to ensure proper cleanup and avoid conflicts.
| arg_list, | ||
| check=False, | ||
| shell=False, | ||
| shell=True, |
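Review bot: `shell=True` paired with the list `arg_list` changes what gets executed, not just how: on POSIX, subprocess runs `/bin/sh -c <arg_list[0]>` and hands the remaining elements to the shell as positional parameters (`$0`, `$1`, ...), so everything after the program name is silently dropped and the command runs with no arguments. Restore `shell=False`, the removed line; if a shell feature is really required, pass a single string built with `shlex.join(arg_list)` so each argument is quoted and survives intact.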
Setting shell=True with a list as the first argument can be a security risk and may not work as expected on all platforms. When shell=True is used, the command should be passed as a single string, not a list. Additionally, shell=True can introduce security vulnerabilities if any input is not properly sanitized. Consider using shell=False (the original value) or converting the arg_list to a string if shell features are truly needed.
| arg_list, | ||
| check=False, | ||
| shell=False, | ||
| shell=True, |
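Review bot: same defect as the other `subprocess.run` call in this revert: with `shell=True` the list `arg_list` is not executed as one command; only `arg_list[0]` reaches `sh -c` and the rest become the shell's positional parameters, so the arguments are lost and the `check=False` right above it hides the resulting failure. Keep `shell=False` or convert to one quoted string with `shlex.join(arg_list)`, and apply the same choice in the other test file so the two helpers do not diverge.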
Setting shell=True with a list as the first argument can be a security risk and may not work as expected on all platforms. When shell=True is used, the command should be passed as a single string, not a list. Additionally, shell=True can introduce security vulnerabilities if any input is not properly sanitized. Consider using shell=False (the original value) or converting the arg_list to a string if shell features are truly needed.
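Both subprocess comments above describe the same two hazards. The following added Python example (not part of the PR or the confcom tests) demonstrates them with harmless `echo` commands on a POSIX shell: a list passed with `shell=True` loses its arguments, and a string assembled from untrusted text with `shell=True` executes that text. `shlex.join` is shown as the way to get a single, safely quoted string when a shell really is needed.

```python
import os
import shlex
import subprocess

# Added example, not from the PR or the confcom test suite. Every command here
# is a harmless echo; the untrusted text is constructed for the demonstration.
# Assumes a POSIX /bin/sh, which is where the shown behaviour applies.

POSIX = os.name == "posix"


def _run(cmd, shell):
    return subprocess.run(cmd, shell=shell, check=False,
                          capture_output=True, text=True).stdout


def run_list_with_shell(arg_list):
    """The reverted pattern: a list plus shell=True. On POSIX this becomes
    /bin/sh -c arg_list[0] with the other elements as $0, $1, ..., so the
    program runs without its arguments."""
    return _run(arg_list, shell=True)


def run_list_without_shell(arg_list):
    """The removed line's behaviour: argv is passed to exec unchanged, and
    shell metacharacters inside an element are just characters."""
    return _run(arg_list, shell=False)


def run_string_with_shell(command):
    """shell=True with a single string: the shell parses it, metacharacters
    and all, which is the injection hazard the review points at."""
    return _run(command, shell=True)


def run_joined_with_shell(arg_list):
    """If a shell feature is really needed: quote each element first, then
    hand the shell one string."""
    return _run(shlex.join(arg_list), shell=True)


UNTRUSTED = "hello; echo INJECTED"  # constructed attacker-controlled value

if __name__ == "__main__":
    print(repr(run_list_with_shell(["echo", "hello", "world"])))     # '\n' on POSIX
    print(repr(run_list_without_shell(["echo", "hello", "world"])))  # 'hello world\n'
    print(repr(run_string_with_shell("echo " + UNTRUSTED)))          # 'hello\nINJECTED\n'
    print(repr(run_joined_with_shell(["echo", UNTRUSTED])))          # 'hello; echo INJECTED\n'
    print(repr(run_list_without_shell(["echo", UNTRUSTED])))         # 'hello; echo INJECTED\n'
```

The first call prints only a newline: `echo` ran, but "hello" and "world" became `$0` and `$1` of the shell rather than arguments. The third call shows the second `echo` executing because the shell parsed the `;`; both `shlex.join` and the plain list keep the same text inert.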
| "version": "1.5.0" | ||
| }, | ||
| "sha256Digest": "1ca9b8f1e6d2f526666fe86ca86f7ed8a0b4455ae10df311def0471d3d8467b6" | ||
| } |
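Review bot: deleting this entry removes 1.5.0 from the index, but `setup.py` in the same PR goes back to 1.4.5, a version the index already lists with its own `sha256Digest`. A wheel rebuilt from this branch at 1.4.5 will not carry the digest recorded for the published 1.4.5, and users who already installed 1.5.0 are not offered 1.4.5 because it is lower than what they have. Prefer a new version (1.5.1 or similar) whose HISTORY.rst entry states that it reverts the fragment commands rather than reusing 1.4.5; that also keeps the PR inside the stated guideline of not editing `src/index.json` by hand.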
The PR description states "You only need to update the version information in file setup.py and historical information in file HISTORY.rst in your PR but do not modify src/index.json." However, this PR modifies src/index.json to remove the 1.5.0 entry. While this is appropriate for a revert to remove a problematic version from the index, it creates an inconsistency with the stated guidelines in the PR description. Consider adding a note in the PR description explaining why the index.json was modified in this case.
| if upload_fragment and image_target: | ||
| oras_proxy.attach_fragment_to_image(image_target, out_path) | ||
| elif upload_fragment: | ||
| oras_proxy.push_fragment_to_registry(feed, out_path) |
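Review bot: the `elif upload_fragment:` branch passes `feed` to `push_fragment_to_registry` with no visible check that a feed was supplied, so a call that sets `upload_fragment` without an `image_target` and without a feed reaches the registry client with an empty destination. Validate `feed` before this branch (or raise a clear CLI error when neither `image_target` nor `feed` is given), and state in the help text that `image_target` selects attach-to-image while its absence means push-to-feed, since that choice is now implicit in the order of the `if`/`elif`.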
The reverted logic for upload_fragment has changed behavior: it now requires image_target to be explicitly specified to attach a fragment to an image, otherwise it pushes a standalone fragment to the feed. Users who were relying on the 1.5.0 behavior of automatically attaching to the first image in the input may experience unexpected behavior changes. Consider documenting this behavior change in the HISTORY.rst or providing a migration guide for users upgrading from 1.5.0 back to 1.4.5.
| with tempfile.TemporaryDirectory() as folder: | ||
| filename = os.path.join(folder, "oci.tar") | ||
| filename2 = os.path.join(folder, "oci2.tar") | ||
| filename2 = os.path.join(self.path, "oci2.tar") |
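Review bot: as in the sibling test, `filename2 = os.path.join(self.path, "oci2.tar")` writes the second archive next to the test source while `filename` stays in the temporary `folder`; nothing in this hunk removes `oci2.tar` afterwards, and a fixed name in a shared directory collides when the tests run in parallel. Keep the archive under `folder` (the removed line) or, if it has to be in `self.path`, delete it in a `finally`/`addCleanup` and use a unique name.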
The change in filename2 path from os.path.join(folder, "oci2.tar") to os.path.join(self.path, "oci2.tar") means the tar file will be created in the test directory instead of the temporary directory. This could cause test artifacts to persist in the repository and may lead to race conditions when tests run in parallel. The file should be created in the temporary directory to ensure proper cleanup and avoid conflicts.
This checklist is used to make sure that common guidelines for a pull request are followed.
Related command
#9477 introduced bugs, temporarily revert.
General Guidelines
- Have you run `azdev style <YOUR_EXT>` locally? (`pip install azdev` required)
- Have you run `python scripts/ci/test_index.py -q` locally? (`pip install wheel==0.30.0` required)
For new extensions:
About Extension Publish
There is a pipeline to automatically build, upload and publish extension wheels.
Once your pull request is merged into the main branch, a new pull request will be created to update src/index.json automatically. You only need to update the version information in file setup.py and historical information in file HISTORY.rst in your PR but do not modify src/index.json.