Fix #2237: consider /workspace as a sensitive dir

Signed-off-by: Anthony Dahanne <[email protected]>
buildpacks · Jul 29, 2024 · 825617b · 825617b
1 parent 2aa2cf5
commit 825617b
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 5 deletions.
diff --git a/pkg/client/build_test.go b/pkg/client/build_test.go
@@ -2925,6 +2925,8 @@ api = "0.2"
 						"/cnb/nested",
 						"/layers",
 						"/layers/nested",
+						"/workspace",
+						"/workspace/bindings",
 					} {
 						p := p
 						it(fmt.Sprintf("warns when mounting to '%s'", p), func() {
@@ -2997,7 +2999,7 @@ api = "0.2"
 
 					when("mounting onto cnb spec'd dir", func() {
 						for _, p := range []string{
-							`/cnb`, `/cnb/buildpacks`, `/layers`,
+							`/cnb`, `/cnb/buildpacks`, `/layers`, `/workspace`,
 						} {
 							p := p
 							it(fmt.Sprintf("warns when mounting to '%s'", p), func() {
@@ -3067,7 +3069,7 @@ api = "0.2"
 
 					when("mounting onto cnb spec'd dir", func() {
 						for _, p := range []string{
-							`c:\cnb`, `c:\cnb\buildpacks`, `c:\layers`,
+							`c:\cnb`, `c:\cnb\buildpacks`, `c:\layers`, `c:\workspace`,
 						} {
 							p := p
 							it(fmt.Sprintf("warns when mounting to '%s'", p), func() {

diff --git a/pkg/client/process_volumes.go b/pkg/client/process_volumes.go
@@ -29,9 +29,9 @@ func processVolumes(imgOS string, volumes []string) (processed []string, warning
 			return nil, nil, errors.Wrapf(err, "platform volume %q has invalid format", v)
 		}
 
-		sensitiveDirs := []string{"/cnb", "/layers"}
+		sensitiveDirs := []string{"/cnb", "/layers", "/workspace"}
 		if imgOS == "windows" {
-			sensitiveDirs = []string{`c:/cnb`, `c:\cnb`, `c:/layers`, `c:\layers`}
+			sensitiveDirs = []string{`c:/cnb`, `c:\cnb`, `c:/layers`, `c:\layers`, `c:/workspace`, `c:\workspace`}
 		}
 		for _, p := range sensitiveDirs {
 			if strings.HasPrefix(strings.ToLower(volume.Spec.Target), p) {

diff --git a/pkg/client/process_volumes_darwin.go b/pkg/client/process_volumes_darwin.go
@@ -17,7 +17,7 @@ func processVolumes(imgOS string, volumes []string) (processed []string, warning
 		if err != nil {
 			return nil, nil, err
 		}
-		sensitiveDirs := []string{"/cnb", "/layers"}
+		sensitiveDirs := []string{"/cnb", "/layers", "/workspace"}
 		if imgOS == "windows" {
 			sensitiveDirs = []string{`c:/cnb`, `c:\cnb`, `c:/layers`, `c:\layers`}
 		}