[release/0.11] Update golang CI version + containerd version to v1.6.36

.github/workflows/ci.yml

@@ -4,7 +4,7 @@ on:
   - pull_request
 
 env:
-  GO_VERSION: "1.20.x"
+  GO_VERSION: "1.21.x"
   GOTESTSUM_VERSION: "latest"
 
 jobs:
@@ -38,9 +38,9 @@ jobs:
           # sometimes go cache causes issues with lint
           cache: false
 
-      - uses: golangci/golangci-lint-action@v3
+      - uses: golangci/golangci-lint-action@v6
         with:
-          version: v1.52
+          version: v1.54
           args: >-
             --verbose
             --max-issues-per-linter=0

.github/workflows/release.yml

@@ -5,7 +5,7 @@ on:
       - 'v*'
 
 env:
-  GO_VERSION: "1.18.x"
+  GO_VERSION: "1.21.x"
 
 jobs:
   build:

cmd/containerd-shim-runhcs-v1/pod_test.go

@@ -391,9 +391,6 @@ func Test_pod_DeleteTask_TaskID_Not_Created(t *testing.T) {
 	setupTestTaskInPod(t, p)
 	setupTestTaskInPod(t, p)
 
-	seed := time.Now().UnixNano()
-	source := rand.New(rand.NewSource(seed))
-
-	err := p.KillTask(context.Background(), strconv.Itoa((int)(source.Uint64())), "", 0xf, true)
+	err := p.KillTask(context.Background(), strconv.Itoa(rand.Int()), "", 0xf, true)
 	verifyExpectedError(t, nil, err, errdefs.ErrNotFound)
 }

cmd/containerd-shim-runhcs-v1/task_hcs_test.go

@@ -14,18 +14,16 @@ import (
 
 func setupTestHcsTask(t *testing.T) (*hcsTask, *testShimExec, *testShimExec) {
 	t.Helper()
-	seed := time.Now().UnixNano()
-	source := rand.New(rand.NewSource(seed))
 
-	initExec := newTestShimExec(t.Name(), t.Name(), int(source.Uint64()))
+	initExec := newTestShimExec(t.Name(), t.Name(), int(rand.Int31()))
 	lt := &hcsTask{
 		events: newFakePublisher(),
 		id:     t.Name(),
 		init:   initExec,
 		closed: make(chan struct{}),
 	}
-	secondExecID := strconv.FormatInt((int64)(source.Uint64()), 10)
-	secondExec := newTestShimExec(t.Name(), secondExecID, int(source.Int31()))
+	secondExecID := strconv.Itoa(rand.Int())
+	secondExec := newTestShimExec(t.Name(), secondExecID, int(rand.Int31()))
 	lt.execs.Store(secondExecID, secondExec)
 	return lt, initExec, secondExec
 }

ext4/tar2ext4/tar2ext4.go

@@ -148,7 +148,7 @@ func ConvertTarToExt4(r io.Reader, w io.ReadWriteSeeker, options ...Option) erro
 
 			var typ uint16
 			switch hdr.Typeflag {
-			case tar.TypeReg, tar.TypeRegA:
+			case tar.TypeReg:
 				typ = compactext4.S_IFREG
 			case tar.TypeSymlink:
 				typ = compactext4.S_IFLNK

go.mod

@@ -8,7 +8,7 @@ require (
 	github.com/cenkalti/backoff/v4 v4.2.0
 	github.com/containerd/cgroups v1.1.0
 	github.com/containerd/console v1.0.3
-	github.com/containerd/containerd v1.6.33
+	github.com/containerd/containerd v1.6.36
 	github.com/containerd/errdefs v0.1.0
 	github.com/containerd/go-runc v1.0.0
 	github.com/containerd/ttrpc v1.1.2

go.sum

@@ -215,8 +215,8 @@ github.com/containerd/containerd v1.5.7/go.mod h1:gyvv6+ugqY25TiXxcZC3L5yOeYgEw0
 github.com/containerd/containerd v1.5.8/go.mod h1:YdFSv5bTFLpG2HIYmfqDpSYYTDX+mc5qtSuYx1YUb/s=
 github.com/containerd/containerd v1.6.1/go.mod h1:1nJz5xCZPusx6jJU8Frfct988y0NpumIq9ODB0kLtoE=
 github.com/containerd/containerd v1.6.6/go.mod h1:ZoP1geJldzCVY3Tonoz7b1IXk8rIX0Nltt5QE4OMNk0=
-github.com/containerd/containerd v1.6.33 h1:8FYSFoV3UbizMgX7IKcP0GGAFw4+V3VPLo/CiU765WU=
-github.com/containerd/containerd v1.6.33/go.mod h1:Om5z+jDo6b8RkAxWf0ukj9JrPS/RYdhXNPwkZuuIyMk=
+github.com/containerd/containerd v1.6.36 h1:Bcj0ZXqgIs6GG+YbaKkMX3Dap0JsIVG4UYFOLRo7iX4=
+github.com/containerd/containerd v1.6.36/go.mod h1:gSufNaPbqri6ifEQ3eihFSXoGwqTENkqB7j//aEgE0s=
 github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
 github.com/containerd/continuity v0.0.0-20190815185530-f2a389ac0a02/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
 github.com/containerd/continuity v0.0.0-20191127005431-f65d91d395eb/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=

internal/cmd/io_binary.go

@@ -28,6 +28,8 @@ const (
 	binaryCmdStartTimeout = 10 * time.Second
 )
 
+var ErrUnsafePath = errors.New("path is unsafe")
+
 // NewBinaryIO runs a custom binary process for pluggable shim logging driver.
 //
 // Container's IO will be redirected to the logging driver via named pipes, which are
@@ -122,14 +124,19 @@ func NewBinaryIO(ctx context.Context, id string, uri *url.URL) (_ UpstreamIO, er
 }
 
 // sanitizePath parses the URL object and returns a clean path to the logging driver
-func sanitizePath(uri *url.URL) string {
+func sanitizePath(uri *url.URL) (string, error) {
 	path := filepath.Clean(uri.Path)
 
+	// avoid UNC paths (e.g. `\\server\share\`)
+	if strings.HasPrefix(path, `\\`) {
+		return "", ErrUnsafePath
+	}
+
 	if strings.Contains(path, `:\`) {
-		return strings.TrimPrefix(path, "\\")
+		return strings.TrimPrefix(path, "\\"), nil
 	}
 
-	return path
+	return path, nil
 }
 
 func newBinaryCmd(ctx context.Context, uri *url.URL, envs []string) (*exec.Cmd, error) {
@@ -145,7 +152,10 @@ func newBinaryCmd(ctx context.Context, uri *url.URL, envs []string) (*exec.Cmd,
 		}
 	}
 
-	execPath := sanitizePath(uri)
+	execPath, err := sanitizePath(uri)
+	if err != nil {
+		return nil, err
+	}
 
 	cmd := exec.CommandContext(ctx, execPath, args...)
 	cmd.Env = append(cmd.Env, envs...)

internal/cmd/io_binary_test.go

@@ -4,6 +4,7 @@ package cmd
 
 import (
 	"context"
+	"errors"
 	"net/url"
 	"testing"
 )
@@ -24,11 +25,6 @@ func Test_newBinaryCmd_Key_Value_Pair(t *testing.T) {
 			urlString: "binary:///executable?-key=value",
 			expected:  `\executable -key value`,
 		},
-		{
-			name:      "Path_With_Back_Slashes",
-			urlString: `binary:///\executable?-key=value`,
-			expected:  `\executable -key value`,
-		},
 		{
 			name:      "Clean_Path_With_Dots_And_Multiple_Fwd_Slashes",
 			urlString: "binary:///../path/to///to/../executable",
@@ -70,6 +66,45 @@ func Test_newBinaryCmd_Key_Value_Pair(t *testing.T) {
 	}
 }
 
+func Test_newBinaryCmd_Unsafe_Path(t *testing.T) {
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	type config struct {
+		name          string
+		urlString     string
+		expectedError error
+	}
+
+	for _, cfg := range []*config{
+		{
+			name:          "UNC_Path_With_Back_Slashes",
+			urlString:     `binary:///\server\share\executable`,
+			expectedError: ErrUnsafePath,
+		},
+		{
+			name:          "UNC_Path_With_Forward_Slashes",
+			urlString:     `binary:////server/share/executable`,
+			expectedError: ErrUnsafePath,
+		},
+	} {
+		t.Run(cfg.name, func(t *testing.T) {
+			u, err := url.Parse(cfg.urlString)
+			if err != nil {
+				t.Fatalf("failed to parse url: %s", cfg.urlString)
+			}
+
+			_, err = newBinaryCmd(ctx, u, nil)
+			if err == nil {
+				t.Fatalf("no error was returned")
+			}
+			if !errors.Is(err, cfg.expectedError) {
+				t.Fatalf("expected error: %s, actual: %s", cfg.expectedError, err)
+			}
+		})
+	}
+}
+
 func Test_newBinaryCmd_Empty_Path(t *testing.T) {
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()

internal/cmd/io_npipe.go

@@ -6,7 +6,6 @@ import (
 	"context"
 	"fmt"
 	"io"
-	"math/rand"
 	"net"
 	"sync"
 	"syscall"
@@ -20,11 +19,6 @@ import (
 	"golang.org/x/sys/windows"
 )
 
-func init() {
-	// Need to seed for the rng in backoff.NextBackoff()
-	rand.Seed(time.Now().UnixNano())
-}
-
 // NewNpipeIO creates connected upstream io. It is the callers responsibility to validate that `if terminal == true`, `stderr == ""`. retryTimeout
 // refers to the timeout used to try and reconnect to the server end of the named pipe if the connection is severed. A value of 0 for retryTimeout
 // is treated as an infinite timeout.

internal/winapi/utils.go

@@ -4,7 +4,6 @@ package winapi
 
 import (
 	"errors"
-	"reflect"
 	"syscall"
 	"unsafe"
 
@@ -14,11 +13,7 @@ import (
 // Uint16BufferToSlice wraps a uint16 pointer-and-length into a slice
 // for easier interop with Go APIs
 func Uint16BufferToSlice(buffer *uint16, bufferLength int) (result []uint16) {
-	hdr := (*reflect.SliceHeader)(unsafe.Pointer(&result))
-	hdr.Data = uintptr(unsafe.Pointer(buffer))
-	hdr.Cap = bufferLength
-	hdr.Len = bufferLength
-
+	result = unsafe.Slice(buffer, bufferLength)
 	return
 }
 

test/go.mod

@@ -6,7 +6,7 @@ require (
 	github.com/Microsoft/go-winio v0.6.2
 	github.com/Microsoft/hcsshim v0.10.0-rc.3
 	github.com/containerd/cgroups v1.1.0
-	github.com/containerd/containerd v1.6.33
+	github.com/containerd/containerd v1.6.36
 	github.com/containerd/errdefs v0.1.0
 	github.com/containerd/go-runc v1.0.0
 	github.com/containerd/log v0.1.0

test/go.sum

@@ -271,8 +271,8 @@ github.com/containerd/containerd v1.6.1/go.mod h1:1nJz5xCZPusx6jJU8Frfct988y0Npu
 github.com/containerd/containerd v1.6.6/go.mod h1:ZoP1geJldzCVY3Tonoz7b1IXk8rIX0Nltt5QE4OMNk0=
 github.com/containerd/containerd v1.6.18/go.mod h1:1RdCUu95+gc2v9t3IL+zIlpClSmew7/0YS8O5eQZrOw=
 github.com/containerd/containerd v1.6.23/go.mod h1:UrQOiyzrLi3n4aezYJbQH6Il+YzTvnHFbEuO3yfDrM4=
-github.com/containerd/containerd v1.6.33 h1:8FYSFoV3UbizMgX7IKcP0GGAFw4+V3VPLo/CiU765WU=
-github.com/containerd/containerd v1.6.33/go.mod h1:Om5z+jDo6b8RkAxWf0ukj9JrPS/RYdhXNPwkZuuIyMk=
+github.com/containerd/containerd v1.6.36 h1:Bcj0ZXqgIs6GG+YbaKkMX3Dap0JsIVG4UYFOLRo7iX4=
+github.com/containerd/containerd v1.6.36/go.mod h1:gSufNaPbqri6ifEQ3eihFSXoGwqTENkqB7j//aEgE0s=
 github.com/containerd/continuity v0.0.0-20190815185530-f2a389ac0a02/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
 github.com/containerd/continuity v0.0.0-20191127005431-f65d91d395eb/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
 github.com/containerd/continuity v0.0.0-20200710164510-efbc4488d8fe/go.mod h1:cECdGN1O8G9bgKTlLhuPJimka6Xb/Gg7vYzCTNVxhvo=

vendor/modules.txt

@@ -36,7 +36,7 @@ github.com/containerd/cgroups/stats/v1
 # github.com/containerd/console v1.0.3
 ## explicit; go 1.13
 github.com/containerd/console
-# github.com/containerd/containerd v1.6.33
+# github.com/containerd/containerd v1.6.36
 ## explicit; go 1.19
 github.com/containerd/containerd/api/events
 github.com/containerd/containerd/api/services/ttrpc/events/v1