From 0d1223c91bc0d7d7e99979d4cf7830978cebda53 Mon Sep 17 00:00:00 2001
From: mkosiarc <mkosiarc@redhat.com>
Date: Mon, 1 Jul 2024 10:33:11 +0200
Subject: [PATCH] Check broken symlinks and don't fail on them unnecessarily

Previously, we were using the -f option for the readlink command. This
means that if the symlink was broken (pointing to nonexistent file), the
file path was not evaluated and the readlink command failed which meant
that the git clone task failed as well.

By using the -m option, the symlink path will be evaluated every time.
This means that we will not break builds that contain broken symlinks
pointing to nonexistent files within the directory. However, if the
symlink is pointing to nonexistent file OUTSIDE of the repo, we will
fail the task, as expected to avoid security concerns.

STONEBLD-2492

Signed-off-by: mkosiarc <mkosiarc@redhat.com>
---
 task/git-clone-oci-ta/0.1/git-clone-oci-ta.yaml | 2 +-
 task/git-clone/0.1/git-clone.yaml               | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/task/git-clone-oci-ta/0.1/git-clone-oci-ta.yaml b/task/git-clone-oci-ta/0.1/git-clone-oci-ta.yaml
index ee94e893aa..7e1aa19cc4 100644
--- a/task/git-clone-oci-ta/0.1/git-clone-oci-ta.yaml
+++ b/task/git-clone-oci-ta/0.1/git-clone-oci-ta.yaml
@@ -263,7 +263,7 @@ spec:
         check_symlinks() {
           FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=false
           while read symlink; do
-            target=$(readlink -f "$symlink")
+            target=$(readlink -m "$symlink")
             if ! [[ "$target" =~ ^$CHECKOUT_DIR ]]; then
               echo "The cloned repository contains symlink pointing outside of the cloned repository: $symlink"
               FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=true
diff --git a/task/git-clone/0.1/git-clone.yaml b/task/git-clone/0.1/git-clone.yaml
index 53f101ca77..6fb6735920 100644
--- a/task/git-clone/0.1/git-clone.yaml
+++ b/task/git-clone/0.1/git-clone.yaml
@@ -265,7 +265,7 @@ spec:
         FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=false
         while read symlink
         do
-          target=$(readlink -f "$symlink")
+          target=$(readlink -m "$symlink")
           if ! [[ "$target" =~ ^$CHECKOUT_DIR ]]; then
             echo "The cloned repository contains symlink pointing outside of the cloned repository: $symlink"
             FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=true