Parse the last line of stdout for UID/GID

What does this MR do?

A Docker container can run commands on entrypoint that output to stdout. For example, suppose you had an entrypoint script that does this:

echo "Hello world"

exec "$@"

If FF_DISABLE_UMASK_FOR_DOCKER_EXECUTOR is enabled, this results in an error:

image UID: parsing "id -u" output: strconv.Atoi: parsing "Hello world\n1000": invalid syntax (stderr: )

Fix this by reading the last line of stdout.

This came out of investigation of a failed dast job that was ultimately fixed with https://gitlab.com/gitlab-org/security-products/analyzers/browserker/-/merge_requests/1679.

How to validate locally

  1. I created this entrypoint.sh:

     #!/bin/bash

     echo "Hello world"

     exec "$@"

  2. Run chmod +x entrypoint.sh

  3. Create this Dockerfile:

     FROM registry.gitlab.com/security-products/dast:6

     COPY entrypoint.sh /browserker

  4. docker build . -t test:latest

  5. In my runners.docker config I set:

     [runners.docker]
       helper_image = "docker.io/library/gitlab-runner-helper:local"
       pull_policy = "if-not-present"

  6. Rebuilt the helper and binary and configured a job to use test:latest.
Edited by Stan Hu
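
The failure and the fix described in this merge request, shown as an added Go example. It is not the code from the merge request or from GitLab Runner; the function names `parseWholeOutput` and `parseLastLine` and the sample outputs are constructed for illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// parseWholeOutput (hypothetical name) hands the entire stdout to
// strconv.Atoi, so any line printed by the entrypoint breaks the parse.
func parseWholeOutput(stdout string) (int, error) {
	return strconv.Atoi(strings.TrimSpace(stdout))
}

// parseLastLine (hypothetical name) uses only the last non-empty line of
// stdout. That line is still produced inside the image, so it must parse as a
// non-negative integer before it is treated as a UID or GID.
func parseLastLine(stdout string) (int, error) {
	lines := strings.Split(strings.ReplaceAll(stdout, "\r\n", "\n"), "\n")
	for i := len(lines) - 1; i >= 0; i-- {
		line := strings.TrimSpace(lines[i])
		if line == "" {
			continue // skip trailing blank lines
		}
		id, err := strconv.Atoi(line)
		if err != nil {
			return 0, fmt.Errorf("parsing last line %q: %w", line, err)
		}
		if id < 0 {
			return 0, fmt.Errorf("negative id %d", id)
		}
		return id, nil
	}
	return 0, fmt.Errorf("empty output")
}

func main() {
	// Constructed sample outputs of "id -u" run through different entrypoints.
	samples := []string{"1000\n", "Hello world\n1000\n", "Hello world\n", ""}
	for _, out := range samples {
		_, wholeErr := parseWholeOutput(out)
		last, lastErr := parseLastLine(out)
		fmt.Printf("%q whole-err=%v last=%d last-err=%v\n", out, wholeErr, last, lastErr)
	}
}
```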
