From 24826435f8a34ba556f933447f2ca262fbf240e9 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: Fri, 7 Feb 2025 12:00:41 -0500
Subject: [PATCH] Distinguish --mount=type=cache locations by ownership, too
Normally, we select and distinguish --mount=type=cache directories that we create by either the "id" or "target" value used when mounting them, but we should also be distinguishing them by the "uid" and "gid" flags, or lack thereof.
Signed-off-by: Nalin Dahyabhai
---
 internal/volumes/volumes.go | 13 +++++++++----
 tests/conformance/conformance_test.go | 19 +++++++++++++++++++
 2 files changed, 28 insertions(+), 4 deletions(-)
diff --git a/internal/volumes/volumes.go b/internal/volumes/volumes.go
index 42587f1bb..941d6f953 100644
--- a/internal/volumes/volumes.go
+++ b/internal/volumes/volumes.go
@@ -557,14 +557,19 @@ func GetCacheMount(sys *types.SystemContext, args []string, store storage.Store,
 return newMount, "", "", "", nil, fmt.Errorf("unable to create build cache directory: %w", err)
 }
+ ownerInfo := fmt.Sprintf(":%d:%d", uid, gid)
 if id != "" {
- // Don't let the user control where we place the directory.
- dirID := digest.FromString(id).Encoded()[:16]
+ // Don't let the user try to inject pathname components by directly using
+ // the ID when constructing the cache directory location; distinguish
+ // between caches by ID and ownership
+ dirID := digest.FromString(id + ownerInfo).Encoded()[:16]
 thisCacheRoot = filepath.Join(cacheParent, dirID)
 buildahLockFilesDir = filepath.Join(cacheParent, BuildahCacheLockfileDir, dirID)
 } else {
- // Don't let the user control where we place the directory.
- dirID := digest.FromString(newMount.Destination).Encoded()[:16]
+ // Don't let the user try to inject pathname components by directly using
+ // the target path when constructing the cache directory location;
+ // distinguish between caches by mount target location and ownership
+ dirID := digest.FromString(newMount.Destination + ownerInfo).Encoded()[:16]
 thisCacheRoot = filepath.Join(cacheParent, dirID)
 buildahLockFilesDir = filepath.Join(cacheParent, BuildahCacheLockfileDir, dirID)
 }
diff --git a/tests/conformance/conformance_test.go b/tests/conformance/conformance_test.go
index 40c1cbf01..0e31009e6 100644
--- a/tests/conformance/conformance_test.go
+++ b/tests/conformance/conformance_test.go
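Review bot: Both branches now hash `<key> + ownerInfo` with nothing recording whether the key was an `id` or a target path, so `id=/cache` and an id-less mount at `target=/cache` with the same uid/gid resolve to the same `dirID`. If that fallback is intended (BuildKit documents a missing id as defaulting to the target), say so in the comment, and the duplicated branches can collapse at the same time: `key := id`, `if key == "" { key = newMount.Destination }`, `dirID := digest.FromString(key + ownerInfo).Encoded()[:16]`. Because `ownerInfo` is appended even when no uid/gid flag was given, every cache directory created under the old naming stops matching after this change, which deserves a line in the comment or release notes so operators know the old directories are orphaned. `uid`, `gid` and the rest of GetCacheMount are defined outside this hunk.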
@@ -3455,6 +3455,25 @@ var internalTestCases = []testCase{
 dockerUseBuildKit: true,
 buildArgs: map[string]string{"SOURCE": "e/**/**/*sub/*.txt"},
 },
+ {
+ name: "mount-cache-by-ownership",
+ dockerUseBuildKit: true,
+ dockerfileContents: strings.Join([]string{
+ "FROM mirror.gcr.io/busybox",
+ "USER 10",
+ "RUN --mount=type=cache,uid=10,target=/cache touch /cache/10.txt",
+ "USER 0",
+ "RUN --mount=type=cache,target=/cache touch /cache/0.txt",
+ "RUN mkdir -m 770 /results /results/0 /results/10 /results/0+10",
+ "RUN chown -R 10 /results",
+ "RUN --mount=type=cache,target=/cache cp -a /cache/* /results/0",
+ "USER 10",
+ "RUN --mount=type=cache,uid=10,target=/cache cp -a /cache/* /results/10",
+ "USER 0",
+ "RUN --mount=type=cache,uid=10,target=/cache cp -a /cache/* /results/0+10",
+ "RUN touch -r /bin `find /results -print`",
+ }, "\n"),
+ },
 }
 func TestCommit(t *testing.T) {
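Review bot: The new case only exercises `uid=` on target-keyed caches, so the `id != ""` branch and the `gid` half of `ownerInfo` changed in internal/volumes/volumes.go are not covered by it. A couple more steps in the same Dockerfile would close that, for example (constructed values) `"RUN --mount=type=cache,id=shared,gid=10,target=/cache touch /cache/g10.txt",` followed by a step that mounts `id=shared` without `gid` and records what it sees under `/cache`. The `internalTestCases` slice starts outside this hunk.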