search

camdencheek / tree-sitter-dockerfile

A tree-sitter grammar for Dockerfile
MIT License
71 stars 20 forks source link

Add support for undocumented `LABEL key value` in addition to `LABEL key=value key2=value2` #31

Open mjambon opened 1 year ago

mjambon commented 1 year ago

We're told that docker supports an alternate, undocumented syntax for declaring image labels. This syntax supports at least one key/value pair using whitespace as the separator between the key and the value rather than an equal sign.

LABEL key value

The original report we got for semgrep is here: https://github.com/returntocorp/semgrep/issues/7211

I think it's appropriate to support this feature even though it's not documented because people are using it successfully with docker.

We need to figure out, probably by direct experimentation, whether the following is supported:

camdencheek commented 1 year ago

Sure enough, seems fairly widely used. Based on the parser, it looks like only LABEL key value is supported. No mutiple space-separated pairs and (by extension) no mixed-syntax pairs.

camdencheek commented 1 year ago

If I'm reading that correctly, if the first word (space-delimited or quoted string) does not contain an =, then everything up to the first whitespace (not necessarily the end of the first word 🤔) is the key and everything after the first whitespace is the value.

mjambon commented 1 year ago

Nice. Here's what I tried:

# Test label assignments with these commands:
#
#   id=$(docker build . | tee log | tail -n1 | cut -f3 -d' ') && cat log && docker image inspect --format='' "$id" | grep -A 15 Labels
#

FROM debian

# All the following are valid instructions. Their effect may not be obvious.
LABEL a1=b
LABEL a2 b
LABEL a3 "b c"
LABEL "ab" c
LABEL a4 =b
LABEL a5 = b
LABEL a6 b=c
LABEL a10 "=b"
LABEL a11 b a12 c
LABEL a13 b c

# Errors:
# LABEL "a b" c
# LABEL "a7=b" "a8=c"
# LABEL a9"=b"

Output:

$ id=$(docker build . | tee log | tail -n1 | cut -f3 -d' ') && cat log && docker image inspect --format='' "$id" | grep -A 15 Labels
Sending build context to Docker daemon   2.56kB
Step 1/11 : FROM debian
 ---> 1b686a95ddbf
Step 2/11 : LABEL a1=b
 ---> Using cache
 ---> 62ba9f107457
Step 3/11 : LABEL a2 b
 ---> Using cache
 ---> c50ab8fe7d9c
Step 4/11 : LABEL a3 "b c"
 ---> Using cache
 ---> bfd73ffdbaf7
Step 5/11 : LABEL "ab" c
 ---> Using cache
 ---> e094bd167266
Step 6/11 : LABEL a4 =b
 ---> Using cache
 ---> f1aca2ae6e1a
Step 7/11 : LABEL a5 = b
 ---> Using cache
 ---> df3727083b8c
Step 8/11 : LABEL a6 b=c
 ---> Using cache
 ---> f35523f4dab8
Step 9/11 : LABEL a10 "=b"
 ---> Using cache
 ---> 5154d425bc55
Step 10/11 : LABEL a11 b a12 c
 ---> Using cache
 ---> 5d4e1bb8ac4d
Step 11/11 : LABEL a13 b c
 ---> Using cache
 ---> 913cd2ac4584
Successfully built 913cd2ac4584
            "Labels": {
                "a1": "b",
                "a10": "=b",
                "a11": "b a12 c",
                "a13": "b c",
                "a2": "b",
                "a3": "b c",
                "a4": "=b",
                "a5": "= b",
                "a6": "b=c",
                "ab": "c"
            }
        },
        "DockerVersion": "19.03.12",
        "Author": "",
        "Config": {
--
            "Labels": {
                "a1": "b",
                "a10": "=b",
                "a11": "b a12 c",
                "a13": "b c",
                "a2": "b",
                "a3": "b c",
                "a4": "=b",
                "a5": "= b",
                "a6": "b=c",
                "ab": "c"
            }
        },
        "Architecture": "amd64",
        "Os": "linux",
        "Size": 114059234,