From ea74fa2ba442eacb0812ad5983c305a16b6763bc Mon Sep 17 00:00:00 2001
From: Brad Rydzewski
Date: Fri, 8 Jan 2021 10:32:39 -0500
Subject: [PATCH] reduce restricted volume false positives
---
 engine/compiler/util.go | 22 +++++++++++-----------
 engine/compiler/util_test.go | 20 ++++++++++++++++++++
 2 files changed, 31 insertions(+), 11 deletions(-)
diff --git a/engine/compiler/util.go b/engine/compiler/util.go
index faed8cb..7e8325f 100644
--- a/engine/compiler/util.go
+++ b/engine/compiler/util.go
@@ -147,18 +147,18 @@ func isRestrictedVolume(path string) bool {
 case path == "/":
 case path == "/var":
 case path == "/etc":
- case strings.Contains(path, "/var/run"):
- case strings.Contains(path, "/proc"):
- case strings.Contains(path, "/mount"):
- case strings.Contains(path, "/bin"):
- case strings.Contains(path, "/usr/local/bin"):
- case strings.Contains(path, "/usr/local/sbin"):
- case strings.Contains(path, "/usr/bin"):
- case strings.Contains(path, "/mnt"):
- case strings.Contains(path, "/media"):
+ case strings.HasPrefix(path, "/var/run"):
+ case strings.HasPrefix(path, "/proc"):
+ case strings.HasPrefix(path, "/mount"):
+ case strings.HasPrefix(path, "/bin"):
+ case strings.HasPrefix(path, "/usr/local/bin"):
+ case strings.HasPrefix(path, "/usr/local/sbin"):
+ case strings.HasPrefix(path, "/usr/bin"):
+ case strings.HasPrefix(path, "/mnt"):
+ case strings.HasPrefix(path, "/media"):
 case strings.Contains(path, "/sys"):
- case strings.Contains(path, "/dev"):
- case strings.Contains(path, "/etc/docker"):
+ case strings.HasPrefix(path, "/dev"):
+ case strings.HasPrefix(path, "/etc/docker"):
 default:
 return false
 }
diff --git a/engine/compiler/util_test.go b/engine/compiler/util_test.go
index ba9f3e8..1fa995f 100644
--- a/engine/compiler/util_test.go
+++ b/engine/compiler/util_test.go
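Review bot: The prefix matches introduced in this hunk still have no path-separator boundary, so `strings.HasPrefix(path, "/bin")` restricts `/binaries` and `strings.HasPrefix(path, "/dev")` restricts `/development`, which is the same class of false positive the commit sets out to remove; a one-line helper such as `func hasDirPrefix(path, dir string) bool { return path == dir || strings.HasPrefix(path, dir+"/") }` used in each case would make the match exact. The `/sys` case is the only one left on `strings.Contains`, which looks like an oversight and still rejects any path that merely contains `/sys` (e.g. `/opt/sysconfig`); if it is deliberate, a comment saying why would help the next reader. The expected results in the accompanying tests (`//var/run`, `/var/./run`) only hold if `path` is cleaned before the switch, which lies above the hunk and is not visible here, so that normalization deserves a comment at the top of `isRestrictedVolume`. The list also covers `/var/run` but not `/run`, which on many distributions is the directory `/var/run` links to; adding `case strings.HasPrefix(path, "/run"):` would close that gap, with the caveat that a string check cannot resolve symlinks in general.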
@@ -198,3 +198,23 @@ func Test_removeCloneDeps_CloneEnabled(t *testing.T) {
 t.Log(diff)
 }
 }
+
+func TestIsRestricedVolume(t *testing.T) {
+ tests := map[string]bool{
+ "/var/run": true,
+ "//var/run": true,
+ "/var/run/": true,
+ "/var/run/.": true,
+ "/var/run//": true,
+ "/var/run/test/..": true,
+ "/var/./run": true,
+ "/": true,
+ "/drone": false,
+ "/drone/var/run": false,
+ }
+ for path, ok := range tests {
+ if got, want := isRestrictedVolume(path), ok; got != want {
+ t.Errorf("Want restriced %v for path %q", want, path)
+ }
+ }
+}
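Review bot: The new test's name and failure message are misspelled: `TestIsRestricedVolume` and `"Want restriced %v for path %q"` should read `TestIsRestrictedVolume` and `"Want restricted %v for path %q"`, otherwise `go test -run IsRestricted` will not select it. The table only exercises normalization of `/var/run`; it would pin the prefix semantics the commit introduces if it also covered a sibling directory that shares a prefix, such as `"/binaries"` or `"/var/runner"` with the intended result, and a traversal that presumably cleans into a restricted path, such as `"/drone/../var/run": true`. A negative case near a restricted root, e.g. `"/usr/local/share": false`, would likewise guard against the list over-matching.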