reduce restricted volume false positives

engine/compiler/util.go

@@ -147,18 +147,18 @@ func isRestrictedVolume(path string) bool {
 	case path == "/":
 	case path == "/var":
 	case path == "/etc":
-	case strings.Contains(path, "/var/run"):
+	case strings.HasPrefix(path, "/var/run"):
-	case strings.Contains(path, "/proc"):
+	case strings.HasPrefix(path, "/proc"):
-	case strings.Contains(path, "/mount"):
+	case strings.HasPrefix(path, "/mount"):
-	case strings.Contains(path, "/bin"):
+	case strings.HasPrefix(path, "/bin"):
-	case strings.Contains(path, "/usr/local/bin"):
+	case strings.HasPrefix(path, "/usr/local/bin"):
-	case strings.Contains(path, "/usr/local/sbin"):
+	case strings.HasPrefix(path, "/usr/local/sbin"):
-	case strings.Contains(path, "/usr/bin"):
+	case strings.HasPrefix(path, "/usr/bin"):
-	case strings.Contains(path, "/mnt"):
+	case strings.HasPrefix(path, "/mnt"):
-	case strings.Contains(path, "/media"):
+	case strings.HasPrefix(path, "/media"):
 	case strings.Contains(path, "/sys"):
-	case strings.Contains(path, "/dev"):
+	case strings.HasPrefix(path, "/dev"):
-	case strings.Contains(path, "/etc/docker"):
+	case strings.HasPrefix(path, "/etc/docker"):
 	default:
 		return false
 	}

engine/compiler/util_test.go

@@ -198,3 +198,23 @@ func Test_removeCloneDeps_CloneEnabled(t *testing.T) {
 		t.Log(diff)
 	}
 }
+
+func TestIsRestricedVolume(t *testing.T) {
+	tests := map[string]bool{
+		"/var/run":         true,
+		"//var/run":        true,
+		"/var/run/":        true,
+		"/var/run/.":       true,
+		"/var/run//":       true,
+		"/var/run/test/..": true,
+		"/var/./run":       true,
+		"/":                true,
+		"/drone":           false,
+		"/drone/var/run":   false,
+	}
+	for path, ok := range tests {
+		if got, want := isRestrictedVolume(path), ok; got != want {
+			t.Errorf("Want restriced %v for path %q", want, path)
+		}
+	}
+}