Regression: Referencing relative tasks in pipeline broken in OpenShift Pipelines 1.20.3

[mikem-of]

We have a central repo where we store common tasks and pipelines.
The pipelines reference tasks via relative imports.

apiVersion: tekton.dev/v1
kind: Pipeline
metadata:
  name: test-pipeline
  annotations:
    pipelinesascode.tekton.dev/task: "../../common/tasks/task.yaml"
spec:

Since 1.20.3 this now fails in a PipelineRun in Repo B with the following error:

There was an issue validating the commit: "error getting remote task from pipelinerun annotations: error getting remote task "../../common/tasks/task.yaml": path must not contain '..' due to auth vulnerability issue"

Note that it still works when referencing it from Repo A.

This looks like a regression and is now breaking all CI in our central pipeline repo.

[chmouel]

ack thanks for the detailled bug report we will have a look cc @openshift-pipelines/pipeline-as-code

[theakshaypant]

Spent some time looking at the issue and I believe the regression was introduced by 6e36620.

Per the comment added with the change

	// Only HTTP(S) URLs can serve as base for relative task resolution.
	// Hub catalog references (e.g., "catalog://resource:version") use a
	// different scheme where relative paths are meaningless.

So relative task resolution is only allowed for remote URLs after this change; hence the repo A to repo B works fine as described in the issue.

As for resolution of tasks within the same repo, no relative task resolution is done and taskURL is returned in a relative format. This relative path is used for fetch the file using the provider client; hence the failure of fetching relative task within repo B.

path must not contain '..' due to auth vulnerability issue"

Furthermore, the said commit was added in release-v0.37.7 which is part of downstream 1.20.3.

As a fix, I propose modifying the assembleTaskFQDNs function

diff --git a/pkg/resolve/remote.go b/pkg/resolve/remote.go
index 3b97caa20..36ac49a92 100644
--- a/pkg/resolve/remote.go
+++ b/pkg/resolve/remote.go
@@ -33,11 +33,14 @@ func assembleTaskFQDNs(pipelineURL string, tasks []string) ([]string, error) {
                return tasks, nil // no pipeline URL, return tasks as is
        }
 
-       // Only HTTP(S) URLs can serve as base for relative task resolution.
+       // Only HTTP(S) URLs and repository file paths can serve as base for relative task resolution.
        // Hub catalog references (e.g., "catalog://resource:version") use a
        // different scheme where relative paths are meaningless.
        lowered := strings.ToLower(pipelineURL)
-       if !strings.HasPrefix(lowered, "http://") && !strings.HasPrefix(lowered, "https://") {
+       isHTTP := strings.HasPrefix(lowered, "http://") || strings.HasPrefix(lowered, "https://")
+       isRepoPath := strings.Contains(pipelineURL, "/") && !strings.Contains(pipelineURL, "://")
+
+       if !isHTTP && !isRepoPath {
                return tasks, nil
        }

Ran a very basic script to test this resolution

	remotePipeline := "https://github.com/org/repo/.tekton/csharp/pipelines/pipeline.yaml"
	sameRepoPipeline := ".tekton/csharp/pipelines/pipeline.yaml"
	relativeTask := "../../common/tasks/task.yaml"

	result1, _ := assembleTaskFQDNs_before_6e36620(sameRepoPipeline, []string{relativeTask})
	fmt.Printf("Before 6e36620: same repo pipeline relative task: %v\n", result1)
	result2, _ := assembleTaskFQDNs_before_6e36620(remotePipeline, []string{relativeTask})
	fmt.Printf("Before 6e36620: remote pipeline relative task: %v\n", result2)

	result3, _ := assembleTaskFQDNs(sameRepoPipeline, []string{relativeTask})
	fmt.Printf("same repo pipeline relative task: %v\n", result3)
	result4, _ := assembleTaskFQDNs(remotePipeline, []string{relativeTask})
	fmt.Printf("remote pipeline relative task: %v\n", result4)

	result5, _ := assembleTaskFQDNs_PROPOSED(sameRepoPipeline, []string{relativeTask})
	fmt.Printf("Proposed: same repo pipeline relative task: %v\n", result5)
	result6, _ := assembleTaskFQDNs_PROPOSED(remotePipeline, []string{relativeTask})
	fmt.Printf("Proposed: remote pipeline relative task: %v\n", result6)

akpant@akpant-thinkpadp1gen7:~/code/tekton-pac/tmp$ go run task_resolution.go
Before 6e36620: same repo pipeline relative task: [.tekton/common/tasks/task.yaml]
Before 6e36620: remote pipeline relative task: [https://github.com/org/repo/.tekton/common/tasks/task.yaml]
same repo pipeline relative task: [../../common/tasks/task.yaml]
remote pipeline relative task: [https://github.com/org/repo/.tekton/common/tasks/task.yaml]
Proposed: same repo pipeline relative task: [.tekton/common/tasks/task.yaml]
Proposed: remote pipeline relative task: [https://github.com/org/repo/.tekton/common/tasks/task.yaml]

This change would retain the original intended fix to not allow relative resolution of pipelines in hub catalog while also fixing the resolution.

WDYT @openshift-pipelines/pipeline-as-code ?

[chmouel]

LGTM. this use case should have been handled in my commit, we just need a e2e validating this behaviour for the next refactor, please submit a PR and we can release a fix

[mikem-of]

@chmouel Thanks for picking this up; any idea in what OpenShift Pipelines version this patch will land?

[chmouel]

@mikem-of we don't have an ETA yet but this has been prioritized..

[theakshaypant]

Created downstream ticket to track this SRVKP-11021