From 1bfa7c8fed53c45d33123601d8017a800787efcc Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn <github@gone.nl>
Date: Fri, 19 Jul 2024 21:34:55 +0200
Subject: [PATCH] vendor: github.com/moby/sys/symlink v0.3.0

full diff: https://github.com/moby/sys/compare/symlink/v0.2.0...symlink/v0.3.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
---
 go.mod                                        |  2 +-
 go.sum                                        |  5 +-
 vendor/github.com/moby/sys/symlink/README.md  |  6 --
 vendor/github.com/moby/sys/symlink/doc.go     | 13 +++-
 vendor/github.com/moby/sys/symlink/fs.go      | 70 ++++++++++++-------
 .../github.com/moby/sys/symlink/fs_windows.go | 12 ++++
 vendor/modules.txt                            |  4 +-
 7 files changed, 73 insertions(+), 39 deletions(-)
 delete mode 100644 vendor/github.com/moby/sys/symlink/README.md

diff --git a/go.mod b/go.mod
index 0d70881f1..83512967f 100644
--- a/go.mod
+++ b/go.mod
@@ -46,7 +46,7 @@ require (
 	github.com/moby/sys/mountinfo v0.7.2
 	github.com/moby/sys/sequential v0.5.0
 	github.com/moby/sys/signal v0.7.1
-	github.com/moby/sys/symlink v0.2.0
+	github.com/moby/sys/symlink v0.3.0
 	github.com/moby/sys/user v0.1.0
 	github.com/opencontainers/go-digest v1.0.0
 	github.com/opencontainers/image-spec v1.1.0
diff --git a/go.sum b/go.sum
index 84316ce11..01f1d072a 100644
--- a/go.sum
+++ b/go.sum
@@ -220,8 +220,8 @@ github.com/moby/sys/sequential v0.5.0 h1:OPvI35Lzn9K04PBbCLW0g4LcFAJgHsvXsRyewg5
 github.com/moby/sys/sequential v0.5.0/go.mod h1:tH2cOOs5V9MlPiXcQzRC+eEyab644PWKGRYaaV5ZZlo=
 github.com/moby/sys/signal v0.7.1 h1:PrQxdvxcGijdo6UXXo/lU/TvHUWyPhj7UOpSo8tuvk0=
 github.com/moby/sys/signal v0.7.1/go.mod h1:Se1VGehYokAkrSQwL4tDzHvETwUZlnY7S5XtQ50mQp8=
-github.com/moby/sys/symlink v0.2.0 h1:tk1rOM+Ljp0nFmfOIBtlV3rTDlWOwFRhjEeAhZB0nZc=
-github.com/moby/sys/symlink v0.2.0/go.mod h1:7uZVF2dqJjG/NsClqul95CqKOBRQyYSNnJ6BMgR/gFs=
+github.com/moby/sys/symlink v0.3.0 h1:GZX89mEZ9u53f97npBy4Rc3vJKj7JBDj/PN2I22GrNU=
+github.com/moby/sys/symlink v0.3.0/go.mod h1:3eNdhduHmYPcgsJtZXW1W4XUJdZGBIkttZ8xKqPUJq0=
 github.com/moby/sys/user v0.1.0 h1:WmZ93f5Ux6het5iituh9x2zAG7NFY9Aqi49jjE1PaQg=
 github.com/moby/sys/user v0.1.0/go.mod h1:fKJhFOnsCN6xZ5gSfbM6zaHGgDJMrqt9/reuj4T7MmU=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
@@ -422,7 +422,6 @@ golang.org/x/sys v0.0.0-20200728102440-3e129f6d46b1/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
diff --git a/vendor/github.com/moby/sys/symlink/README.md b/vendor/github.com/moby/sys/symlink/README.md
deleted file mode 100644
index 8dba54fd0..000000000
--- a/vendor/github.com/moby/sys/symlink/README.md
+++ /dev/null
@@ -1,6 +0,0 @@
-Package symlink implements EvalSymlinksInScope which is an extension of filepath.EvalSymlinks,
-as well as a Windows long-path aware version of filepath.EvalSymlinks
-from the [Go standard library](https://golang.org/pkg/path/filepath).
-
-The code from filepath.EvalSymlinks has been adapted in fs.go.
-Please read the LICENSE.BSD file that governs fs.go and LICENSE.APACHE for fs_test.go.
diff --git a/vendor/github.com/moby/sys/symlink/doc.go b/vendor/github.com/moby/sys/symlink/doc.go
index d2de7ecda..7c22ca275 100644
--- a/vendor/github.com/moby/sys/symlink/doc.go
+++ b/vendor/github.com/moby/sys/symlink/doc.go
@@ -1,4 +1,11 @@
-// Package symlink implements EvalSymlinksInScope which is an extension of
-// filepath.EvalSymlinks, as well as a Windows long-path aware version of
-// filepath.EvalSymlinks from the Go standard library (https://golang.org/pkg/path/filepath).
+// Package symlink implements [FollowSymlinkInScope] which is an extension
+// of [path/filepath.EvalSymlinks], as well as a Windows long-path aware
+// version of [path/filepath.EvalSymlinks] from the Go standard library.
+//
+// The code from [path/filepath.EvalSymlinks] has been adapted in fs.go.
+// Read the [LICENSE.BSD] file that governs fs.go and [LICENSE.APACHE] for
+// fs_unix_test.go.
+//
+// [LICENSE.APACHE]: https://github.com/moby/sys/blob/symlink/v0.2.0/symlink/LICENSE.APACHE
+// [LICENSE.BSD]: https://github.com/moby/sys/blob/symlink/v0.2.0/symlink/LICENSE.APACHE
 package symlink
diff --git a/vendor/github.com/moby/sys/symlink/fs.go b/vendor/github.com/moby/sys/symlink/fs.go
index 244b0096b..6b8266138 100644
--- a/vendor/github.com/moby/sys/symlink/fs.go
+++ b/vendor/github.com/moby/sys/symlink/fs.go
@@ -2,7 +2,13 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE.BSD file.
 
-// This code is a modified version of path/filepath/symlink.go from the Go standard library.
+// This code is a modified version of path/filepath/symlink.go from the Go
+// standard library in [docker@fa3ec89], which was based on [go1.3.3],
+// with Windows implementatinos being added in [docker@9b648df].
+//
+// [docker@fa3ec89]: https://github.com/moby/moby/commit/fa3ec89515431ce425f924c8a9a804d5cb18382f
+// [go1.3.3]: https://github.com/golang/go/blob/go1.3.3/src/pkg/path/filepath/symlink.go
+// [docker@9b648df]: https://github.com/moby/moby/commit/9b648dfac6453de5944ee4bb749115d85a253a05
 
 package symlink
 
@@ -14,8 +20,34 @@ import (
 	"strings"
 )
 
-// FollowSymlinkInScope is a wrapper around evalSymlinksInScope that returns an
-// absolute path. This function handles paths in a platform-agnostic manner.
+// FollowSymlinkInScope evaluates symbolic links in "path" within a scope "root"
+// and returns a result guaranteed to be contained within the scope "root" at
+// the time of the call. It returns an error of either "path" or "root" cannot
+// be converted to an absolute path.
+//
+// Symbolic links in "root" are not evaluated and left as-is. Errors encountered
+// while attempting to evaluate symlinks in path are returned, but non-existing
+// paths are valid and do not constitute an error. "path" must contain "root"
+// as a prefix, or else an error is returned. Trying to break out from "root"
+// does not constitute an error, instead resolves the path within "root".
+//
+// Example:
+//
+//	// If "/foo/bar" is a symbolic link to "/outside":
+//	FollowSymlinkInScope("/foo/bar", "/foo") // Returns "/foo/outside" instead of "/outside"
+//
+// IMPORTANT: It is the caller's responsibility to call FollowSymlinkInScope
+// after relevant symbolic links are created to avoid Time-of-check Time-of-use
+// (TOCTOU) race conditions ([CWE-367]). No additional symbolic links must be
+// created after evaluating, as those could potentially make a previously-safe
+// path unsafe.
+//
+// For example, if "/foo/bar" does not exist, FollowSymlinkInScope("/foo/bar", "/foo")
+// evaluates the path to "/foo/bar". If one makes "/foo/bar" a symbolic link to
+// "/baz" subsequently, then "/foo/bar" should no longer be considered safely
+// contained in "/foo".
+//
+// [CWE-367]: https://cwe.mitre.org/data/definitions/367.html
 func FollowSymlinkInScope(path, root string) (string, error) {
 	path, err := filepath.Abs(filepath.FromSlash(path))
 	if err != nil {
@@ -28,23 +60,9 @@ func FollowSymlinkInScope(path, root string) (string, error) {
 	return evalSymlinksInScope(path, root)
 }
 
-// evalSymlinksInScope will evaluate symlinks in `path` within a scope `root` and return
-// a result guaranteed to be contained within the scope `root`, at the time of the call.
-// Symlinks in `root` are not evaluated and left as-is.
-// Errors encountered while attempting to evaluate symlinks in path will be returned.
-// Non-existing paths are valid and do not constitute an error.
-// `path` has to contain `root` as a prefix, or else an error will be returned.
-// Trying to break out from `root` does not constitute an error.
-//
-// Example:
-//   If /foo/bar -> /outside,
-//   FollowSymlinkInScope("/foo/bar", "/foo") == "/foo/outside" instead of "/outside"
-//
-// IMPORTANT: it is the caller's responsibility to call evalSymlinksInScope *after* relevant symlinks
-// are created and not to create subsequently, additional symlinks that could potentially make a
-// previously-safe path, unsafe. Example: if /foo/bar does not exist, evalSymlinksInScope("/foo/bar", "/foo")
-// would return "/foo/bar". If one makes /foo/bar a symlink to /baz subsequently, then "/foo/bar" should
-// no longer be considered safely contained in "/foo".
+// evalSymlinksInScope evaluates symbolic links in "path" within a scope "root"
+// and returns a result guaranteed to be contained within the scope "root" at
+// the time of the call. Refer to [FollowSymlinkInScope] for details.
 func evalSymlinksInScope(path, root string) (string, error) {
 	root = filepath.Clean(root)
 	if path == root {
@@ -132,11 +150,15 @@ func evalSymlinksInScope(path, root string) (string, error) {
 	return filepath.Clean(root + filepath.Clean(string(filepath.Separator)+b.String())), nil
 }
 
+// EvalSymlinks is a modified version of [path/filepath.EvalSymlinks] from
+// the Go standard library with support for Windows long paths (paths prepended
+// with "\\?\"). On non-Windows platforms, it's an alias for [path/filepath.EvalSymlinks].
+//
 // EvalSymlinks returns the path name after the evaluation of any symbolic
-// links.
-// If path is relative the result will be relative to the current directory,
-// unless one of the components is an absolute symbolic link.
-// This version has been updated to support long paths prepended with `\\?\`.
+// links. If path is relative, the result will be relative to the current
+// directory, unless one of the components is an absolute symbolic link.
+//
+// EvalSymlinks calls [path/filepath.Clean] on the result.
 func EvalSymlinks(path string) (string, error) {
 	return evalSymlinks(path)
 }
diff --git a/vendor/github.com/moby/sys/symlink/fs_windows.go b/vendor/github.com/moby/sys/symlink/fs_windows.go
index 87fd1b885..819b72894 100644
--- a/vendor/github.com/moby/sys/symlink/fs_windows.go
+++ b/vendor/github.com/moby/sys/symlink/fs_windows.go
@@ -1,3 +1,15 @@
+// Copyright 2012 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE.BSD file.
+
+// This code is a modified version of [path/filepath/symlink_windows.go]
+// and [path/filepath/symlink.go] from the Go 1.4.2 standard library, and
+// added in [docker@9b648df].
+//
+// [path/filepath/symlink_windows.go]: https://github.com/golang/go/blob/go1.4.2/src/path/filepath/symlink_windows.go
+// [path/filepath/symlink.go]: https://github.com/golang/go/blob/go1.4.2/src/path/filepath/symlink.go
+// [docker@9b648df]: https://github.com/moby/moby/commit/9b648dfac6453de5944ee4bb749115d85a253a05
+
 package symlink
 
 import (
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 120913eaf..f30dc1b2f 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -361,8 +361,8 @@ github.com/moby/sys/sequential
 # github.com/moby/sys/signal v0.7.1
 ## explicit; go 1.17
 github.com/moby/sys/signal
-# github.com/moby/sys/symlink v0.2.0
-## explicit; go 1.16
+# github.com/moby/sys/symlink v0.3.0
+## explicit; go 1.17
 github.com/moby/sys/symlink
 # github.com/moby/sys/user v0.1.0
 ## explicit; go 1.17