Jsonnet parser cannot handle relative imports #939

Open
coord-e opened this issue Apr 11, 2024 · 5 comments · May be fixed by #1044
Labels
enhancement New feature or request

coord-e commented Apr 11, 2024

Jsonnet has an import construct to load other jsonnet files. The following configuration successfully evaluates as follows:

```jsonnet
# config/main.jsonnet
local data = import './data.libsonnet';
{
  data: data
}
```

```jsonnet
# config/data.libsonnet
{
  hello: "world"
}
```

```
$ jsonnet config/main.jsonnet
{
   "data": {
      "hello": "world"
   }
}
```

However, conftest cannot handle relative imports (in directories other than .).

```
$ conftest test config/main.jsonnet
Error: running test: parse configurations: parser unmarshal: evaluate anonymous snippet: RUNTIME ERROR: couldn't open import "./data.libsonnet": no match locally or in the Jsonnet library paths
        1:14-39 thunk <data> from <$>
        3:9-13  object <anonymous>
        Field "data"
        During manifestation
, path: config/main.jsonnet
```

Although the specification does not seem to specify how imported relative paths are resolved, most jsonnet implementations handle these paths as if they're relative to the importing file.

We can work around this with `jsonnet config/main.jsonnet | conftest test -`, but native support is better in the context of data.conftest.file support, nicer error reporting, etc.

Version information

```
$ conftest -v
Conftest: 0.51.0
OPA: 0.63.0
```
@jalseth jalseth added the enhancement New feature or request label Apr 17, 2024
Member

jalseth commented Apr 17, 2024

It seems the current implementation uses the EvaluateAnonymousSnippet function, which is likely the reason it does not attempt to import other files. EvaluateFile also exists, which likely has the desired behavior but doesn't work well with conftest's parser interface. Additional investigation and testing will be needed before we can add this.

Member

jalseth commented Apr 30, 2024

After some testing, it looks like the import path in the jsonnet config is relative to $PWD, not main.jsonnet. If you import ./config/data.libsonnet it works as expected.

@jalseth jalseth closed this as completed Apr 30, 2024
Author

coord-e commented Apr 30, 2024

> it looks like the import path in the jsonnet config is relative to $PWD, not main.jsonnet. If you import ./config/data.libsonnet it works as expected.

That is indeed the behavior of conftest's jsonnet parser, but it isn't that of most jsonnet CLI implementations (such as google/go-jsonnet, google/jsonnet, etc.). My request is to align conftest's import behavior to accept exactly the same jsonnet configuration as the known existing jsonnet implementations accept.

@jalseth jalseth reopened this Apr 30, 2024
Member

jalseth commented Apr 30, 2024

I would welcome a PR.

thevilledev added a commit to thevilledev/conftest that referenced this issue Jan 16, 2025
Fix Jsonnet imports and add path restrictions to prevent unauthorized file
access through import/importstr/importbin directives. Previously relative
imports were not working and arbitrary files could be accessed. With this
implementation imports beyond current working directory are blocked.

Fixes open-policy-agent#939

Signed-off-by: Ville Vesilehto <[email protected]>
thevilledev added a commit to thevilledev/conftest that referenced this issue Jan 16, 2025
Fix Jsonnet imports and add path restrictions to prevent path traversal
through import/importstr/importbin directives. Previously relative
imports were not working and arbitrary files could be accessed. With this
implementation imports beyond current working directory are blocked.

Fixes open-policy-agent#939

Signed-off-by: Ville Vesilehto <[email protected]>
@thevilledev
Contributor

> I would welcome a PR.

I have a proposal in #1044 👍
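
The two behaviours discussed in this thread (resolving an import relative to the importing file, and blocking imports that leave the working directory) can be sketched with the Go standard library alone. This is an added example, not code from conftest, go-jsonnet or #1044; `resolveImport`, its parameters and the `/work` root are assumptions made for illustration, and it generalizes the single `./data.libsonnet` case to `..` and absolute imports.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// resolveImport is a hypothetical helper (not conftest's or go-jsonnet's code).
// root is the directory imports must stay inside, importedFrom is the file that
// contains the import statement, importedPath is the string inside import '...'.
func resolveImport(root, importedFrom, importedPath string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	if !filepath.IsAbs(importedFrom) {
		importedFrom = filepath.Join(absRoot, importedFrom)
	}
	// Resolve against the importing file's directory, as the jsonnet CLIs do,
	// rather than against the process working directory.
	candidate := importedPath
	if !filepath.IsAbs(candidate) {
		candidate = filepath.Join(filepath.Dir(importedFrom), importedPath)
	}
	candidate = filepath.Clean(candidate)
	// Containment check on the cleaned path. Comparing via Rel avoids the
	// prefix mistake where "/work-other" would pass a HasPrefix("/work") test.
	rel, err := filepath.Rel(absRoot, candidate)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("import %q from %q resolves outside %q", importedPath, importedFrom, absRoot)
	}
	// Lexical check only: a symlink inside root can still point outside it.
	return candidate, nil
}

func main() {
	// Constructed sample inputs; "/work" stands in for the working directory.
	for _, imp := range []string{"./data.libsonnet", "../lib/util.libsonnet", "../../etc/passwd", "/etc/passwd"} {
		p, err := resolveImport("/work", "config/main.jsonnet", imp)
		fmt.Printf("%-24s -> %q err=%v\n", imp, p, err)
	}
}
```

A real importer would also need to resolve symlinks on both the root and the candidate before comparing them, which this lexical check does not do.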
