Skip to content

avoid predictable OCI temp store#8853

Open
br0x2 wants to merge 1 commit into
open-policy-agent:mainfrom
br0x2:fix/oci-private-temp-store
Open

avoid predictable OCI temp store#8853
br0x2 wants to merge 1 commit into
open-policy-agent:mainfrom
br0x2:fix/oci-private-temp-store

Conversation

@br0x2

@br0x2 br0x2 commented Jul 3, 2026

Copy link
Copy Markdown

Why the changes in this PR are needed?

The OCI bundle and discovery download paths used a deterministic default
OCI store under the process temp directory when persistence_directory was
not configured. In a shared temp directory, that made the store location
predictable before OPA initialized the local OCI layout.

This PR follows up on a report discussed with the OPA maintainers, where
Anders Eknert confirmed this can be handled as a regular public issue/PR
because it assumes local access to the system.

What are the changes in this PR?

This changes the non-persistent default OCI store handling so OPA no longer
uses a fixed shared temp path for bundle/discovery OCI downloads. When callers
do not provide a store path, download.NewOCI now creates a private temporary
OCI store directory.

The existing persistence_directory behavior is preserved: when configured,
OPA still stores OCI state below <persistence_directory>/oci.

This also adds regression coverage for the default and explicit OCI store path
behavior.

Notes to assist PR review:

Tested with:

GOMODCACHE=/ssd1/CCS/recurbug/verifies/build/go-mod-cache GOCACHE=/tmp/opa-gocache /tmp/opa-go/go/bin/go test ./v1/download ./v1/plugins/bundle ./v1/plugins/discovery

Further comments:

I kept this PR focused on the default non-persistent OCI store path and did
not include unrelated bundle or discovery refactoring.

Signed-off-by: kimdu0 <dino700072@gmail.com>
@sspaink

sspaink commented Jul 6, 2026

Copy link
Copy Markdown
Member

Before this goes further, could you help clarify who wrote the commit?

The PR is opened by the GitHub account br0x2, but the commit is authored and signed off by a different identity — kimdu0 dino700072@gmail.com. Are br0x2 and kimdu0 the same person, or is this being submitted on someone else's behalf? Just want to make sure the sign-off and authorship line up so this is easy to verify per the contributing guidelines.

@br0x2

br0x2 commented Jul 7, 2026

Copy link
Copy Markdown
Author

@sspaink Yes, they are the same person.

I accidentally authored and signed off the commit using my other GitHub identity (kimdu0) while opening the PR from my br0x2 account.
Both accounts belong to me, and the contribution is entirely my own. Sorry for the confusion, and thank you for checking.

FYI, I originally reported this vulnerability via email under the title "OPA default OCI store predictable temp symlink overwrite", and this PR contains the proposed fix.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants