From 42bf3c0e2be754595d0a0dde10e02463b0ceff09 Mon Sep 17 00:00:00 2001
From: Yutaro <34850155+yutaroyamanaka@users.noreply.github.com>
Date: Sat, 1 Apr 2023 08:07:50 +0900
Subject: [PATCH] prevent all uses of YAML aliases from being overwritten by a
 transformer (#5096)

* return copied Node

* add a test case about imageTagTransformer for anchor scenario

* add TestPatchTransformerAnchor

* TestReplacementTransformerAnchor
---
 kyaml/yaml/rnode.go                           |  6 +-
 .../ImageTagTransformer_test.go               | 43 +++++++++++++
 .../patchtransformer/PatchTransformer_test.go | 62 +++++++++++++++++++
 .../ReplacementTransformer_test.go            | 54 ++++++++++++++++
 4 files changed, 164 insertions(+), 1 deletion(-)

diff --git a/kyaml/yaml/rnode.go b/kyaml/yaml/rnode.go
index fc28ba771..266b4153f 100644
--- a/kyaml/yaml/rnode.go
+++ b/kyaml/yaml/rnode.go
@@ -1007,7 +1007,11 @@ func deAnchor(yn *yaml.Node) (res *yaml.Node, err error) {
 	case yaml.ScalarNode:
 		return yn, nil
 	case yaml.AliasNode:
-		return deAnchor(yn.Alias)
+		result, err := deAnchor(yn.Alias)
+		if err != nil {
+			return nil, err
+		}
+		return CopyYNode(result), nil
 	case yaml.MappingNode:
 		toMerge, err := removeMergeTags(yn)
 		if err != nil {
diff --git a/plugin/builtin/imagetagtransformer/ImageTagTransformer_test.go b/plugin/builtin/imagetagtransformer/ImageTagTransformer_test.go
index d7fb18679..0c438948e 100644
--- a/plugin/builtin/imagetagtransformer/ImageTagTransformer_test.go
+++ b/plugin/builtin/imagetagtransformer/ImageTagTransformer_test.go
@@ -409,6 +409,49 @@ spec:
 `)
 }
 
+func TestImageTagTransformerAnchor(t *testing.T) {
+	th := kusttest_test.MakeEnhancedHarness(t).
+		PrepBuiltin("ImageTagTransformer")
+	defer th.Reset()
+
+	rm := th.LoadAndRunTransformer(`
+apiVersion: builtin
+kind: ImageTagTransformer
+metadata:
+  name: notImportantHere
+imageTag:
+  name: nginx
+  newName: my-nginx
+fieldSpecs:
+- path: spec/template/spec/containers[]/image
+`, `
+group: apps
+apiVersion: v1
+kind: Deployment
+metadata:
+  name: &name nginx
+spec:
+  template:
+    spec:
+      containers:
+      - image: *name
+        name: *name
+`)
+	th.AssertActualEqualsExpectedNoIdAnnotations(rm, `
+apiVersion: v1
+group: apps
+kind: Deployment
+metadata:
+  name: nginx
+spec:
+  template:
+    spec:
+      containers:
+      - image: my-nginx
+        name: nginx
+`)
+}
+
 func TestImageTagTransformerTagWithBraces(t *testing.T) {
 	th := kusttest_test.MakeEnhancedHarness(t).
 		PrepBuiltin("ImageTagTransformer")
diff --git a/plugin/builtin/patchtransformer/PatchTransformer_test.go b/plugin/builtin/patchtransformer/PatchTransformer_test.go
index 9f94263d6..619d24c36 100644
--- a/plugin/builtin/patchtransformer/PatchTransformer_test.go
+++ b/plugin/builtin/patchtransformer/PatchTransformer_test.go
@@ -828,3 +828,65 @@ spec:
           protocol: TCP
 `)
 }
+
+func TestPatchTransformerAnchor(t *testing.T) {
+	th := kusttest_test.MakeEnhancedHarness(t).
+		PrepBuiltin("PatchTransformer")
+	defer th.Reset()
+
+	th.RunTransformerAndCheckResult(`
+apiVersion: builtin
+kind: PatchTransformer
+metadata:
+  name: test-transformer
+patch: |-
+  apiVersion: apps/v1
+  kind: Deployment
+  metadata:
+    name: test-deployment
+  spec:
+    selector:
+      matchLabels:
+        app: &name test-label
+    template:
+      metadata:
+        labels:
+          app: *name
+target:
+  kind: Deployment
+  name: test-deployment
+`, `apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: &name test-deployment
+spec:
+  selector:
+    matchLabels:
+      app: *name
+  template:
+    metadata:
+      labels:
+        app: *name
+    spec:
+      containers:
+      - image: test-image
+        name: *name
+`, `
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: test-deployment
+spec:
+  selector:
+    matchLabels:
+      app: test-label
+  template:
+    metadata:
+      labels:
+        app: test-label
+    spec:
+      containers:
+      - image: test-image
+        name: test-deployment
+`)
+}
diff --git a/plugin/builtin/replacementtransformer/ReplacementTransformer_test.go b/plugin/builtin/replacementtransformer/ReplacementTransformer_test.go
index 13bb9a369..c96343d6b 100644
--- a/plugin/builtin/replacementtransformer/ReplacementTransformer_test.go
+++ b/plugin/builtin/replacementtransformer/ReplacementTransformer_test.go
@@ -174,6 +174,60 @@ spec:
 `)
 }
 
+func TestReplacementTransformerAnchor(t *testing.T) {
+	th := kusttest_test.MakeEnhancedHarness(t).
+		PrepBuiltin("ReplacementTransformer")
+	defer th.Reset()
+
+	rm := th.LoadAndRunTransformer(`
+apiVersion: builtin
+kind: ReplacementTransformer
+metadata:
+  name: notImportantHere
+replacements:
+- source:
+    kind: Deployment
+    fieldPath: spec.template.spec.containers.0.name
+  targets:
+  - select:
+      kind: Deployment
+    fieldPaths:
+    - spec.template.spec.containers.1.name
+`, `
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: &name origin
+spec:
+  template:
+    spec:
+      containers:
+      - image: foobar:1
+        name: replaced
+      - image: foobar:1
+        name: *name
+      - image: foobar:1
+        name: *name
+`)
+
+	th.AssertActualEqualsExpected(rm, `
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: origin
+spec:
+  template:
+    spec:
+      containers:
+      - image: foobar:1
+        name: replaced
+      - image: foobar:1
+        name: replaced
+      - image: foobar:1
+        name: origin
+`)
+}
+
 func TestReplacementTransformerComplexType(t *testing.T) {
 	th := kusttest_test.MakeEnhancedHarness(t).
 		PrepBuiltin("ReplacementTransformer")