From e100be620edac7335738c7b22f7a34bf1be165ac Mon Sep 17 00:00:00 2001
From: Natasha Sarkar <natashasarkar@google.com>
Date: Fri, 20 Aug 2021 10:07:32 -0700
Subject: [PATCH] move check for working dir for exec functions

---
 kyaml/fn/runtime/container/container.go      | 15 +++++++++++---
 kyaml/fn/runtime/container/container_test.go | 13 +++++++++++-
 kyaml/fn/runtime/exec/exec.go                | 21 ++++++++++----------
 kyaml/fn/runtime/exec/exec_test.go           |  9 +++++++--
 kyaml/runfn/runfn.go                         |  4 ----
 5 files changed, 42 insertions(+), 20 deletions(-)

diff --git a/kyaml/fn/runtime/container/container.go b/kyaml/fn/runtime/container/container.go
index e36d44ed1..99ad88be3 100644
--- a/kyaml/fn/runtime/container/container.go
+++ b/kyaml/fn/runtime/container/container.go
@@ -5,6 +5,7 @@ package container
 
 import (
 	"fmt"
+	"os"
 
 	runtimeexec "sigs.k8s.io/kustomize/kyaml/fn/runtime/exec"
 	"sigs.k8s.io/kustomize/kyaml/fn/runtime/runtimeutil"
@@ -139,19 +140,27 @@ func (c Filter) GetExit() error {
 }
 
 func (c *Filter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) {
-	c.setupExec()
+	if err := c.setupExec(); err != nil {
+		return nil, err
+	}
 	return c.Exec.Filter(nodes)
 }
 
-func (c *Filter) setupExec() {
+func (c *Filter) setupExec() error {
 	// don't init 2x
 	if c.Exec.Path != "" {
-		return
+		return nil
 	}
+	wd, err := os.Getwd()
+	if err != nil {
+		return err
+	}
+	c.Exec.WorkingDir = wd
 
 	path, args := c.getCommand()
 	c.Exec.Path = path
 	c.Exec.Args = args
+	return nil
 }
 
 // getArgs returns the command + args to run to spawn the container
diff --git a/kyaml/fn/runtime/container/container_test.go b/kyaml/fn/runtime/container/container_test.go
index 4f3ae388a..53cb2b784 100644
--- a/kyaml/fn/runtime/container/container_test.go
+++ b/kyaml/fn/runtime/container/container_test.go
@@ -6,6 +6,8 @@ package container
 import (
 	"bytes"
 	"fmt"
+	"github.com/stretchr/testify/require"
+	"os"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -128,7 +130,7 @@ metadata:
 			instance := NewContainer(tt.containerSpec, tt.UIDGID)
 			instance.Exec.FunctionConfig = cfg
 			instance.Env = append(instance.Env, "KYAML_TEST=FOO")
-			instance.setupExec()
+			assert.NoError(t, instance.setupExec())
 
 			tt.expectedArgs = append(tt.expectedArgs,
 				runtimeutil.NewContainerEnvFromStringSlice(instance.Env).GetDockerFlags()...)
@@ -173,6 +175,8 @@ metadata:
 	instance.Exec.FunctionConfig = cfg
 	instance.Exec.Path = "sed"
 	instance.Exec.Args = []string{"s/Deployment/StatefulSet/g"}
+	instance.Exec.WorkingDir = getWorkingDir(t)
+
 	output, err := instance.Filter(input)
 	if !assert.NoError(t, err) {
 		t.FailNow()
@@ -219,6 +223,7 @@ func TestFilter_ExitCode(t *testing.T) {
 	instance := Filter{}
 	instance.Exec.Path = "/not/real/command"
 	instance.Exec.DeferFailure = true
+	instance.Exec.WorkingDir = getWorkingDir(t)
 	_, err := instance.Filter(nil)
 	if !assert.NoError(t, err) {
 		t.FailNow()
@@ -231,3 +236,9 @@ func TestFilter_ExitCode(t *testing.T) {
 		t.FailNow()
 	}
 }
+
+func getWorkingDir(t *testing.T) string {
+	wd, err := os.Getwd()
+	require.NoError(t, err)
+	return wd
+}
diff --git a/kyaml/fn/runtime/exec/exec.go b/kyaml/fn/runtime/exec/exec.go
index 628d3dac8..f5a0b384c 100644
--- a/kyaml/fn/runtime/exec/exec.go
+++ b/kyaml/fn/runtime/exec/exec.go
@@ -38,16 +38,17 @@ func (c *Filter) Run(reader io.Reader, writer io.Writer) error {
 	cmd.Stdin = reader
 	cmd.Stdout = writer
 	cmd.Stderr = os.Stderr
-	if c.WorkingDir != "" {
-		if !filepath.IsAbs(c.WorkingDir) {
-			return errors.Errorf(
-				"relative working directory %s not allowed", c.WorkingDir)
-		}
-		if c.WorkingDir == "/" {
-			return errors.Errorf(
-				"root working directory '/' not allowed")
-		}
-		cmd.Dir = c.WorkingDir
+	if c.WorkingDir == "" {
+		return errors.Errorf("no working directory set for exec function")
 	}
+	if !filepath.IsAbs(c.WorkingDir) {
+		return errors.Errorf(
+			"relative working directory %s not allowed", c.WorkingDir)
+	}
+	if c.WorkingDir == "/" {
+		return errors.Errorf(
+			"root working directory '/' not allowed")
+	}
+	cmd.Dir = c.WorkingDir
 	return cmd.Run()
 }
diff --git a/kyaml/fn/runtime/exec/exec_test.go b/kyaml/fn/runtime/exec/exec_test.go
index c878ed993..415c98351 100644
--- a/kyaml/fn/runtime/exec/exec_test.go
+++ b/kyaml/fn/runtime/exec/exec_test.go
@@ -4,15 +4,19 @@
 package exec_test
 
 import (
+	"os"
 	"strings"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	"sigs.k8s.io/kustomize/kyaml/fn/runtime/exec"
 	"sigs.k8s.io/kustomize/kyaml/yaml"
 )
 
 func TestFunctionFilter_Filter(t *testing.T) {
+	wd, err := os.Getwd()
+	require.NoError(t, err)
 	var tests = []struct {
 		name           string
 		input          []string
@@ -51,8 +55,9 @@ metadata:
 			},
 			expectedError: "",
 			instance: exec.Filter{
-				Path: "sed",
-				Args: []string{"s/Deployment/StatefulSet/g"},
+				Path:       "sed",
+				Args:       []string{"s/Deployment/StatefulSet/g"},
+				WorkingDir: wd,
 			},
 		},
 	}
diff --git a/kyaml/runfn/runfn.go b/kyaml/runfn/runfn.go
index 05f57f8ff..217156da6 100644
--- a/kyaml/runfn/runfn.go
+++ b/kyaml/runfn/runfn.go
@@ -510,10 +510,6 @@ func (r *RunFns) ffp(spec runtimeutil.FunctionSpec, api *yaml.RNode, currentUser
 	}
 
 	if r.EnableExec && spec.Exec.Path != "" {
-		if r.WorkingDir == "" {
-			return nil, fmt.Errorf("no working directory set for exec function")
-		}
-
 		ef := &exec.Filter{
 			Path:       spec.Exec.Path,
 			WorkingDir: r.WorkingDir,