Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

[BUG] Temporary file leak and race condition in "bridge convert" #13482

Copy link
Copy link
Closed
#13483
Closed
[BUG] Temporary file leak and race condition in "bridge convert"#13482
#13483
Copy link
Labels
kind/bugstatus/0-triage
@htoyoda18

Description

@htoyoda18
htoyoda18
opened on Dec 29, 2025
Issue body actions

Description

The convert function in the bridge package creates a temporary compose.yaml file to be used by transformation containers but fails to remove it after execution. Furthermore, it uses a fixed filename in the system's temporary directory, leading to potential race conditions and execution failures on certain platforms (like macOS).

Steps To Reproduce

  1. Run docker compose bridge convert --output ./out-test on any Compose project.

  2. Check the system temporary directory:
    On macOS: ls -l $TMPDIR/compose.yaml
    On Linux: ls -l /tmp/compose.yaml

  3. Observe that the file exists and contains the marshaled project configuration.

  4. Run the command again and notice it overwrites the same file.

Actual terminal output (macOS):

% docker compose bridge convert --output ./out-test
% ls -l $TMPDIR/compose.yaml
-rw-------@ 1 user  staff  192 Dec 29 21:19 /var/folders/.../T//compose.yaml

Compose Version

version 5.0.1

Docker Environment

Client: Docker Engine - Community
 Version:    28.3.3
 Context:    colima
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.24.0
    Path:     /opt/homebrew/lib/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  5.0.1
    Path:     /opt/homebrew/lib/docker/cli-plugins/docker-compose

Server:
 Containers: 14
  Running: 5
  Paused: 0
  Stopped: 9
 Images: 15
 Server Version: 28.4.0
 Storage Driver: overlayfs
  driver-type: io.containerd.snapshotter.v1
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 CDI spec directories:
  /etc/cdi
  /var/run/cdi
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 05044ec0a9a75232cad458027ca83437aae3f4da
 runc version: v1.2.5-0-g59923ef
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.8.0-64-generic
 Operating System: Ubuntu 24.04.2 LTS
 OSType: linux
 Architecture: aarch64
 CPUs: 2
 Total Memory: 1.913GiB
 Name: colima
 ID: f7110f15-0ae5-441f-94c1-9c8693526124
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  ::1/128
  127.0.0.0/8
 Live Restore Enabled: false

Anything else?

Security Risk: The leaked file contains the full project model, which may include sensitive information if types.WithSecretContent is used during marshaling.

Reactions are currently unavailable

Metadata

Metadata

Assignees

No one assigned

    Labels

    kind/bugstatus/0-triage

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions
      Morty Proxy This is a proxified and sanitized view of the page, visit original site.