
[BUG] Temporary file leak and race condition in "bridge convert" #13482

@htoyoda18

Description

The convert function in the bridge package creates a temporary compose.yaml file to be used by transformation containers but fails to remove it after execution. Furthermore, it uses a fixed filename in the system's temporary directory, leading to potential race conditions and execution failures on certain platforms (like macOS).

Steps To Reproduce

  1. Run docker compose bridge convert --output ./out-test on any Compose project.

  2. Check the system temporary directory:
    On macOS: ls -l $TMPDIR/compose.yaml
    On Linux: ls -l /tmp/compose.yaml

  3. Observe that the file exists and contains the marshaled project configuration.

  4. Run the command again and notice it overwrites the same file.

Actual terminal output (macOS):

% docker compose bridge convert --output ./out-test
% ls -l $TMPDIR/compose.yaml
-rw-------@ 1 user  staff  192 Dec 29 21:19 /var/folders/.../T//compose.yaml

Compose Version

version 5.0.1

Docker Environment

Client: Docker Engine - Community
 Version:    28.3.3
 Context:    colima
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.24.0
    Path:     /opt/homebrew/lib/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  5.0.1
    Path:     /opt/homebrew/lib/docker/cli-plugins/docker-compose

Server:
 Containers: 14
  Running: 5
  Paused: 0
  Stopped: 9
 Images: 15
 Server Version: 28.4.0
 Storage Driver: overlayfs
  driver-type: io.containerd.snapshotter.v1
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 CDI spec directories:
  /etc/cdi
  /var/run/cdi
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 05044ec0a9a75232cad458027ca83437aae3f4da
 runc version: v1.2.5-0-g59923ef
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.8.0-64-generic
 Operating System: Ubuntu 24.04.2 LTS
 OSType: linux
 Architecture: aarch64
 CPUs: 2
 Total Memory: 1.913GiB
 Name: colima
 ID: f7110f15-0ae5-441f-94c1-9c8693526124
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  ::1/128
  127.0.0.0/8
 Live Restore Enabled: false

Anything else?

Security Risk: The leaked file contains the full project model, which may include sensitive information if types.WithSecretContent is used during marshaling.
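To make the two failure modes concrete, here is an added example in Go (not Compose's own bridge code; the function names, the file contents and the simulated overlapping run are hypothetical). `convertFixed` reproduces the pattern the report describes, a fixed `compose.yaml` under the temp directory that is never removed, and `convertScratch` shows the usual fix: a per-invocation directory from `os.MkdirTemp`, the model written inside it with mode 0600, and the directory removed on return. `observe` starts a second conversion while the first one is still using its file and reports what the first run reads back and whether its file survives.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// Illustrative code for the issue above, not the Compose project's implementation.
// Names and file contents are invented for the demonstration.

// convertFixed mirrors the reported pattern: one fixed file name under the
// temp directory, written for a transformation step and never removed.
// Every invocation on the host shares the same path.
func convertFixed(tmpDir string, model []byte, use func(path string) error) error {
	path := filepath.Join(tmpDir, "compose.yaml")
	if err := os.WriteFile(path, model, 0o600); err != nil {
		return err
	}
	return use(path) // no os.Remove: the marshalled model stays on disk
}

// convertScratch is the hardened shape: a per-invocation directory from
// os.MkdirTemp (random suffix, mode 0700), the model written inside it with
// mode 0600, and the whole directory removed once use returns, on both the
// success and the error path.
func convertScratch(tmpDir string, model []byte, use func(path string) error) (err error) {
	dir, err := os.MkdirTemp(tmpDir, "compose-bridge-*")
	if err != nil {
		return err
	}
	defer func() {
		if rmErr := os.RemoveAll(dir); rmErr != nil && err == nil {
			err = rmErr
		}
	}()
	path := filepath.Join(dir, "compose.yaml")
	if werr := os.WriteFile(path, model, 0o600); werr != nil {
		return werr
	}
	return use(path)
}

// observe simulates two overlapping conversions: while the first run's
// transformation step is in progress, a second run with a different model
// starts. It returns what the first run reads back from its own file and
// whether that file still exists once the first run has finished.
func observe(convert func(string, []byte, func(string) error) error, tmpDir string) (seen string, leftBehind bool, err error) {
	var firstPath string
	err = convert(tmpDir, []byte("services: {first: {}}\n"), func(path string) error {
		firstPath = path
		// Second run, interleaved with the first (constructed input).
		if err := convert(tmpDir, []byte("services: {second: {}}\n"), func(string) error { return nil }); err != nil {
			return err
		}
		data, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		seen = string(data)
		return nil
	})
	_, statErr := os.Stat(firstPath)
	leftBehind = statErr == nil
	return seen, leftBehind, err
}

func main() {
	// Use a throwaway directory so the demo itself does not litter $TMPDIR.
	demo, err := os.MkdirTemp("", "bridge-demo-*")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(demo)

	variants := []struct {
		name    string
		convert func(string, []byte, func(string) error) error
	}{
		{"fixed name", convertFixed},
		{"scratch dir", convertScratch},
	}
	for _, v := range variants {
		seen, left, err := observe(v.convert, demo)
		fmt.Printf("%-11s err=%v leftBehind=%v sawOwnModel=%v\n",
			v.name, err, left, seen == "services: {first: {}}\n")
	}
}
```

With the fixed name the first run reads the second run's model back from "its" file and the file is still there afterwards, which is exactly what `ls -l $TMPDIR/compose.yaml` shows in the report; with the scratch directory each run only ever sees its own file and nothing remains. The 0700/0600 modes from `os.MkdirTemp` and `os.WriteFile` also mean another local user cannot read the marshalled model during the short window it does exist, which matters if the model was marshalled with secret content.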
