Add --file_write_strategy to Bazel

[arvi18]

Work towards bazelbuild#24808

RELNOTES: If the new --file_write_strategy flag is set to lazy, files produced by file write actions (e.g. the ones produced by ctx.actions.write and ctx.actions.expand_template) are not written to disk with BwoB unless required by local execution or upon explicit request. The default is eager, which retains the current behavior.

[visz11]

/refacto-test

[refacto-test]

Refacto is reviewing this PR. Please wait for the review comments to be posted.

[refacto-test]

Secure Implementation of Lazy File Writing Strategy

👍 Well Done

Secure Handling of Inline File Content

The implementation correctly handles inline file content with proper digest calculation and validation, preventing potential data tampering.

Proper Error Handling

The code includes appropriate error handling for IO exceptions and properly propagates them with detailed error codes.

Secure Temporary File Management

When files need to be materialized, the implementation uses secure temporary file handling to prevent path traversal issues.

📌 Files Processed

• src/main/java/com/google/devtools/build/lib/actions/BUILD
• src/main/java/com/google/devtools/build/lib/actions/FileArtifactValue.java
• src/main/java/com/google/devtools/build/lib/actions/cache/VirtualActionInput.java
• src/main/java/com/google/devtools/build/lib/analysis/BUILD
• src/main/java/com/google/devtools/build/lib/analysis/actions/DeterministicWriter.java
• src/main/java/com/google/devtools/build/lib/analysis/actions/FileWriteActionContext.java
• src/main/java/com/google/devtools/build/lib/analysis/actions/LocalTemplateExpansionStrategy.java
• src/main/java/com/google/devtools/build/lib/exec/BUILD
• src/main/java/com/google/devtools/build/lib/exec/EagerFileWriteStrategy.java
• src/main/java/com/google/devtools/build/lib/exec/ExecutionOptions.java
• src/main/java/com/google/devtools/build/lib/exec/LazyFileWriteStrategy.java
• src/main/java/com/google/devtools/build/lib/remote/AbstractActionInputPrefetcher.java
• src/main/java/com/google/devtools/build/lib/remote/RemoteActionFileSystem.java
• src/main/java/com/google/devtools/build/lib/remote/RemoteActionInputFetcher.java
• src/main/java/com/google/devtools/build/lib/remote/RemoteExecutionCache.java
• src/main/java/com/google/devtools/build/lib/remote/RemoteOutputChecker.java
• src/main/java/com/google/devtools/build/lib/remote/merkletree/BUILD
• src/main/java/com/google/devtools/build/lib/remote/merkletree/DirectoryTree.java
• src/main/java/com/google/devtools/build/lib/remote/merkletree/DirectoryTreeBuilder.java
• src/main/java/com/google/devtools/build/lib/remote/merkletree/MerkleTree.java
• src/main/java/com/google/devtools/build/lib/runtime/commands/RunCommand.java
• src/main/java/com/google/devtools/build/lib/skyframe/FilesystemValueChecker.java
• src/main/java/com/google/devtools/build/lib/standalone/StandaloneModule.java
• src/main/java/com/google/devtools/build/lib/util/BUILD
• src/main/java/com/google/devtools/build/lib/util/StreamWriter.java
• src/test/java/com/google/devtools/build/lib/buildtool/ConvenienceSymlinkTest.java
• src/test/java/com/google/devtools/build/lib/exec/BUILD
• src/test/java/com/google/devtools/build/lib/exec/EagerFileWriteStrategyTest.java
• src/test/java/com/google/devtools/build/lib/exec/LazyFileWriteStrategyTest.java
• src/test/java/com/google/devtools/build/lib/exec/util/TestExecutorBuilder.java
• src/test/java/com/google/devtools/build/lib/remote/BUILD
• src/test/java/com/google/devtools/build/lib/remote/BuildWithoutTheBytesIntegrationTest.java
• src/test/java/com/google/devtools/build/lib/remote/BuildWithoutTheBytesIntegrationTestBase.java
• src/test/java/com/google/devtools/build/lib/remote/RemoteActionFileSystemTest.java
• src/test/java/com/google/devtools/build/lib/skyframe/FilesystemValueCheckerTest.java

📝 Additional Comments

src/main/java/com/google/devtools/build/lib/actions/FileArtifactValue.java (1)

Potential Timing Attack in Equals Method

The equals method in FileWriteOutputArtifactValue uses Arrays.equals() to compare digests, which does not perform a constant-time comparison. This could potentially be vulnerable to timing attacks if an attacker can measure the time it takes to compare digests. While this is a low risk in most scenarios, it's a security best practice to use constant-time comparisons for cryptographic material.

return Objects.equals(writer, that.writer)
    && size == that.size
    && MessageDigest.isEqual(digest, that.digest);

Standards:

• CWE-208
• A02:2021-Cryptographic Failures

[refacto-test]

Potential Memory Exhaustion in Inline File Handling

The code attempts to allocate a ByteArrayOutputStream with a size potentially as large as Integer.MAX_VALUE. While there is a clamp function to limit the size, this could still lead to memory exhaustion if a malicious or corrupted file has a very large reported size. This could be exploited as a denial of service attack by causing the JVM to run out of memory when processing large files.

Suggested change

	var out = new ByteArrayOutputStream(Math.clamp(getSize(), 0, Integer.MAX_VALUE));
	// Define a reasonable maximum size (e.g., 10MB)
	private static final int MAX_IN_MEMORY_SIZE = 10 * 1024 * 1024;
	var out = new ByteArrayOutputStream(Math.clamp(getSize(), 0, Math.min(MAX_IN_MEMORY_SIZE, Integer.MAX_VALUE)));

Standards

• CWE-400
• A05:2021-Security Misconfiguration

[refacto-test]

Potential Resource Leak in getInputStream Method

The getInputStream method creates a ByteArrayOutputStream, writes to it, and then returns a ByteArrayInputStream without closing the ByteArrayOutputStream. While ByteArrayOutputStream doesn't use system resources that need explicit closing, this pattern could lead to resource leaks with other stream implementations or if the implementation changes in the future. Additionally, the exception handling assumes the writer won't throw if the output stream doesn't, which may not always be true.

Suggested change

	public InputStream getInputStream() {
	// TODO: Avoid materializing the full content in memory by using a variant of
	// Piped{Input,Output}Stream that works well with virtual threads.
	var out = new ByteArrayOutputStream(Math.clamp(getSize(), 0, Integer.MAX_VALUE));
	try {
	writeTo(out);
	} catch (IOException e) {
	// writer is not expected to throw if out doesn't.
	throw new IllegalStateException(e);
	}
	return new ByteArrayInputStream(out.toByteArray());
	}
	public InputStream getInputStream() {
	// TODO: Avoid materializing the full content in memory by using a variant of
	// Piped{Input,Output}Stream that works well with virtual threads.
	try (var out = new ByteArrayOutputStream(Math.clamp(getSize(), 0, Integer.MAX_VALUE))) {
	try {
	writeTo(out);
	return new ByteArrayInputStream(out.toByteArray());
	} catch (IOException e) {
	// writer is not expected to throw if out doesn't.
	throw new IllegalStateException(e);
	}
	}
	}

Standards

• CWE-772
• A06:2021-Vulnerable and Outdated Components