volume mount sandbox should protect against path traversal

The volume mounts for the LXC driver check that the path is not absolute, but a relative path can be passed as the source and that can be used to escape the task directory sandbox in the case where `volumes_enabled` is false (not the default).
hashicorp · Nov 11, 2020 · 14a5673 · 14a5673
1 parent 031735d
commit 14a5673
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 0 deletions.
diff --git a/lxc/lxc.go b/lxc/lxc.go
@@ -163,6 +163,10 @@ func (d *Driver) mountEntries(cfg *drivers.TaskConfig, taskConfig TaskConfig) ([
 		} else {
 			// Relative source paths are treated as relative to alloc dir
 			paths[0] = filepath.Join(cfg.TaskDir().Dir, paths[0])
+			if !volumesEnabled && pathEscapesSandbox(cfg.TaskDir().Dir, paths[0]) {
+				return nil, fmt.Errorf(
+					"bind-mount path escapes task directory but volumes are disabled")
+			}
 		}
 
 		// LXC assumes paths are relative with respect to rootfs
@@ -174,6 +178,17 @@ func (d *Driver) mountEntries(cfg *drivers.TaskConfig, taskConfig TaskConfig) ([
 
 }
 
+func pathEscapesSandbox(sandboxDir, path string) bool {
+	rel, err := filepath.Rel(sandboxDir, path)
+	if err != nil {
+		return true
+	}
+	if strings.HasPrefix(rel, "..") {
+		return true
+	}
+	return false
+}
+
 func (d *Driver) devicesCgroupEntries(cfg *drivers.TaskConfig) ([]string, error) {
 	entries := make([]string, len(cfg.Devices))
 

diff --git a/lxc/lxc_test.go b/lxc/lxc_test.go
@@ -67,6 +67,34 @@ func TestLXCDriver_Mounts(t *testing.T) {
 	}
 }
 
+func TestLXCDriver_BadMounts(t *testing.T) {
+	t.Parallel()
+
+	task := &drivers.TaskConfig{
+		ID:   uuid.Generate(),
+		Name: "test",
+		Mounts: []*drivers.MountConfig{
+			{HostPath: "/dev", TaskPath: "/task-mounts/dev-path"},
+			{HostPath: "/bin/sh", TaskPath: "/task-mounts/task-path-ro", Readonly: true},
+		},
+	}
+	taskConfig := TaskConfig{
+		Template: "busybox",
+		Volumes:  []string{"/absolute/path:/usr-config/container/path"},
+	}
+
+	d := NewLXCDriver(testlog.HCLogger(t)).(*Driver)
+	d.config.Enabled = true
+	d.config.AllowVolumes = false
+
+	_, err := d.mountEntries(task, taskConfig)
+	require.EqualError(t, err, "absolute bind-mount volume in config but volumes are disabled")
+
+	taskConfig.Volumes = []string{"relative/../../../path2:usr-config/container/relative"}
+	_, err = d.mountEntries(task, taskConfig)
+	require.EqualError(t, err, "bind-mount path escapes task directory but volumes are disabled")
+}
+
 func TestLXCDriver_DevicesCgroup(t *testing.T) {
 	t.Parallel()