Skip to content
This repository has been archived by the owner on Oct 14, 2024. It is now read-only.

volume mount sandbox should protect against path traversal #21

Merged
merged 1 commit into from
Nov 11, 2020
Merged

volume mount sandbox should protect against path traversal #21

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 15 additions & 0 deletions lxc/lxc.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -169,6 +169,10 @@ func (d *Driver) mountEntries(cfg *drivers.TaskConfig, taskConfig TaskConfig) ([
} else {
// Relative source paths are treated as relative to alloc dir
paths[0] = filepath.Join(cfg.TaskDir().Dir, paths[0])
if !volumesEnabled && pathEscapesSandbox(cfg.TaskDir().Dir, paths[0]) {
return nil, fmt.Errorf(
"bind-mount path escapes task directory but volumes are disabled")
}
}

// LXC assumes paths are relative with respect to rootfs
Expand All @@ -180,6 +184,17 @@ func (d *Driver) mountEntries(cfg *drivers.TaskConfig, taskConfig TaskConfig) ([

}

func pathEscapesSandbox(sandboxDir, path string) bool {
rel, err := filepath.Rel(sandboxDir, path)
if err != nil {
return true
}
if strings.HasPrefix(rel, "..") {
return true
}
return false
}

func (d *Driver) devicesCgroupEntries(cfg *drivers.TaskConfig) ([]string, error) {
entries := make([]string, len(cfg.Devices))

Expand Down
28 changes: 28 additions & 0 deletions lxc/lxc_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -67,6 +67,34 @@ func TestLXCDriver_Mounts(t *testing.T) {
}
}

func TestLXCDriver_BadMounts(t *testing.T) {
t.Parallel()

task := &drivers.TaskConfig{
ID: uuid.Generate(),
Name: "test",
Mounts: []*drivers.MountConfig{
{HostPath: "/dev", TaskPath: "/task-mounts/dev-path"},
{HostPath: "/bin/sh", TaskPath: "/task-mounts/task-path-ro", Readonly: true},
},
}
taskConfig := TaskConfig{
Template: "busybox",
Volumes: []string{"/absolute/path:/usr-config/container/path"},
}

d := NewLXCDriver(testlog.HCLogger(t)).(*Driver)
d.config.Enabled = true
d.config.AllowVolumes = false

_, err := d.mountEntries(task, taskConfig)
require.EqualError(t, err, "absolute bind-mount volume in config but volumes are disabled")

taskConfig.Volumes = []string{"relative/../../../path2:usr-config/container/relative"}
_, err = d.mountEntries(task, taskConfig)
require.EqualError(t, err, "bind-mount path escapes task directory but volumes are disabled")
notnoop marked this conversation as resolved.
Show resolved Hide resolved
}

func TestLXCDriver_DevicesCgroup(t *testing.T) {
t.Parallel()

Expand Down