|
|
@@ -0,0 +1,208 @@
|
|
|
+package main
|
|
|
+
|
|
|
+import (
|
|
|
+ "fmt"
|
|
|
+ "io/ioutil"
|
|
|
+ "os"
|
|
|
+ "path/filepath"
|
|
|
+ "testing"
|
|
|
+)
|
|
|
+
|
|
|
+const (
|
|
|
+ cpTestPathParent = "/some"
|
|
|
+ cpTestPath = "/some/path"
|
|
|
+ cpTestName = "test"
|
|
|
+ cpFullPath = "/some/path/test"
|
|
|
+
|
|
|
+ cpContainerContents = "holla, i am the container"
|
|
|
+ cpHostContents = "hello, i am the host"
|
|
|
+)
|
|
|
+
|
|
|
+// Test for #5656
|
|
|
+// Check that garbage paths don't escape the container's rootfs
|
|
|
+func TestCpGarbagePath(t *testing.T) {
|
|
|
+ out, exitCode, err := cmd(t, "run", "-d", "busybox", "/bin/sh", "-c", "mkdir -p '"+cpTestPath+"' && echo -n '"+cpContainerContents+"' > "+cpFullPath)
|
|
|
+ if err != nil || exitCode != 0 {
|
|
|
+ t.Fatal("failed to create a container", out, err)
|
|
|
+ }
|
|
|
+
|
|
|
+ cleanedContainerID := stripTrailingCharacters(out)
|
|
|
+ defer deleteContainer(cleanedContainerID)
|
|
|
+
|
|
|
+ out, _, err = cmd(t, "wait", cleanedContainerID)
|
|
|
+ if err != nil || stripTrailingCharacters(out) != "0" {
|
|
|
+ t.Fatal("failed to set up container", out, err)
|
|
|
+ }
|
|
|
+
|
|
|
+ if err := os.MkdirAll(cpTestPath, os.ModeDir); err != nil {
|
|
|
+ t.Fatal(err)
|
|
|
+ }
|
|
|
+
|
|
|
+ hostFile, err := os.Create(cpFullPath)
|
|
|
+ if err != nil {
|
|
|
+ t.Fatal(err)
|
|
|
+ }
|
|
|
+ defer hostFile.Close()
|
|
|
+ defer os.RemoveAll(cpTestPathParent)
|
|
|
+
|
|
|
+ fmt.Fprintf(hostFile, "%s", cpHostContents)
|
|
|
+
|
|
|
+ tmpdir, err := ioutil.TempDir("", "docker-integration")
|
|
|
+ if err != nil {
|
|
|
+ t.Fatal(err)
|
|
|
+ }
|
|
|
+
|
|
|
+ tmpname := filepath.Join(tmpdir, cpTestName)
|
|
|
+ defer os.RemoveAll(tmpdir)
|
|
|
+
|
|
|
+ path := filepath.Join("../../../../../../../../../../../../", cpFullPath)
|
|
|
+
|
|
|
+ _, _, err = cmd(t, "cp", cleanedContainerID+":"+path, tmpdir)
|
|
|
+ if err != nil {
|
|
|
+ t.Fatalf("couldn't copy from garbage path: %s:%s %s", cleanedContainerID, path, err)
|
|
|
+ }
|
|
|
+
|
|
|
+ file, _ := os.Open(tmpname)
|
|
|
+ defer file.Close()
|
|
|
+
|
|
|
+ test, err := ioutil.ReadAll(file)
|
|
|
+ if err != nil {
|
|
|
+ t.Fatal(err)
|
|
|
+ }
|
|
|
+
|
|
|
+ if string(test) == cpHostContents {
|
|
|
+ t.Errorf("output matched host file -- garbage path can escape container rootfs")
|
|
|
+ }
|
|
|
+
|
|
|
+ if string(test) != cpContainerContents {
|
|
|
+ t.Errorf("output doesn't match the input for garbage path")
|
|
|
+ }
|
|
|
+
|
|
|
+ logDone("cp - garbage paths relative to container's rootfs")
|
|
|
+}
|
|
|
+
|
|
|
+// Check that relative paths are relative to the container's rootfs
|
|
|
+func TestCpRelativePath(t *testing.T) {
|
|
|
+ out, exitCode, err := cmd(t, "run", "-d", "busybox", "/bin/sh", "-c", "mkdir -p '"+cpTestPath+"' && echo -n '"+cpContainerContents+"' > "+cpFullPath)
|
|
|
+ if err != nil || exitCode != 0 {
|
|
|
+ t.Fatal("failed to create a container", out, err)
|
|
|
+ }
|
|
|
+
|
|
|
+ cleanedContainerID := stripTrailingCharacters(out)
|
|
|
+ defer deleteContainer(cleanedContainerID)
|
|
|
+
|
|
|
+ out, _, err = cmd(t, "wait", cleanedContainerID)
|
|
|
+ if err != nil || stripTrailingCharacters(out) != "0" {
|
|
|
+ t.Fatal("failed to set up container", out, err)
|
|
|
+ }
|
|
|
+
|
|
|
+ if err := os.MkdirAll(cpTestPath, os.ModeDir); err != nil {
|
|
|
+ t.Fatal(err)
|
|
|
+ }
|
|
|
+
|
|
|
+ hostFile, err := os.Create(cpFullPath)
|
|
|
+ if err != nil {
|
|
|
+ t.Fatal(err)
|
|
|
+ }
|
|
|
+ defer hostFile.Close()
|
|
|
+ defer os.RemoveAll(cpTestPathParent)
|
|
|
+
|
|
|
+ fmt.Fprintf(hostFile, "%s", cpHostContents)
|
|
|
+
|
|
|
+ tmpdir, err := ioutil.TempDir("", "docker-integration")
|
|
|
+
|
|
|
+ if err != nil {
|
|
|
+ t.Fatal(err)
|
|
|
+ }
|
|
|
+
|
|
|
+ tmpname := filepath.Join(tmpdir, cpTestName)
|
|
|
+ defer os.RemoveAll(tmpdir)
|
|
|
+
|
|
|
+ path, _ := filepath.Rel("/", cpFullPath)
|
|
|
+
|
|
|
+ _, _, err = cmd(t, "cp", cleanedContainerID+":"+path, tmpdir)
|
|
|
+ if err != nil {
|
|
|
+ t.Fatalf("couldn't copy from relative path: %s:%s %s", cleanedContainerID, path, err)
|
|
|
+ }
|
|
|
+
|
|
|
+ file, _ := os.Open(tmpname)
|
|
|
+ defer file.Close()
|
|
|
+
|
|
|
+ test, err := ioutil.ReadAll(file)
|
|
|
+ if err != nil {
|
|
|
+ t.Fatal(err)
|
|
|
+ }
|
|
|
+
|
|
|
+ if string(test) == cpHostContents {
|
|
|
+ t.Errorf("output matched host file -- relative path can escape container rootfs")
|
|
|
+ }
|
|
|
+
|
|
|
+ if string(test) != cpContainerContents {
|
|
|
+ t.Errorf("output doesn't match the input for relative path")
|
|
|
+ }
|
|
|
+
|
|
|
+ logDone("cp - relative paths relative to container's rootfs")
|
|
|
+}
|
|
|
+
|
|
|
+// Check that absolute paths are relative to the container's rootfs
|
|
|
+func TestCpAbsolutePath(t *testing.T) {
|
|
|
+ out, exitCode, err := cmd(t, "run", "-d", "busybox", "/bin/sh", "-c", "mkdir -p '"+cpTestPath+"' && echo -n '"+cpContainerContents+"' > "+cpFullPath)
|
|
|
+ if err != nil || exitCode != 0 {
|
|
|
+ t.Fatal("failed to create a container", out, err)
|
|
|
+ }
|
|
|
+
|
|
|
+ cleanedContainerID := stripTrailingCharacters(out)
|
|
|
+ defer deleteContainer(cleanedContainerID)
|
|
|
+
|
|
|
+ out, _, err = cmd(t, "wait", cleanedContainerID)
|
|
|
+ if err != nil || stripTrailingCharacters(out) != "0" {
|
|
|
+ t.Fatal("failed to set up container", out, err)
|
|
|
+ }
|
|
|
+
|
|
|
+ if err := os.MkdirAll(cpTestPath, os.ModeDir); err != nil {
|
|
|
+ t.Fatal(err)
|
|
|
+ }
|
|
|
+
|
|
|
+ hostFile, err := os.Create(cpFullPath)
|
|
|
+ if err != nil {
|
|
|
+ t.Fatal(err)
|
|
|
+ }
|
|
|
+ defer hostFile.Close()
|
|
|
+ defer os.RemoveAll(cpTestPathParent)
|
|
|
+
|
|
|
+ fmt.Fprintf(hostFile, "%s", cpHostContents)
|
|
|
+
|
|
|
+ tmpdir, err := ioutil.TempDir("", "docker-integration")
|
|
|
+
|
|
|
+ if err != nil {
|
|
|
+ t.Fatal(err)
|
|
|
+ }
|
|
|
+
|
|
|
+ tmpname := filepath.Join(tmpdir, cpTestName)
|
|
|
+ defer os.RemoveAll(tmpdir)
|
|
|
+
|
|
|
+ path := cpFullPath
|
|
|
+
|
|
|
+ _, _, err = cmd(t, "cp", cleanedContainerID+":"+path, tmpdir)
|
|
|
+ if err != nil {
|
|
|
+ t.Fatalf("couldn't copy from absolute path: %s:%s %s", cleanedContainerID, path, err)
|
|
|
+ }
|
|
|
+
|
|
|
+ file, _ := os.Open(tmpname)
|
|
|
+ defer file.Close()
|
|
|
+
|
|
|
+ test, err := ioutil.ReadAll(file)
|
|
|
+ if err != nil {
|
|
|
+ t.Fatal(err)
|
|
|
+ }
|
|
|
+
|
|
|
+ if string(test) == cpHostContents {
|
|
|
+ t.Errorf("output matched host file -- absolute path can escape container rootfs")
|
|
|
+ }
|
|
|
+
|
|
|
+ if string(test) != cpContainerContents {
|
|
|
+ t.Errorf("output doesn't match the input for absolute path")
|
|
|
+ }
|
|
|
+
|
|
|
+ logDone("cp - absolute paths relative to container's rootfs")
|
|
|
+}
|
cyphar