We use cookies to ensure you get the best experience on our website
首頁 探索 說明
註冊 登入
0ct0pu5
/
moby
1
0
複刻 0
檔案 問題管理 0 合併請求 0 Wiki
目錄樹: d089b63937
分支列表 標籤列表
moby
/
pkg
/
chrootarchive
/
archive_unix_test.go

archive_unix_test.go 2.5 KB
文件歷史 原始文件

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677 
  1. // +build !windows
    2. 

  2. 

  3. package chrootarchive
    4. 

  4. 

  5. import (
    6. 

  6. 	"bytes"
    7. 

  7. 	"io"
    8. 

  8. 	"io/ioutil"
    9. 

  9. 	"os"
    10. 

  10. 	"path/filepath"
    11. 

  11. 	"testing"
    12. 

  12. 

  13. 	"github.com/docker/docker/pkg/archive"
    14. 

  14. 	"golang.org/x/sys/unix"
    15. 

  15. 	"gotest.tools/assert"
    16. 

  16. )
    17. 

  17. 

  18. // Test for CVE-2018-15664
    19. 

  19. // Assures that in the case where an "attacker" controlled path is a symlink to
    20. 

  20. // some path outside of a container's rootfs that we do not copy data to a
    21. 

  21. // container path that will actually overwrite data on the host
    22. 

  22. func TestUntarWithMaliciousSymlinks(t *testing.T) {
    23. 

  23. 	dir, err := ioutil.TempDir("", t.Name())
    24. 

  24. 	assert.NilError(t, err)
    25. 

  25. 	defer os.RemoveAll(dir)
    26. 

  26. 

  27. 	root := filepath.Join(dir, "root")
    28. 

  28. 

  29. 	err = os.MkdirAll(root, 0755)
    30. 

  30. 	assert.NilError(t, err)
    31. 

  31. 

  32. 	// Add a file into a directory above root
    33. 

  33. 	// Ensure that we can't access this file while tarring.
    34. 

  34. 	err = ioutil.WriteFile(filepath.Join(dir, "host-file"), []byte("I am a host file"), 0644)
    35. 

  35. 	assert.NilError(t, err)
    36. 

  36. 

  37. 	// Create some data which which will be copied into the "container" root into
    38. 

  38. 	// the symlinked path.
    39. 

  39. 	// Before this change, the copy would overwrite the "host" content.
    40. 

  40. 	// With this change it should not.
    41. 

  41. 	data := filepath.Join(dir, "data")
    42. 

  42. 	err = os.MkdirAll(data, 0755)
    43. 

  43. 	assert.NilError(t, err)
    44. 

  44. 	err = ioutil.WriteFile(filepath.Join(data, "local-file"), []byte("pwn3d"), 0644)
    45. 

  45. 	assert.NilError(t, err)
    46. 

  46. 

  47. 	safe := filepath.Join(root, "safe")
    48. 

  48. 	err = unix.Symlink(dir, safe)
    49. 

  49. 	assert.NilError(t, err)
    50. 

  50. 

  51. 	rdr, err := archive.TarWithOptions(data, &archive.TarOptions{IncludeFiles: []string{"local-file"}, RebaseNames: map[string]string{"local-file": "host-file"}})
    52. 

  52. 	assert.NilError(t, err)
    53. 

  53. 

  54. 	// Use tee to test both the good case and the bad case w/o recreating the archive
    55. 

  55. 	bufRdr := bytes.NewBuffer(nil)
    56. 

  56. 	tee := io.TeeReader(rdr, bufRdr)
    57. 

  57. 

  58. 	err = UntarWithRoot(tee, safe, nil, root)
    59. 

  59. 	assert.Assert(t, err != nil)
    60. 

  60. 	assert.ErrorContains(t, err, "open /safe/host-file: no such file or directory")
    61. 

  61. 

  62. 	// Make sure the "host" file is still in tact
    63. 

  63. 	// Before the fix the host file would be overwritten
    64. 

  64. 	hostData, err := ioutil.ReadFile(filepath.Join(dir, "host-file"))
    65. 

  65. 	assert.NilError(t, err)
    66. 

  66. 	assert.Equal(t, string(hostData), "I am a host file")
    67. 

  67. 

  68. 	// Now test by chrooting to an attacker controlled path
    69. 

  69. 	// This should succeed as is and overwrite a "host" file
    70. 

  70. 	// Note that this would be a mis-use of this function.
    71. 

  71. 	err = UntarWithRoot(bufRdr, safe, nil, safe)
    72. 

  72. 	assert.NilError(t, err)
    73. 

  73. 

  74. 	hostData, err = ioutil.ReadFile(filepath.Join(dir, "host-file"))
    75. 

  75. 	assert.NilError(t, err)
    76. 

  76. 	assert.Equal(t, string(hostData), "pwn3d")
    77. 

  77. }
    78.

Contact | Legal | Takedown | Status
Self-hosted public services - About
NibbleSpot by 0ct0pu5