2018-02-05 21:05:59 +00:00
|
|
|
package client // import "github.com/docker/docker/client"
|
2016-09-06 18:46:37 +00:00
|
|
|
|
|
|
|
import (
|
2017-05-15 19:59:15 +00:00
|
|
|
"bufio"
|
2018-04-19 22:30:59 +00:00
|
|
|
"context"
|
2016-09-06 18:46:37 +00:00
|
|
|
"crypto/tls"
|
|
|
|
"fmt"
|
|
|
|
"net"
|
2016-10-31 16:39:38 +00:00
|
|
|
"net/http"
|
2016-09-06 18:46:37 +00:00
|
|
|
"net/http/httputil"
|
|
|
|
"net/url"
|
|
|
|
"time"
|
|
|
|
|
|
|
|
"github.com/docker/docker/api/types"
|
2019-08-28 11:46:32 +00:00
|
|
|
"github.com/docker/docker/api/types/versions"
|
2016-09-06 18:46:37 +00:00
|
|
|
"github.com/docker/go-connections/sockets"
|
2017-05-15 19:59:15 +00:00
|
|
|
"github.com/pkg/errors"
|
2016-09-06 18:46:37 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
// postHijacked sends a POST request and hijacks the connection.
|
|
|
|
func (cli *Client) postHijacked(ctx context.Context, path string, query url.Values, body interface{}, headers map[string][]string) (types.HijackedResponse, error) {
|
|
|
|
bodyEncoded, err := encodeData(body)
|
|
|
|
if err != nil {
|
|
|
|
return types.HijackedResponse{}, err
|
|
|
|
}
|
|
|
|
|
2019-04-08 12:14:07 +00:00
|
|
|
apiPath := cli.getAPIPath(ctx, path, query)
|
2019-10-12 18:41:14 +00:00
|
|
|
req, err := http.NewRequest(http.MethodPost, apiPath, bodyEncoded)
|
2016-09-06 18:46:37 +00:00
|
|
|
if err != nil {
|
|
|
|
return types.HijackedResponse{}, err
|
|
|
|
}
|
2016-10-31 16:39:38 +00:00
|
|
|
req = cli.addHeaders(req, headers)
|
2016-09-06 18:46:37 +00:00
|
|
|
|
2019-08-28 11:46:32 +00:00
|
|
|
conn, mediaType, err := cli.setupHijackConn(ctx, req, "tcp")
|
2016-09-06 18:46:37 +00:00
|
|
|
if err != nil {
|
|
|
|
return types.HijackedResponse{}, err
|
|
|
|
}
|
|
|
|
|
2019-08-28 11:46:32 +00:00
|
|
|
return types.NewHijackedResponse(conn, mediaType), err
|
2016-09-06 18:46:37 +00:00
|
|
|
}
|
|
|
|
|
2019-04-02 04:08:16 +00:00
|
|
|
// DialHijack returns a hijacked connection with negotiated protocol proto.
|
|
|
|
func (cli *Client) DialHijack(ctx context.Context, url, proto string, meta map[string][]string) (net.Conn, error) {
|
2019-10-12 18:41:14 +00:00
|
|
|
req, err := http.NewRequest(http.MethodPost, url, nil)
|
2019-04-02 04:08:16 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
req = cli.addHeaders(req, meta)
|
|
|
|
|
2019-08-28 11:46:32 +00:00
|
|
|
conn, _, err := cli.setupHijackConn(ctx, req, proto)
|
|
|
|
return conn, err
|
2019-04-02 04:08:16 +00:00
|
|
|
}
|
|
|
|
|
2018-03-19 08:33:06 +00:00
|
|
|
// fallbackDial is used when WithDialer() was not called.
|
|
|
|
// See cli.Dialer().
|
|
|
|
func fallbackDial(proto, addr string, tlsConfig *tls.Config) (net.Conn, error) {
|
2016-09-06 18:46:37 +00:00
|
|
|
if tlsConfig != nil && proto != "unix" && proto != "npipe" {
|
2018-03-23 18:39:30 +00:00
|
|
|
return tls.Dial(proto, addr, tlsConfig)
|
2016-09-06 18:46:37 +00:00
|
|
|
}
|
|
|
|
if proto == "npipe" {
|
|
|
|
return sockets.DialPipe(addr, 32*time.Second)
|
|
|
|
}
|
|
|
|
return net.Dial(proto, addr)
|
|
|
|
}
|
2017-05-15 19:59:15 +00:00
|
|
|
|
2019-08-28 11:46:32 +00:00
|
|
|
func (cli *Client) setupHijackConn(ctx context.Context, req *http.Request, proto string) (net.Conn, string, error) {
|
client: define a "dummy" hostname to use for local connections
For local communications (npipe://, unix://), the hostname is not used,
but we need valid and meaningful hostname.
The current code used the client's `addr` as hostname in some cases, which
could contain the path for the unix-socket (`/var/run/docker.sock`), which
gets rejected by go1.20.6 and go1.19.11 because of a security fix for
[CVE-2023-29406 ][1], which was implemented in https://go.dev/issue/60374.
Prior versions go Go would clean the host header, and strip slashes in the
process, but go1.20.6 and go1.19.11 no longer do, and reject the host
header.
This patch introduces a `DummyHost` const, and uses this dummy host for
cases where we don't need an actual hostname.
Before this patch (using go1.20.6):
make GO_VERSION=1.20.6 TEST_FILTER=TestAttach test-integration
=== RUN TestAttachWithTTY
attach_test.go:46: assertion failed: error is not nil: http: invalid Host header
--- FAIL: TestAttachWithTTY (0.11s)
=== RUN TestAttachWithoutTTy
attach_test.go:46: assertion failed: error is not nil: http: invalid Host header
--- FAIL: TestAttachWithoutTTy (0.02s)
FAIL
With this patch applied:
make GO_VERSION=1.20.6 TEST_FILTER=TestAttach test-integration
INFO: Testing against a local daemon
=== RUN TestAttachWithTTY
--- PASS: TestAttachWithTTY (0.12s)
=== RUN TestAttachWithoutTTy
--- PASS: TestAttachWithoutTTy (0.02s)
PASS
[1]: https://github.com/advisories/GHSA-f8f7-69v5-w4vx
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 92975f0c11f0566cc3c36659f5e3bb9faf5cb176)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-12 12:15:38 +00:00
|
|
|
req.URL.Host = cli.addr
|
|
|
|
if cli.proto == "unix" || cli.proto == "npipe" {
|
|
|
|
// Override host header for non-tcp connections.
|
|
|
|
req.Host = DummyHost
|
|
|
|
}
|
2017-05-15 19:59:15 +00:00
|
|
|
req.Header.Set("Connection", "Upgrade")
|
|
|
|
req.Header.Set("Upgrade", proto)
|
|
|
|
|
2018-03-19 08:33:06 +00:00
|
|
|
dialer := cli.Dialer()
|
|
|
|
conn, err := dialer(ctx)
|
2017-05-15 19:59:15 +00:00
|
|
|
if err != nil {
|
2019-08-28 11:46:32 +00:00
|
|
|
return nil, "", errors.Wrap(err, "cannot connect to the Docker daemon. Is 'docker daemon' running on this host?")
|
2017-05-15 19:59:15 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// When we set up a TCP connection for hijack, there could be long periods
|
|
|
|
// of inactivity (a long running command with no output) that in certain
|
|
|
|
// network setups may cause ECONNTIMEOUT, leaving the client in an unknown
|
|
|
|
// state. Setting TCP KeepAlive on the socket connection will prohibit
|
|
|
|
// ECONNTIMEOUT unless the socket connection truly is broken
|
|
|
|
if tcpConn, ok := conn.(*net.TCPConn); ok {
|
|
|
|
tcpConn.SetKeepAlive(true)
|
|
|
|
tcpConn.SetKeepAlivePeriod(30 * time.Second)
|
|
|
|
}
|
|
|
|
|
|
|
|
clientconn := httputil.NewClientConn(conn, nil)
|
|
|
|
defer clientconn.Close()
|
|
|
|
|
|
|
|
// Server hijacks the connection, error 'connection closed' expected
|
|
|
|
resp, err := clientconn.Do(req)
|
2019-09-11 17:19:10 +00:00
|
|
|
|
2019-10-12 14:52:08 +00:00
|
|
|
//nolint:staticcheck // ignore SA1019 for connecting to old (pre go1.8) daemons
|
2017-07-26 05:46:41 +00:00
|
|
|
if err != httputil.ErrPersistEOF {
|
|
|
|
if err != nil {
|
2019-08-28 11:46:32 +00:00
|
|
|
return nil, "", err
|
2017-07-26 05:46:41 +00:00
|
|
|
}
|
|
|
|
if resp.StatusCode != http.StatusSwitchingProtocols {
|
|
|
|
resp.Body.Close()
|
2019-08-28 11:46:32 +00:00
|
|
|
return nil, "", fmt.Errorf("unable to upgrade to %s, received %d", proto, resp.StatusCode)
|
2017-07-26 05:46:41 +00:00
|
|
|
}
|
2017-05-15 19:59:15 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
c, br := clientconn.Hijack()
|
|
|
|
if br.Buffered() > 0 {
|
2018-03-07 18:23:03 +00:00
|
|
|
// If there is buffered content, wrap the connection. We return an
|
2019-08-28 11:46:32 +00:00
|
|
|
// object that implements CloseWrite if the underlying connection
|
2018-03-07 18:23:03 +00:00
|
|
|
// implements it.
|
|
|
|
if _, ok := c.(types.CloseWriter); ok {
|
2018-03-21 22:29:44 +00:00
|
|
|
c = &hijackedConnCloseWriter{&hijackedConn{c, br}}
|
2018-03-07 18:23:03 +00:00
|
|
|
} else {
|
|
|
|
c = &hijackedConn{c, br}
|
|
|
|
}
|
2017-05-15 19:59:15 +00:00
|
|
|
} else {
|
|
|
|
br.Reset(nil)
|
|
|
|
}
|
|
|
|
|
2019-08-28 11:46:32 +00:00
|
|
|
var mediaType string
|
|
|
|
if versions.GreaterThanOrEqualTo(cli.ClientVersion(), "1.42") {
|
|
|
|
// Prior to 1.42, Content-Type is always set to raw-stream and not relevant
|
|
|
|
mediaType = resp.Header.Get("Content-Type")
|
|
|
|
}
|
|
|
|
|
|
|
|
return c, mediaType, nil
|
2017-05-15 19:59:15 +00:00
|
|
|
}
|
|
|
|
|
2018-03-07 18:23:03 +00:00
|
|
|
// hijackedConn wraps a net.Conn and is returned by setupHijackConn in the case
|
|
|
|
// that a) there was already buffered data in the http layer when Hijack() was
|
|
|
|
// called, and b) the underlying net.Conn does *not* implement CloseWrite().
|
|
|
|
// hijackedConn does not implement CloseWrite() either.
|
2017-05-15 19:59:15 +00:00
|
|
|
type hijackedConn struct {
|
|
|
|
net.Conn
|
|
|
|
r *bufio.Reader
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c *hijackedConn) Read(b []byte) (int, error) {
|
|
|
|
return c.r.Read(b)
|
|
|
|
}
|
2018-03-07 18:23:03 +00:00
|
|
|
|
|
|
|
// hijackedConnCloseWriter is a hijackedConn which additionally implements
|
|
|
|
// CloseWrite(). It is returned by setupHijackConn in the case that a) there
|
|
|
|
// was already buffered data in the http layer when Hijack() was called, and b)
|
|
|
|
// the underlying net.Conn *does* implement CloseWrite().
|
2018-03-21 22:29:44 +00:00
|
|
|
type hijackedConnCloseWriter struct {
|
|
|
|
*hijackedConn
|
|
|
|
}
|
2018-03-07 18:23:03 +00:00
|
|
|
|
|
|
|
var _ types.CloseWriter = &hijackedConnCloseWriter{}
|
|
|
|
|
|
|
|
func (c *hijackedConnCloseWriter) CloseWrite() error {
|
|
|
|
conn := c.Conn.(types.CloseWriter)
|
|
|
|
return conn.CloseWrite()
|
|
|
|
}
|