5532d516be
For local communications (npipe://, unix://), the hostname is not used,
but we need valid and meaningful hostname.
The current code used the client's `addr` as hostname in some cases, which
could contain the path for the unix-socket (`/var/run/docker.sock`), which
gets rejected by go1.20.6 and go1.19.11 because of a security fix for
[CVE-2023-29406 ][1], which was implemented in https://go.dev/issue/60374.
Prior versions go Go would clean the host header, and strip slashes in the
process, but go1.20.6 and go1.19.11 no longer do, and reject the host
header.
This patch introduces a `DummyHost` const, and uses this dummy host for
cases where we don't need an actual hostname.
Before this patch (using go1.20.6):
make GO_VERSION=1.20.6 TEST_FILTER=TestAttach test-integration
=== RUN TestAttachWithTTY
attach_test.go:46: assertion failed: error is not nil: http: invalid Host header
--- FAIL: TestAttachWithTTY (0.11s)
=== RUN TestAttachWithoutTTy
attach_test.go:46: assertion failed: error is not nil: http: invalid Host header
--- FAIL: TestAttachWithoutTTy (0.02s)
FAIL
With this patch applied:
make GO_VERSION=1.20.6 TEST_FILTER=TestAttach test-integration
INFO: Testing against a local daemon
=== RUN TestAttachWithTTY
--- PASS: TestAttachWithTTY (0.12s)
=== RUN TestAttachWithoutTTy
--- PASS: TestAttachWithoutTTy (0.02s)
PASS
[1]: https://github.com/advisories/GHSA-f8f7-69v5-w4vx
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 92975f0c11
)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
149 lines
4.1 KiB
Go
149 lines
4.1 KiB
Go
package client // import "github.com/docker/docker/client"
|
|
|
|
import (
|
|
"bytes"
|
|
"context"
|
|
"errors"
|
|
"fmt"
|
|
"io"
|
|
"math/rand"
|
|
"net/http"
|
|
"strings"
|
|
"testing"
|
|
"time"
|
|
|
|
"github.com/docker/docker/api/types"
|
|
"github.com/docker/docker/errdefs"
|
|
"gotest.tools/v3/assert"
|
|
is "gotest.tools/v3/assert/cmp"
|
|
)
|
|
|
|
// TestSetHostHeader should set fake host for local communications, set real host
|
|
// for normal communications.
|
|
func TestSetHostHeader(t *testing.T) {
|
|
testURL := "/test"
|
|
testCases := []struct {
|
|
host string
|
|
expectedHost string
|
|
expectedURLHost string
|
|
}{
|
|
{
|
|
host: "unix:///var/run/docker.sock",
|
|
expectedHost: DummyHost,
|
|
expectedURLHost: "/var/run/docker.sock",
|
|
},
|
|
{
|
|
host: "npipe:////./pipe/docker_engine",
|
|
expectedHost: DummyHost,
|
|
expectedURLHost: "//./pipe/docker_engine",
|
|
},
|
|
{
|
|
host: "tcp://0.0.0.0:4243",
|
|
expectedHost: "",
|
|
expectedURLHost: "0.0.0.0:4243",
|
|
},
|
|
{
|
|
host: "tcp://localhost:4243",
|
|
expectedHost: "",
|
|
expectedURLHost: "localhost:4243",
|
|
},
|
|
}
|
|
|
|
for c, test := range testCases {
|
|
hostURL, err := ParseHostURL(test.host)
|
|
assert.NilError(t, err)
|
|
|
|
client := &Client{
|
|
client: newMockClient(func(req *http.Request) (*http.Response, error) {
|
|
if !strings.HasPrefix(req.URL.Path, testURL) {
|
|
return nil, fmt.Errorf("Test Case #%d: Expected URL %q, got %q", c, testURL, req.URL)
|
|
}
|
|
if req.Host != test.expectedHost {
|
|
return nil, fmt.Errorf("Test Case #%d: Expected host %q, got %q", c, test.expectedHost, req.Host)
|
|
}
|
|
if req.URL.Host != test.expectedURLHost {
|
|
return nil, fmt.Errorf("Test Case #%d: Expected URL host %q, got %q", c, test.expectedURLHost, req.URL.Host)
|
|
}
|
|
return &http.Response{
|
|
StatusCode: http.StatusOK,
|
|
Body: io.NopCloser(bytes.NewReader([]byte(""))),
|
|
}, nil
|
|
}),
|
|
|
|
proto: hostURL.Scheme,
|
|
addr: hostURL.Host,
|
|
basePath: hostURL.Path,
|
|
}
|
|
|
|
_, err = client.sendRequest(context.Background(), http.MethodGet, testURL, nil, nil, nil)
|
|
assert.NilError(t, err)
|
|
}
|
|
}
|
|
|
|
// TestPlainTextError tests the server returning an error in plain text for
|
|
// backwards compatibility with API versions <1.24. All other tests use
|
|
// errors returned as JSON
|
|
func TestPlainTextError(t *testing.T) {
|
|
client := &Client{
|
|
client: newMockClient(plainTextErrorMock(http.StatusInternalServerError, "Server error")),
|
|
}
|
|
_, err := client.ContainerList(context.Background(), types.ContainerListOptions{})
|
|
if !errdefs.IsSystem(err) {
|
|
t.Fatalf("expected a Server Error, got %[1]T: %[1]v", err)
|
|
}
|
|
}
|
|
|
|
func TestInfiniteError(t *testing.T) {
|
|
infinitR := rand.New(rand.NewSource(42))
|
|
client := &Client{
|
|
client: newMockClient(func(req *http.Request) (*http.Response, error) {
|
|
resp := &http.Response{StatusCode: http.StatusInternalServerError}
|
|
resp.Header = http.Header{}
|
|
resp.Body = io.NopCloser(infinitR)
|
|
return resp, nil
|
|
}),
|
|
}
|
|
|
|
_, err := client.Ping(context.Background())
|
|
assert.Check(t, is.ErrorContains(err, "request returned Internal Server Error"))
|
|
}
|
|
|
|
func TestCanceledContext(t *testing.T) {
|
|
testURL := "/test"
|
|
|
|
client := &Client{
|
|
client: newMockClient(func(req *http.Request) (*http.Response, error) {
|
|
assert.Equal(t, req.Context().Err(), context.Canceled)
|
|
|
|
return &http.Response{}, context.Canceled
|
|
}),
|
|
}
|
|
|
|
ctx, cancel := context.WithCancel(context.Background())
|
|
cancel()
|
|
|
|
_, err := client.sendRequest(ctx, http.MethodGet, testURL, nil, nil, nil)
|
|
assert.Equal(t, true, errdefs.IsCancelled(err))
|
|
assert.Equal(t, true, errors.Is(err, context.Canceled))
|
|
}
|
|
|
|
func TestDeadlineExceededContext(t *testing.T) {
|
|
testURL := "/test"
|
|
|
|
client := &Client{
|
|
client: newMockClient(func(req *http.Request) (*http.Response, error) {
|
|
assert.Equal(t, req.Context().Err(), context.DeadlineExceeded)
|
|
|
|
return &http.Response{}, context.DeadlineExceeded
|
|
}),
|
|
}
|
|
|
|
ctx, cancel := context.WithDeadline(context.Background(), time.Now())
|
|
defer cancel()
|
|
|
|
<-ctx.Done()
|
|
|
|
_, err := client.sendRequest(ctx, http.MethodGet, testURL, nil, nil, nil)
|
|
assert.Equal(t, true, errdefs.IsDeadline(err))
|
|
assert.Equal(t, true, errors.Is(err, context.DeadlineExceeded))
|
|
}
|