github.com/Prakhar-Agarwal-byte/moby@v0.0.0-20231027092010-a14e3e8ab87e/pkg/chrootarchive/archive_unix_test.go (about) 1 //go:build !windows 2 3 package chrootarchive 4 5 import ( 6 gotar "archive/tar" 7 "bytes" 8 "io" 9 "os" 10 "path" 11 "path/filepath" 12 "strings" 13 "testing" 14 15 "github.com/Prakhar-Agarwal-byte/moby/pkg/archive" 16 "golang.org/x/sys/unix" 17 "gotest.tools/v3/assert" 18 "gotest.tools/v3/skip" 19 ) 20 21 // Test for CVE-2018-15664 22 // Assures that in the case where an "attacker" controlled path is a symlink to 23 // some path outside of a container's rootfs that we do not copy data to a 24 // container path that will actually overwrite data on the host 25 func TestUntarWithMaliciousSymlinks(t *testing.T) { 26 skip.If(t, os.Getuid() != 0, "skipping test that requires root") 27 dir := t.TempDir() 28 29 root := filepath.Join(dir, "root") 30 31 err := os.Mkdir(root, 0o755) 32 assert.NilError(t, err) 33 34 // Add a file into a directory above root 35 // Ensure that we can't access this file while tarring. 36 err = os.WriteFile(filepath.Join(dir, "host-file"), []byte("I am a host file"), 0o644) 37 assert.NilError(t, err) 38 39 // Create some data which which will be copied into the "container" root into 40 // the symlinked path. 41 // Before this change, the copy would overwrite the "host" content. 42 // With this change it should not. 43 data := filepath.Join(dir, "data") 44 err = os.Mkdir(data, 0o755) 45 assert.NilError(t, err) 46 err = os.WriteFile(filepath.Join(data, "local-file"), []byte("pwn3d"), 0o644) 47 assert.NilError(t, err) 48 49 safe := filepath.Join(root, "safe") 50 err = unix.Symlink(dir, safe) 51 assert.NilError(t, err) 52 53 rdr, err := archive.TarWithOptions(data, &archive.TarOptions{IncludeFiles: []string{"local-file"}, RebaseNames: map[string]string{"local-file": "host-file"}}) 54 assert.NilError(t, err) 55 56 // Use tee to test both the good case and the bad case w/o recreating the archive 57 bufRdr := bytes.NewBuffer(nil) 58 tee := io.TeeReader(rdr, bufRdr) 59 60 err = UntarWithRoot(tee, safe, nil, root) 61 assert.Assert(t, err != nil) 62 assert.ErrorContains(t, err, "open /safe/host-file: no such file or directory") 63 64 // Make sure the "host" file is still in tact 65 // Before the fix the host file would be overwritten 66 hostData, err := os.ReadFile(filepath.Join(dir, "host-file")) 67 assert.NilError(t, err) 68 assert.Equal(t, string(hostData), "I am a host file") 69 70 // Now test by chrooting to an attacker controlled path 71 // This should succeed as is and overwrite a "host" file 72 // Note that this would be a mis-use of this function. 73 err = UntarWithRoot(bufRdr, safe, nil, safe) 74 assert.NilError(t, err) 75 76 hostData, err = os.ReadFile(filepath.Join(dir, "host-file")) 77 assert.NilError(t, err) 78 assert.Equal(t, string(hostData), "pwn3d") 79 } 80 81 // Test for CVE-2018-15664 82 // Assures that in the case where an "attacker" controlled path is a symlink to 83 // some path outside of a container's rootfs that we do not unwittingly leak 84 // host data into the archive. 85 func TestTarWithMaliciousSymlinks(t *testing.T) { 86 skip.If(t, os.Getuid() != 0, "skipping test that requires root") 87 dir, err := os.MkdirTemp("", t.Name()) 88 assert.NilError(t, err) 89 // defer os.RemoveAll(dir) 90 t.Log(dir) 91 92 root := filepath.Join(dir, "root") 93 94 err = os.Mkdir(root, 0o755) 95 assert.NilError(t, err) 96 97 hostFileData := []byte("I am a host file") 98 99 // Add a file into a directory above root 100 // Ensure that we can't access this file while tarring. 101 err = os.WriteFile(filepath.Join(dir, "host-file"), hostFileData, 0o644) 102 assert.NilError(t, err) 103 104 safe := filepath.Join(root, "safe") 105 err = unix.Symlink(dir, safe) 106 assert.NilError(t, err) 107 108 data := filepath.Join(dir, "data") 109 err = os.Mkdir(data, 0o755) 110 assert.NilError(t, err) 111 112 type testCase struct { 113 p string 114 includes []string 115 } 116 117 cases := []testCase{ 118 {p: safe, includes: []string{"host-file"}}, 119 {p: safe + "/", includes: []string{"host-file"}}, 120 {p: safe, includes: nil}, 121 {p: safe + "/", includes: nil}, 122 {p: root, includes: []string{"safe/host-file"}}, 123 {p: root, includes: []string{"/safe/host-file"}}, 124 {p: root, includes: nil}, 125 } 126 127 maxBytes := len(hostFileData) 128 129 for _, tc := range cases { 130 t.Run(path.Join(tc.p+"_"+strings.Join(tc.includes, "_")), func(t *testing.T) { 131 // Here if we use archive.TarWithOptions directly or change the "root" parameter 132 // to be the same as "safe", data from the host will be leaked into the archive 133 var opts *archive.TarOptions 134 if tc.includes != nil { 135 opts = &archive.TarOptions{ 136 IncludeFiles: tc.includes, 137 } 138 } 139 rdr, err := Tar(tc.p, opts, root) 140 assert.NilError(t, err) 141 defer rdr.Close() 142 143 tr := gotar.NewReader(rdr) 144 assert.Assert(t, !isDataInTar(t, tr, hostFileData, int64(maxBytes)), "host data leaked to archive") 145 }) 146 } 147 } 148 149 func isDataInTar(t *testing.T, tr *gotar.Reader, compare []byte, maxBytes int64) bool { 150 for { 151 h, err := tr.Next() 152 if err == io.EOF { 153 break 154 } 155 assert.NilError(t, err) 156 157 if h.Size == 0 { 158 continue 159 } 160 assert.Assert(t, h.Size <= maxBytes, "%s: file size exceeds max expected size %d: %d", h.Name, maxBytes, h.Size) 161 162 data := make([]byte, int(h.Size)) 163 _, err = io.ReadFull(tr, data) 164 assert.NilError(t, err) 165 if bytes.Contains(data, compare) { 166 return true 167 } 168 } 169 170 return false 171 }