github.com/cdoern/storage@v1.12.13/pkg/chrootarchive/archive_unix_test.go (about)

     1  // +build !windows
     2  
     3  package chrootarchive
     4  
     5  import (
     6  	gotar "archive/tar"
     7  	"bytes"
     8  	"io"
     9  	"io/ioutil"
    10  	"os"
    11  	"path"
    12  	"path/filepath"
    13  	"strings"
    14  	"testing"
    15  
    16  	"github.com/containers/storage/pkg/archive"
    17  	"golang.org/x/sys/unix"
    18  	"gotest.tools/assert"
    19  )
    20  
    21  // Test for CVE-2018-15664
    22  // Assures that in the case where an "attacker" controlled path is a symlink to
    23  // some path outside of a container's rootfs that we do not copy data to a
    24  // container path that will actually overwrite data on the host
    25  func TestUntarWithMaliciousSymlinks(t *testing.T) {
    26  	dir, err := ioutil.TempDir("", t.Name())
    27  	assert.NilError(t, err)
    28  	defer os.RemoveAll(dir)
    29  
    30  	root := filepath.Join(dir, "root")
    31  
    32  	err = os.MkdirAll(root, 0755)
    33  	assert.NilError(t, err)
    34  
    35  	// Add a file into a directory above root
    36  	// Ensure that we can't access this file while tarring.
    37  	err = ioutil.WriteFile(filepath.Join(dir, "host-file"), []byte("I am a host file"), 0644)
    38  	assert.NilError(t, err)
    39  
    40  	// Create some data which which will be copied into the "container" root into
    41  	// the symlinked path.
    42  	// Before this change, the copy would overwrite the "host" content.
    43  	// With this change it should not.
    44  	data := filepath.Join(dir, "data")
    45  	err = os.MkdirAll(data, 0755)
    46  	assert.NilError(t, err)
    47  	err = ioutil.WriteFile(filepath.Join(data, "local-file"), []byte("pwn3d"), 0644)
    48  	assert.NilError(t, err)
    49  
    50  	safe := filepath.Join(root, "safe")
    51  	err = unix.Symlink(dir, safe)
    52  	assert.NilError(t, err)
    53  
    54  	rdr, err := archive.TarWithOptions(data, &archive.TarOptions{IncludeFiles: []string{"local-file"}, RebaseNames: map[string]string{"local-file": "host-file"}})
    55  	assert.NilError(t, err)
    56  
    57  	// Use tee to test both the good case and the bad case w/o recreating the archive
    58  	bufRdr := bytes.NewBuffer(nil)
    59  	tee := io.TeeReader(rdr, bufRdr)
    60  
    61  	err = UntarWithRoot(tee, safe, nil, root)
    62  	assert.Assert(t, err != nil)
    63  	assert.ErrorContains(t, err, "open /safe/host-file: no such file or directory")
    64  
    65  	// Make sure the "host" file is still in tact
    66  	// Before the fix the host file would be overwritten
    67  	hostData, err := ioutil.ReadFile(filepath.Join(dir, "host-file"))
    68  	assert.NilError(t, err)
    69  	assert.Equal(t, string(hostData), "I am a host file")
    70  
    71  	// Now test by chrooting to an attacker controlled path
    72  	// This should succeed as is and overwrite a "host" file
    73  	// Note that this would be a mis-use of this function.
    74  	err = UntarWithRoot(bufRdr, safe, nil, safe)
    75  	assert.NilError(t, err)
    76  
    77  	hostData, err = ioutil.ReadFile(filepath.Join(dir, "host-file"))
    78  	assert.NilError(t, err)
    79  	assert.Equal(t, string(hostData), "pwn3d")
    80  }
    81  
    82  // Test for CVE-2018-15664
    83  // Assures that in the case where an "attacker" controlled path is a symlink to
    84  // some path outside of a container's rootfs that we do not unwittingly leak
    85  // host data into the archive.
    86  func TestTarWithMaliciousSymlinks(t *testing.T) {
    87  	dir, err := ioutil.TempDir("", t.Name())
    88  	assert.NilError(t, err)
    89  	// defer os.RemoveAll(dir)
    90  	t.Log(dir)
    91  
    92  	root := filepath.Join(dir, "root")
    93  
    94  	err = os.MkdirAll(root, 0755)
    95  	assert.NilError(t, err)
    96  
    97  	hostFileData := []byte("I am a host file")
    98  
    99  	// Add a file into a directory above root
   100  	// Ensure that we can't access this file while tarring.
   101  	err = ioutil.WriteFile(filepath.Join(dir, "host-file"), hostFileData, 0644)
   102  	assert.NilError(t, err)
   103  
   104  	safe := filepath.Join(root, "safe")
   105  	err = unix.Symlink(dir, safe)
   106  	assert.NilError(t, err)
   107  
   108  	data := filepath.Join(dir, "data")
   109  	err = os.MkdirAll(data, 0755)
   110  	assert.NilError(t, err)
   111  
   112  	type testCase struct {
   113  		p        string
   114  		includes []string
   115  	}
   116  
   117  	cases := []testCase{
   118  		{p: safe, includes: []string{"host-file"}},
   119  		{p: safe + "/", includes: []string{"host-file"}},
   120  		{p: safe, includes: nil},
   121  		{p: safe + "/", includes: nil},
   122  		{p: root, includes: []string{"safe/host-file"}},
   123  		{p: root, includes: []string{"/safe/host-file"}},
   124  		{p: root, includes: nil},
   125  	}
   126  
   127  	maxBytes := len(hostFileData)
   128  
   129  	for _, tc := range cases {
   130  		t.Run(path.Join(tc.p+"_"+strings.Join(tc.includes, "_")), func(t *testing.T) {
   131  			// Here if we use archive.TarWithOptions directly or change the "root" parameter
   132  			// to be the same as "safe", data from the host will be leaked into the archive
   133  			var opts *archive.TarOptions
   134  			if tc.includes != nil {
   135  				opts = &archive.TarOptions{
   136  					IncludeFiles: tc.includes,
   137  				}
   138  			}
   139  			rdr, err := Tar(tc.p, opts, root)
   140  			assert.NilError(t, err)
   141  			defer rdr.Close()
   142  
   143  			tr := gotar.NewReader(rdr)
   144  			assert.Assert(t, !isDataInTar(t, tr, hostFileData, int64(maxBytes)), "host data leaked to archive")
   145  		})
   146  	}
   147  }
   148  
   149  func isDataInTar(t *testing.T, tr *gotar.Reader, compare []byte, maxBytes int64) bool {
   150  	for {
   151  		h, err := tr.Next()
   152  		if err == io.EOF {
   153  			break
   154  		}
   155  		assert.NilError(t, err)
   156  
   157  		if h.Size == 0 {
   158  			continue
   159  		}
   160  		assert.Assert(t, h.Size <= maxBytes, "%s: file size exceeds max expected size %d: %d", h.Name, maxBytes, h.Size)
   161  
   162  		data := make([]byte, int(h.Size))
   163  		_, err = io.ReadFull(tr, data)
   164  		assert.NilError(t, err)
   165  		if bytes.Contains(data, compare) {
   166  			return true
   167  		}
   168  	}
   169  
   170  	return false
   171  }