github.com/demonoid81/moby@v0.0.0-20200517203328-62dd8e17c460/pkg/chrootarchive/archive_unix_test.go (about) 1 // +build !windows 2 3 package chrootarchive 4 5 import ( 6 gotar "archive/tar" 7 "bytes" 8 "io" 9 "io/ioutil" 10 "os" 11 "path" 12 "path/filepath" 13 "strings" 14 "testing" 15 16 "github.com/demonoid81/moby/pkg/archive" 17 "golang.org/x/sys/unix" 18 "gotest.tools/v3/assert" 19 ) 20 21 // Test for CVE-2018-15664 22 // Assures that in the case where an "attacker" controlled path is a symlink to 23 // some path outside of a container's rootfs that we do not copy data to a 24 // container path that will actually overwrite data on the host 25 func TestUntarWithMaliciousSymlinks(t *testing.T) { 26 dir, err := ioutil.TempDir("", t.Name()) 27 assert.NilError(t, err) 28 defer os.RemoveAll(dir) 29 30 root := filepath.Join(dir, "root") 31 32 err = os.MkdirAll(root, 0755) 33 assert.NilError(t, err) 34 35 // Add a file into a directory above root 36 // Ensure that we can't access this file while tarring. 37 err = ioutil.WriteFile(filepath.Join(dir, "host-file"), []byte("I am a host file"), 0644) 38 assert.NilError(t, err) 39 40 // Create some data which which will be copied into the "container" root into 41 // the symlinked path. 42 // Before this change, the copy would overwrite the "host" content. 43 // With this change it should not. 44 data := filepath.Join(dir, "data") 45 err = os.MkdirAll(data, 0755) 46 assert.NilError(t, err) 47 err = ioutil.WriteFile(filepath.Join(data, "local-file"), []byte("pwn3d"), 0644) 48 assert.NilError(t, err) 49 50 safe := filepath.Join(root, "safe") 51 err = unix.Symlink(dir, safe) 52 assert.NilError(t, err) 53 54 rdr, err := archive.TarWithOptions(data, &archive.TarOptions{IncludeFiles: []string{"local-file"}, RebaseNames: map[string]string{"local-file": "host-file"}}) 55 assert.NilError(t, err) 56 57 // Use tee to test both the good case and the bad case w/o recreating the archive 58 bufRdr := bytes.NewBuffer(nil) 59 tee := io.TeeReader(rdr, bufRdr) 60 61 err = UntarWithRoot(tee, safe, nil, root) 62 assert.Assert(t, err != nil) 63 assert.ErrorContains(t, err, "open /safe/host-file: no such file or directory") 64 65 // Make sure the "host" file is still in tact 66 // Before the fix the host file would be overwritten 67 hostData, err := ioutil.ReadFile(filepath.Join(dir, "host-file")) 68 assert.NilError(t, err) 69 assert.Equal(t, string(hostData), "I am a host file") 70 71 // Now test by chrooting to an attacker controlled path 72 // This should succeed as is and overwrite a "host" file 73 // Note that this would be a mis-use of this function. 74 err = UntarWithRoot(bufRdr, safe, nil, safe) 75 assert.NilError(t, err) 76 77 hostData, err = ioutil.ReadFile(filepath.Join(dir, "host-file")) 78 assert.NilError(t, err) 79 assert.Equal(t, string(hostData), "pwn3d") 80 } 81 82 // Test for CVE-2018-15664 83 // Assures that in the case where an "attacker" controlled path is a symlink to 84 // some path outside of a container's rootfs that we do not unwittingly leak 85 // host data into the archive. 86 func TestTarWithMaliciousSymlinks(t *testing.T) { 87 dir, err := ioutil.TempDir("", t.Name()) 88 assert.NilError(t, err) 89 // defer os.RemoveAll(dir) 90 t.Log(dir) 91 92 root := filepath.Join(dir, "root") 93 94 err = os.MkdirAll(root, 0755) 95 assert.NilError(t, err) 96 97 hostFileData := []byte("I am a host file") 98 99 // Add a file into a directory above root 100 // Ensure that we can't access this file while tarring. 101 err = ioutil.WriteFile(filepath.Join(dir, "host-file"), hostFileData, 0644) 102 assert.NilError(t, err) 103 104 safe := filepath.Join(root, "safe") 105 err = unix.Symlink(dir, safe) 106 assert.NilError(t, err) 107 108 data := filepath.Join(dir, "data") 109 err = os.MkdirAll(data, 0755) 110 assert.NilError(t, err) 111 112 type testCase struct { 113 p string 114 includes []string 115 } 116 117 cases := []testCase{ 118 {p: safe, includes: []string{"host-file"}}, 119 {p: safe + "/", includes: []string{"host-file"}}, 120 {p: safe, includes: nil}, 121 {p: safe + "/", includes: nil}, 122 {p: root, includes: []string{"safe/host-file"}}, 123 {p: root, includes: []string{"/safe/host-file"}}, 124 {p: root, includes: nil}, 125 } 126 127 maxBytes := len(hostFileData) 128 129 for _, tc := range cases { 130 t.Run(path.Join(tc.p+"_"+strings.Join(tc.includes, "_")), func(t *testing.T) { 131 // Here if we use archive.TarWithOptions directly or change the "root" parameter 132 // to be the same as "safe", data from the host will be leaked into the archive 133 var opts *archive.TarOptions 134 if tc.includes != nil { 135 opts = &archive.TarOptions{ 136 IncludeFiles: tc.includes, 137 } 138 } 139 rdr, err := Tar(tc.p, opts, root) 140 assert.NilError(t, err) 141 defer rdr.Close() 142 143 tr := gotar.NewReader(rdr) 144 assert.Assert(t, !isDataInTar(t, tr, hostFileData, int64(maxBytes)), "host data leaked to archive") 145 }) 146 } 147 } 148 149 func isDataInTar(t *testing.T, tr *gotar.Reader, compare []byte, maxBytes int64) bool { 150 for { 151 h, err := tr.Next() 152 if err == io.EOF { 153 break 154 } 155 assert.NilError(t, err) 156 157 if h.Size == 0 { 158 continue 159 } 160 assert.Assert(t, h.Size <= maxBytes, "%s: file size exceeds max expected size %d: %d", h.Name, maxBytes, h.Size) 161 162 data := make([]byte, int(h.Size)) 163 _, err = io.ReadFull(tr, data) 164 assert.NilError(t, err) 165 if bytes.Contains(data, compare) { 166 return true 167 } 168 } 169 170 return false 171 }