github.com/mizzy/docker@v1.5.0/pkg/archive/diff_test.go (about)

     1  package archive
     2  
     3  import (
     4  	"testing"
     5  
     6  	"github.com/docker/docker/vendor/src/code.google.com/p/go/src/pkg/archive/tar"
     7  )
     8  
     9  func TestApplyLayerInvalidFilenames(t *testing.T) {
    10  	for i, headers := range [][]*tar.Header{
    11  		{
    12  			{
    13  				Name:     "../victim/dotdot",
    14  				Typeflag: tar.TypeReg,
    15  				Mode:     0644,
    16  			},
    17  		},
    18  		{
    19  			{
    20  				// Note the leading slash
    21  				Name:     "/../victim/slash-dotdot",
    22  				Typeflag: tar.TypeReg,
    23  				Mode:     0644,
    24  			},
    25  		},
    26  	} {
    27  		if err := testBreakout("applylayer", "docker-TestApplyLayerInvalidFilenames", headers); err != nil {
    28  			t.Fatalf("i=%d. %v", i, err)
    29  		}
    30  	}
    31  }
    32  
    33  func TestApplyLayerInvalidHardlink(t *testing.T) {
    34  	for i, headers := range [][]*tar.Header{
    35  		{ // try reading victim/hello (../)
    36  			{
    37  				Name:     "dotdot",
    38  				Typeflag: tar.TypeLink,
    39  				Linkname: "../victim/hello",
    40  				Mode:     0644,
    41  			},
    42  		},
    43  		{ // try reading victim/hello (/../)
    44  			{
    45  				Name:     "slash-dotdot",
    46  				Typeflag: tar.TypeLink,
    47  				// Note the leading slash
    48  				Linkname: "/../victim/hello",
    49  				Mode:     0644,
    50  			},
    51  		},
    52  		{ // try writing victim/file
    53  			{
    54  				Name:     "loophole-victim",
    55  				Typeflag: tar.TypeLink,
    56  				Linkname: "../victim",
    57  				Mode:     0755,
    58  			},
    59  			{
    60  				Name:     "loophole-victim/file",
    61  				Typeflag: tar.TypeReg,
    62  				Mode:     0644,
    63  			},
    64  		},
    65  		{ // try reading victim/hello (hardlink, symlink)
    66  			{
    67  				Name:     "loophole-victim",
    68  				Typeflag: tar.TypeLink,
    69  				Linkname: "../victim",
    70  				Mode:     0755,
    71  			},
    72  			{
    73  				Name:     "symlink",
    74  				Typeflag: tar.TypeSymlink,
    75  				Linkname: "loophole-victim/hello",
    76  				Mode:     0644,
    77  			},
    78  		},
    79  		{ // Try reading victim/hello (hardlink, hardlink)
    80  			{
    81  				Name:     "loophole-victim",
    82  				Typeflag: tar.TypeLink,
    83  				Linkname: "../victim",
    84  				Mode:     0755,
    85  			},
    86  			{
    87  				Name:     "hardlink",
    88  				Typeflag: tar.TypeLink,
    89  				Linkname: "loophole-victim/hello",
    90  				Mode:     0644,
    91  			},
    92  		},
    93  		{ // Try removing victim directory (hardlink)
    94  			{
    95  				Name:     "loophole-victim",
    96  				Typeflag: tar.TypeLink,
    97  				Linkname: "../victim",
    98  				Mode:     0755,
    99  			},
   100  			{
   101  				Name:     "loophole-victim",
   102  				Typeflag: tar.TypeReg,
   103  				Mode:     0644,
   104  			},
   105  		},
   106  	} {
   107  		if err := testBreakout("applylayer", "docker-TestApplyLayerInvalidHardlink", headers); err != nil {
   108  			t.Fatalf("i=%d. %v", i, err)
   109  		}
   110  	}
   111  }
   112  
   113  func TestApplyLayerInvalidSymlink(t *testing.T) {
   114  	for i, headers := range [][]*tar.Header{
   115  		{ // try reading victim/hello (../)
   116  			{
   117  				Name:     "dotdot",
   118  				Typeflag: tar.TypeSymlink,
   119  				Linkname: "../victim/hello",
   120  				Mode:     0644,
   121  			},
   122  		},
   123  		{ // try reading victim/hello (/../)
   124  			{
   125  				Name:     "slash-dotdot",
   126  				Typeflag: tar.TypeSymlink,
   127  				// Note the leading slash
   128  				Linkname: "/../victim/hello",
   129  				Mode:     0644,
   130  			},
   131  		},
   132  		{ // try writing victim/file
   133  			{
   134  				Name:     "loophole-victim",
   135  				Typeflag: tar.TypeSymlink,
   136  				Linkname: "../victim",
   137  				Mode:     0755,
   138  			},
   139  			{
   140  				Name:     "loophole-victim/file",
   141  				Typeflag: tar.TypeReg,
   142  				Mode:     0644,
   143  			},
   144  		},
   145  		{ // try reading victim/hello (symlink, symlink)
   146  			{
   147  				Name:     "loophole-victim",
   148  				Typeflag: tar.TypeSymlink,
   149  				Linkname: "../victim",
   150  				Mode:     0755,
   151  			},
   152  			{
   153  				Name:     "symlink",
   154  				Typeflag: tar.TypeSymlink,
   155  				Linkname: "loophole-victim/hello",
   156  				Mode:     0644,
   157  			},
   158  		},
   159  		{ // try reading victim/hello (symlink, hardlink)
   160  			{
   161  				Name:     "loophole-victim",
   162  				Typeflag: tar.TypeSymlink,
   163  				Linkname: "../victim",
   164  				Mode:     0755,
   165  			},
   166  			{
   167  				Name:     "hardlink",
   168  				Typeflag: tar.TypeLink,
   169  				Linkname: "loophole-victim/hello",
   170  				Mode:     0644,
   171  			},
   172  		},
   173  		{ // try removing victim directory (symlink)
   174  			{
   175  				Name:     "loophole-victim",
   176  				Typeflag: tar.TypeSymlink,
   177  				Linkname: "../victim",
   178  				Mode:     0755,
   179  			},
   180  			{
   181  				Name:     "loophole-victim",
   182  				Typeflag: tar.TypeReg,
   183  				Mode:     0644,
   184  			},
   185  		},
   186  	} {
   187  		if err := testBreakout("applylayer", "docker-TestApplyLayerInvalidSymlink", headers); err != nil {
   188  			t.Fatalf("i=%d. %v", i, err)
   189  		}
   190  	}
   191  }