github.com/nalind/docker@v1.5.0/pkg/archive/diff_test.go (about) 1 package archive 2 3 import ( 4 "testing" 5 6 "github.com/docker/docker/vendor/src/code.google.com/p/go/src/pkg/archive/tar" 7 ) 8 9 func TestApplyLayerInvalidFilenames(t *testing.T) { 10 for i, headers := range [][]*tar.Header{ 11 { 12 { 13 Name: "../victim/dotdot", 14 Typeflag: tar.TypeReg, 15 Mode: 0644, 16 }, 17 }, 18 { 19 { 20 // Note the leading slash 21 Name: "/../victim/slash-dotdot", 22 Typeflag: tar.TypeReg, 23 Mode: 0644, 24 }, 25 }, 26 } { 27 if err := testBreakout("applylayer", "docker-TestApplyLayerInvalidFilenames", headers); err != nil { 28 t.Fatalf("i=%d. %v", i, err) 29 } 30 } 31 } 32 33 func TestApplyLayerInvalidHardlink(t *testing.T) { 34 for i, headers := range [][]*tar.Header{ 35 { // try reading victim/hello (../) 36 { 37 Name: "dotdot", 38 Typeflag: tar.TypeLink, 39 Linkname: "../victim/hello", 40 Mode: 0644, 41 }, 42 }, 43 { // try reading victim/hello (/../) 44 { 45 Name: "slash-dotdot", 46 Typeflag: tar.TypeLink, 47 // Note the leading slash 48 Linkname: "/../victim/hello", 49 Mode: 0644, 50 }, 51 }, 52 { // try writing victim/file 53 { 54 Name: "loophole-victim", 55 Typeflag: tar.TypeLink, 56 Linkname: "../victim", 57 Mode: 0755, 58 }, 59 { 60 Name: "loophole-victim/file", 61 Typeflag: tar.TypeReg, 62 Mode: 0644, 63 }, 64 }, 65 { // try reading victim/hello (hardlink, symlink) 66 { 67 Name: "loophole-victim", 68 Typeflag: tar.TypeLink, 69 Linkname: "../victim", 70 Mode: 0755, 71 }, 72 { 73 Name: "symlink", 74 Typeflag: tar.TypeSymlink, 75 Linkname: "loophole-victim/hello", 76 Mode: 0644, 77 }, 78 }, 79 { // Try reading victim/hello (hardlink, hardlink) 80 { 81 Name: "loophole-victim", 82 Typeflag: tar.TypeLink, 83 Linkname: "../victim", 84 Mode: 0755, 85 }, 86 { 87 Name: "hardlink", 88 Typeflag: tar.TypeLink, 89 Linkname: "loophole-victim/hello", 90 Mode: 0644, 91 }, 92 }, 93 { // Try removing victim directory (hardlink) 94 { 95 Name: "loophole-victim", 96 Typeflag: tar.TypeLink, 97 Linkname: "../victim", 98 Mode: 0755, 99 }, 100 { 101 Name: "loophole-victim", 102 Typeflag: tar.TypeReg, 103 Mode: 0644, 104 }, 105 }, 106 } { 107 if err := testBreakout("applylayer", "docker-TestApplyLayerInvalidHardlink", headers); err != nil { 108 t.Fatalf("i=%d. %v", i, err) 109 } 110 } 111 } 112 113 func TestApplyLayerInvalidSymlink(t *testing.T) { 114 for i, headers := range [][]*tar.Header{ 115 { // try reading victim/hello (../) 116 { 117 Name: "dotdot", 118 Typeflag: tar.TypeSymlink, 119 Linkname: "../victim/hello", 120 Mode: 0644, 121 }, 122 }, 123 { // try reading victim/hello (/../) 124 { 125 Name: "slash-dotdot", 126 Typeflag: tar.TypeSymlink, 127 // Note the leading slash 128 Linkname: "/../victim/hello", 129 Mode: 0644, 130 }, 131 }, 132 { // try writing victim/file 133 { 134 Name: "loophole-victim", 135 Typeflag: tar.TypeSymlink, 136 Linkname: "../victim", 137 Mode: 0755, 138 }, 139 { 140 Name: "loophole-victim/file", 141 Typeflag: tar.TypeReg, 142 Mode: 0644, 143 }, 144 }, 145 { // try reading victim/hello (symlink, symlink) 146 { 147 Name: "loophole-victim", 148 Typeflag: tar.TypeSymlink, 149 Linkname: "../victim", 150 Mode: 0755, 151 }, 152 { 153 Name: "symlink", 154 Typeflag: tar.TypeSymlink, 155 Linkname: "loophole-victim/hello", 156 Mode: 0644, 157 }, 158 }, 159 { // try reading victim/hello (symlink, hardlink) 160 { 161 Name: "loophole-victim", 162 Typeflag: tar.TypeSymlink, 163 Linkname: "../victim", 164 Mode: 0755, 165 }, 166 { 167 Name: "hardlink", 168 Typeflag: tar.TypeLink, 169 Linkname: "loophole-victim/hello", 170 Mode: 0644, 171 }, 172 }, 173 { // try removing victim directory (symlink) 174 { 175 Name: "loophole-victim", 176 Typeflag: tar.TypeSymlink, 177 Linkname: "../victim", 178 Mode: 0755, 179 }, 180 { 181 Name: "loophole-victim", 182 Typeflag: tar.TypeReg, 183 Mode: 0644, 184 }, 185 }, 186 } { 187 if err := testBreakout("applylayer", "docker-TestApplyLayerInvalidSymlink", headers); err != nil { 188 t.Fatalf("i=%d. %v", i, err) 189 } 190 } 191 }