github.com/rentongzhang/docker@v1.8.2-rc1/pkg/archive/diff_test.go (about) 1 package archive 2 3 import ( 4 "archive/tar" 5 "testing" 6 ) 7 8 func TestApplyLayerInvalidFilenames(t *testing.T) { 9 for i, headers := range [][]*tar.Header{ 10 { 11 { 12 Name: "../victim/dotdot", 13 Typeflag: tar.TypeReg, 14 Mode: 0644, 15 }, 16 }, 17 { 18 { 19 // Note the leading slash 20 Name: "/../victim/slash-dotdot", 21 Typeflag: tar.TypeReg, 22 Mode: 0644, 23 }, 24 }, 25 } { 26 if err := testBreakout("applylayer", "docker-TestApplyLayerInvalidFilenames", headers); err != nil { 27 t.Fatalf("i=%d. %v", i, err) 28 } 29 } 30 } 31 32 func TestApplyLayerInvalidHardlink(t *testing.T) { 33 for i, headers := range [][]*tar.Header{ 34 { // try reading victim/hello (../) 35 { 36 Name: "dotdot", 37 Typeflag: tar.TypeLink, 38 Linkname: "../victim/hello", 39 Mode: 0644, 40 }, 41 }, 42 { // try reading victim/hello (/../) 43 { 44 Name: "slash-dotdot", 45 Typeflag: tar.TypeLink, 46 // Note the leading slash 47 Linkname: "/../victim/hello", 48 Mode: 0644, 49 }, 50 }, 51 { // try writing victim/file 52 { 53 Name: "loophole-victim", 54 Typeflag: tar.TypeLink, 55 Linkname: "../victim", 56 Mode: 0755, 57 }, 58 { 59 Name: "loophole-victim/file", 60 Typeflag: tar.TypeReg, 61 Mode: 0644, 62 }, 63 }, 64 { // try reading victim/hello (hardlink, symlink) 65 { 66 Name: "loophole-victim", 67 Typeflag: tar.TypeLink, 68 Linkname: "../victim", 69 Mode: 0755, 70 }, 71 { 72 Name: "symlink", 73 Typeflag: tar.TypeSymlink, 74 Linkname: "loophole-victim/hello", 75 Mode: 0644, 76 }, 77 }, 78 { // Try reading victim/hello (hardlink, hardlink) 79 { 80 Name: "loophole-victim", 81 Typeflag: tar.TypeLink, 82 Linkname: "../victim", 83 Mode: 0755, 84 }, 85 { 86 Name: "hardlink", 87 Typeflag: tar.TypeLink, 88 Linkname: "loophole-victim/hello", 89 Mode: 0644, 90 }, 91 }, 92 { // Try removing victim directory (hardlink) 93 { 94 Name: "loophole-victim", 95 Typeflag: tar.TypeLink, 96 Linkname: "../victim", 97 Mode: 0755, 98 }, 99 { 100 Name: "loophole-victim", 101 Typeflag: tar.TypeReg, 102 Mode: 0644, 103 }, 104 }, 105 } { 106 if err := testBreakout("applylayer", "docker-TestApplyLayerInvalidHardlink", headers); err != nil { 107 t.Fatalf("i=%d. %v", i, err) 108 } 109 } 110 } 111 112 func TestApplyLayerInvalidSymlink(t *testing.T) { 113 for i, headers := range [][]*tar.Header{ 114 { // try reading victim/hello (../) 115 { 116 Name: "dotdot", 117 Typeflag: tar.TypeSymlink, 118 Linkname: "../victim/hello", 119 Mode: 0644, 120 }, 121 }, 122 { // try reading victim/hello (/../) 123 { 124 Name: "slash-dotdot", 125 Typeflag: tar.TypeSymlink, 126 // Note the leading slash 127 Linkname: "/../victim/hello", 128 Mode: 0644, 129 }, 130 }, 131 { // try writing victim/file 132 { 133 Name: "loophole-victim", 134 Typeflag: tar.TypeSymlink, 135 Linkname: "../victim", 136 Mode: 0755, 137 }, 138 { 139 Name: "loophole-victim/file", 140 Typeflag: tar.TypeReg, 141 Mode: 0644, 142 }, 143 }, 144 { // try reading victim/hello (symlink, symlink) 145 { 146 Name: "loophole-victim", 147 Typeflag: tar.TypeSymlink, 148 Linkname: "../victim", 149 Mode: 0755, 150 }, 151 { 152 Name: "symlink", 153 Typeflag: tar.TypeSymlink, 154 Linkname: "loophole-victim/hello", 155 Mode: 0644, 156 }, 157 }, 158 { // try reading victim/hello (symlink, hardlink) 159 { 160 Name: "loophole-victim", 161 Typeflag: tar.TypeSymlink, 162 Linkname: "../victim", 163 Mode: 0755, 164 }, 165 { 166 Name: "hardlink", 167 Typeflag: tar.TypeLink, 168 Linkname: "loophole-victim/hello", 169 Mode: 0644, 170 }, 171 }, 172 { // try removing victim directory (symlink) 173 { 174 Name: "loophole-victim", 175 Typeflag: tar.TypeSymlink, 176 Linkname: "../victim", 177 Mode: 0755, 178 }, 179 { 180 Name: "loophole-victim", 181 Typeflag: tar.TypeReg, 182 Mode: 0644, 183 }, 184 }, 185 } { 186 if err := testBreakout("applylayer", "docker-TestApplyLayerInvalidSymlink", headers); err != nil { 187 t.Fatalf("i=%d. %v", i, err) 188 } 189 } 190 }