github.com/rumpl/bof@v23.0.0-rc.2+incompatible/pkg/chrootarchive/archive_unix_test.go (about) 1 //go:build !windows 2 // +build !windows 3 4 package chrootarchive 5 6 import ( 7 gotar "archive/tar" 8 "bytes" 9 "io" 10 "os" 11 "path" 12 "path/filepath" 13 "strings" 14 "testing" 15 16 "github.com/docker/docker/pkg/archive" 17 "golang.org/x/sys/unix" 18 "gotest.tools/v3/assert" 19 "gotest.tools/v3/skip" 20 ) 21 22 // Test for CVE-2018-15664 23 // Assures that in the case where an "attacker" controlled path is a symlink to 24 // some path outside of a container's rootfs that we do not copy data to a 25 // container path that will actually overwrite data on the host 26 func TestUntarWithMaliciousSymlinks(t *testing.T) { 27 skip.If(t, os.Getuid() != 0, "skipping test that requires root") 28 dir, err := os.MkdirTemp("", t.Name()) 29 assert.NilError(t, err) 30 defer os.RemoveAll(dir) 31 32 root := filepath.Join(dir, "root") 33 34 err = os.MkdirAll(root, 0755) 35 assert.NilError(t, err) 36 37 // Add a file into a directory above root 38 // Ensure that we can't access this file while tarring. 39 err = os.WriteFile(filepath.Join(dir, "host-file"), []byte("I am a host file"), 0644) 40 assert.NilError(t, err) 41 42 // Create some data which which will be copied into the "container" root into 43 // the symlinked path. 44 // Before this change, the copy would overwrite the "host" content. 45 // With this change it should not. 46 data := filepath.Join(dir, "data") 47 err = os.MkdirAll(data, 0755) 48 assert.NilError(t, err) 49 err = os.WriteFile(filepath.Join(data, "local-file"), []byte("pwn3d"), 0644) 50 assert.NilError(t, err) 51 52 safe := filepath.Join(root, "safe") 53 err = unix.Symlink(dir, safe) 54 assert.NilError(t, err) 55 56 rdr, err := archive.TarWithOptions(data, &archive.TarOptions{IncludeFiles: []string{"local-file"}, RebaseNames: map[string]string{"local-file": "host-file"}}) 57 assert.NilError(t, err) 58 59 // Use tee to test both the good case and the bad case w/o recreating the archive 60 bufRdr := bytes.NewBuffer(nil) 61 tee := io.TeeReader(rdr, bufRdr) 62 63 err = UntarWithRoot(tee, safe, nil, root) 64 assert.Assert(t, err != nil) 65 assert.ErrorContains(t, err, "open /safe/host-file: no such file or directory") 66 67 // Make sure the "host" file is still in tact 68 // Before the fix the host file would be overwritten 69 hostData, err := os.ReadFile(filepath.Join(dir, "host-file")) 70 assert.NilError(t, err) 71 assert.Equal(t, string(hostData), "I am a host file") 72 73 // Now test by chrooting to an attacker controlled path 74 // This should succeed as is and overwrite a "host" file 75 // Note that this would be a mis-use of this function. 76 err = UntarWithRoot(bufRdr, safe, nil, safe) 77 assert.NilError(t, err) 78 79 hostData, err = os.ReadFile(filepath.Join(dir, "host-file")) 80 assert.NilError(t, err) 81 assert.Equal(t, string(hostData), "pwn3d") 82 } 83 84 // Test for CVE-2018-15664 85 // Assures that in the case where an "attacker" controlled path is a symlink to 86 // some path outside of a container's rootfs that we do not unwittingly leak 87 // host data into the archive. 88 func TestTarWithMaliciousSymlinks(t *testing.T) { 89 skip.If(t, os.Getuid() != 0, "skipping test that requires root") 90 dir, err := os.MkdirTemp("", t.Name()) 91 assert.NilError(t, err) 92 // defer os.RemoveAll(dir) 93 t.Log(dir) 94 95 root := filepath.Join(dir, "root") 96 97 err = os.MkdirAll(root, 0755) 98 assert.NilError(t, err) 99 100 hostFileData := []byte("I am a host file") 101 102 // Add a file into a directory above root 103 // Ensure that we can't access this file while tarring. 104 err = os.WriteFile(filepath.Join(dir, "host-file"), hostFileData, 0644) 105 assert.NilError(t, err) 106 107 safe := filepath.Join(root, "safe") 108 err = unix.Symlink(dir, safe) 109 assert.NilError(t, err) 110 111 data := filepath.Join(dir, "data") 112 err = os.MkdirAll(data, 0755) 113 assert.NilError(t, err) 114 115 type testCase struct { 116 p string 117 includes []string 118 } 119 120 cases := []testCase{ 121 {p: safe, includes: []string{"host-file"}}, 122 {p: safe + "/", includes: []string{"host-file"}}, 123 {p: safe, includes: nil}, 124 {p: safe + "/", includes: nil}, 125 {p: root, includes: []string{"safe/host-file"}}, 126 {p: root, includes: []string{"/safe/host-file"}}, 127 {p: root, includes: nil}, 128 } 129 130 maxBytes := len(hostFileData) 131 132 for _, tc := range cases { 133 t.Run(path.Join(tc.p+"_"+strings.Join(tc.includes, "_")), func(t *testing.T) { 134 // Here if we use archive.TarWithOptions directly or change the "root" parameter 135 // to be the same as "safe", data from the host will be leaked into the archive 136 var opts *archive.TarOptions 137 if tc.includes != nil { 138 opts = &archive.TarOptions{ 139 IncludeFiles: tc.includes, 140 } 141 } 142 rdr, err := Tar(tc.p, opts, root) 143 assert.NilError(t, err) 144 defer rdr.Close() 145 146 tr := gotar.NewReader(rdr) 147 assert.Assert(t, !isDataInTar(t, tr, hostFileData, int64(maxBytes)), "host data leaked to archive") 148 }) 149 } 150 } 151 152 func isDataInTar(t *testing.T, tr *gotar.Reader, compare []byte, maxBytes int64) bool { 153 for { 154 h, err := tr.Next() 155 if err == io.EOF { 156 break 157 } 158 assert.NilError(t, err) 159 160 if h.Size == 0 { 161 continue 162 } 163 assert.Assert(t, h.Size <= maxBytes, "%s: file size exceeds max expected size %d: %d", h.Name, maxBytes, h.Size) 164 165 data := make([]byte, int(h.Size)) 166 _, err = io.ReadFull(tr, data) 167 assert.NilError(t, err) 168 if bytes.Contains(data, compare) { 169 return true 170 } 171 } 172 173 return false 174 }