Skip to content

[release-1.27] Properly validate cache IDs and sources #5797

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Oct 24, 2024
Merged

[release-1.27] Properly validate cache IDs and sources #5797

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
92015ee
Properly validate cache IDs and sources
mheon Oct 9, 2024
cd0e6c7
[release-1.27] Bump to 1.27.5
dashea Oct 24, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,10 @@

# Changelog

## v1.27.5 (2024-10-24)

Properly validate cache IDs and sources

## v1.27.4 (2024-03-26)

[release-1.27] Bump Bump google.golang.org/protobuf to v1.33.0
Expand Down
3 changes: 3 additions & 0 deletions changelog.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,6 @@
- Changelog for v1.27.5 (2024-10-24)
* Properly validate cache IDs and sources

- Changelog for v1.27.4 (2024-03-26)
* [release-1.27] Bump Bump google.golang.org/protobuf to v1.33.0
* [release-1.27] conformance tests: don't break on trailing zeroes
Expand Down
2 changes: 1 addition & 1 deletion define/types.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,7 @@ const (
Package = "buildah"
// Version for the Package. Bump version in contrib/rpm/buildah.spec
// too.
Version = "1.27.4"
Version = "1.27.5"

// DefaultRuntime if containers.conf fails.
DefaultRuntime = "runc"
Expand Down
15 changes: 12 additions & 3 deletions internal/parse/parse.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@ import (
"github.com/containers/storage"
"github.com/containers/storage/pkg/idtools"
"github.com/containers/storage/pkg/lockfile"
digest "github.com/opencontainers/go-digest"
specs "github.com/opencontainers/runtime-spec/specs-go"
)

Expand Down Expand Up @@ -306,7 +307,11 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
return newMount, lockedTargets, fmt.Errorf("no stage found with name %s", fromStage)
}
// path should be /contextDir/specified path
newMount.Source = filepath.Join(mountPoint, filepath.Clean(string(filepath.Separator)+newMount.Source))
evaluated, err := copier.Eval(mountPoint, string(filepath.Separator)+newMount.Source, copier.EvalOptions{})
if err != nil {
return newMount, nil, err
}
newMount.Source = evaluated
} else {
// we need to create cache on host if no image is being used

Expand All @@ -323,9 +328,13 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
}

if id != "" {
newMount.Source = filepath.Join(cacheParent, filepath.Clean(id))
// Don't let the user control where we place the directory.
dirID := digest.FromString(id).Encoded()[:16]
newMount.Source = filepath.Join(cacheParent, dirID)
} else {
newMount.Source = filepath.Join(cacheParent, filepath.Clean(newMount.Destination))
// Don't let the user control where we place the directory.
dirID := digest.FromString(newMount.Destination).Encoded()[:16]
newMount.Source = filepath.Join(cacheParent, dirID)
}
idPair := idtools.IDPair{
UID: uid,
Expand Down
41 changes: 41 additions & 0 deletions tests/bud.bats
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5236,3 +5236,44 @@ _EOF
assert "$status" -eq 2 "exit code from ls"
expect_output --substring "No such file or directory"
}

@test "build-check-cve-2024-9675" {
_prefetch alpine

# SELinux can successfully block this exploit.
if ! which selinuxenabled > /dev/null 2> /dev/null ; then
searg=""
elif selinuxenabled ; then
searg="--security-opt=label=disable"
fi

touch ${TEST_SCRATCH_DIR}/file.txt

cat > ${TEST_SCRATCH_DIR}/Containerfile <<EOF
FROM alpine
RUN --mount=type=cache,id=../../../../../../../../../../../$TEST_SCRATCH_DIR,target=/var/tmp \
ls -l /var/tmp && cat /var/tmp/file.txt
EOF

run_buildah 1 build --no-cache $searg ${TEST_SCRATCH_DIR}
expect_output --substring "cat: can't open '/var/tmp/file.txt': No such file or directory"

cat > ${TEST_SCRATCH_DIR}/Containerfile <<EOF
FROM alpine
RUN --mount=type=cache,source=../../../../../../../../../../../$TEST_SCRATCH_DIR,target=/var/tmp \
ls -l /var/tmp && cat /var/tmp/file.txt
EOF

run_buildah 1 build --no-cache $searg ${TEST_SCRATCH_DIR}
expect_output --substring "cat: can't open '/var/tmp/file.txt': No such file or directory"

mkdir ${TEST_SCRATCH_DIR}/cve20249675
cat > ${TEST_SCRATCH_DIR}/cve20249675/Containerfile <<EOF
FROM alpine
RUN --mount=type=cache,from=testbuild,source=../,target=/var/tmp \
ls -l /var/tmp && cat /var/tmp/file.txt
EOF

run_buildah 1 build --no-cache $searg --build-context testbuild=${TEST_SCRATCH_DIR}/cve20249675/ ${TEST_SCRATCH_DIR}/cve20249675/
expect_output --substring "cat: can't open '/var/tmp/file.txt': No such file or directory"
}
Loading