Browse code
Restrict checkpoint name to prevent directory traversal
This fix tries to address the issue raised in 28769 where
checkpoint name was not checked before passing to containerd.
As a result, it was possible to use a special checkpoint name
to get outside of the container's directory.
This fix add restriction `[a-zA-Z0-9][a-zA-Z0-9_.-]+` (`RestrictedNamePattern`).
This is the same as container name restriction.
This fix fixes 28769.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Yong Tang authored on 2016/11/24 04:45:35Showing 4 changed files
| ... | ... |
@@ -8,6 +8,12 @@ import ( |
| 8 | 8 |
"path/filepath" |
| 9 | 9 |
|
| 10 | 10 |
"github.com/docker/docker/api/types" |
| 11 |
+ "github.com/docker/docker/utils" |
|
| 12 |
+) |
|
| 13 |
+ |
|
| 14 |
+var ( |
|
| 15 |
+ validCheckpointNameChars = utils.RestrictedNameChars |
|
| 16 |
+ validCheckpointNamePattern = utils.RestrictedNamePattern |
|
| 11 | 17 |
) |
| 12 | 18 |
|
| 13 | 19 |
// CheckpointCreate checkpoints the process running in a container with CRIU |
| ... | ... |
@@ -28,6 +34,10 @@ func (daemon *Daemon) CheckpointCreate(name string, config types.CheckpointCreat |
| 28 | 28 |
checkpointDir = container.CheckpointDir() |
| 29 | 29 |
} |
| 30 | 30 |
|
| 31 |
+ if !validCheckpointNamePattern.MatchString(config.CheckpointID) {
|
|
| 32 |
+ return fmt.Errorf("Invalid checkpoint ID (%s), only %s are allowed", config.CheckpointID, validCheckpointNameChars)
|
|
| 33 |
+ } |
|
| 34 |
+ |
|
| 31 | 35 |
err = daemon.containerd.CreateCheckpoint(container.ID, config.CheckpointID, checkpointDir, config.Exit) |
| 32 | 36 |
if err != nil {
|
| 33 | 37 |
return fmt.Errorf("Cannot checkpoint container %s: %s", name, err)
|
| ... | ... |
@@ -2,6 +2,7 @@ package daemon |
| 2 | 2 |
|
| 3 | 3 |
import ( |
| 4 | 4 |
"fmt" |
| 5 |
+ "strings" |
|
| 5 | 6 |
|
| 6 | 7 |
"github.com/Sirupsen/logrus" |
| 7 | 8 |
"github.com/docker/docker/container" |
| ... | ... |
@@ -58,7 +59,7 @@ func (daemon *Daemon) generateIDAndName(name string) (string, string, error) {
|
| 58 | 58 |
} |
| 59 | 59 |
|
| 60 | 60 |
func (daemon *Daemon) reserveName(id, name string) (string, error) {
|
| 61 |
- if !validContainerNamePattern.MatchString(name) {
|
|
| 61 |
+ if !validContainerNamePattern.MatchString(strings.TrimPrefix(name, "/")) {
|
|
| 62 | 62 |
return "", fmt.Errorf("Invalid container name (%s), only %s are allowed", name, validContainerNameChars)
|
| 63 | 63 |
} |
| 64 | 64 |
if name[0] != '/' {
|
| ... | ... |
@@ -6,7 +6,4 @@ import "regexp" |
| 6 | 6 |
const RestrictedNameChars = `[a-zA-Z0-9][a-zA-Z0-9_.-]` |
| 7 | 7 |
|
| 8 | 8 |
// RestrictedNamePattern is a regular expression to validate names against the collection of restricted characters. |
| 9 |
-var RestrictedNamePattern = regexp.MustCompile(`^/?` + RestrictedNameChars + `+$`) |
|
| 10 |
- |
|
| 11 |
-// RestrictedVolumeNamePattern is a regular expression to validate volume names against the collection of restricted characters. |
|
| 12 |
-var RestrictedVolumeNamePattern = regexp.MustCompile(`^` + RestrictedNameChars + `+$`) |
|
| 9 |
+var RestrictedNamePattern = regexp.MustCompile(`^` + RestrictedNameChars + `+$`) |
| ... | ... |
@@ -36,7 +36,7 @@ var ( |
| 36 | 36 |
// volumeNameRegex ensures the name assigned for the volume is valid. |
| 37 | 37 |
// This name is used to create the bind directory, so we need to avoid characters that |
| 38 | 38 |
// would make the path to escape the root directory. |
| 39 |
- volumeNameRegex = utils.RestrictedVolumeNamePattern |
|
| 39 |
+ volumeNameRegex = utils.RestrictedNamePattern |
|
| 40 | 40 |
) |
| 41 | 41 |
|
| 42 | 42 |
type validationError struct {
|