CVE-2024-7387: Prevent Build Inputs "Zip-Slip"
BuildConfig-driven builds allow developers to specify additional `Secrets` and/or `ConfigMaps` whose file contents can be referenced during the build. For `Docker` strategy builds, this is accomplished by copying the file contents of the `Secret` or `ConfigMap` directly to a path within the build's source code using the `cp` Linux command. Previously, an attacker could maliciously craft their source code and build `Secrets` or `ConfigMaps` in such a way that they could overwrite the `cp` command and execute arbitrary code. Due to the way build pods are constructed, these commands then run as root in a privileged container, with full Linux capabilities and `unconfined` Seccomp policy. An attacker can then escalate their privileges through multiple attack vectors - for example, by obtaining the credentials of the host node's kubelet.

This change blocks the primary attack vector by requiring the ultimate destination of the referenced `Secret` or `ConfigMap` to be a child directory of the source code root, thereby preventing the overwrite of the `cp` Linux command. This only applies to builds which use the `Docker` strategy during execution. Builds which use the `Source` or `Custom` build strategy are not affected.

This patch also uses methods that may be considered out of date or deprecated in golang 1.22 or later. This is done deliberately to allow clean cherrypicks to OpenShift 3.11 and other, older versions of OpenShift 4.x.

Signed-off-by: Adam Kaplan <[email protected]>
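The containment rule the commit message describes (the resolved destination must be the source root itself or a directory beneath it), as an added illustration in Go that is not the openshift/builder code: `SafeDestination`, `sourceRoot` and `destDir` are names assumed here, and the sample paths are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideSourceRoot flags a "zip-slip" destination: the resolved path
// would land outside the build's source directory.
var ErrOutsideSourceRoot = errors.New("destination is outside the source root")

// SafeDestination resolves destDir (the directory a build Secret or ConfigMap
// asks to be copied into) against sourceRoot and returns the cleaned absolute
// path only if it is the source root itself or a descendant of it. Hypothetical
// illustration using filepath.Abs/Rel (pre-Go 1.20 API); not the project's code.
func SafeDestination(sourceRoot, destDir string) (string, error) {
	root, err := filepath.Abs(sourceRoot)
	if err != nil {
		return "", err
	}
	// Destinations are relative to the source root by definition, so an
	// absolute path such as "/usr/bin" is rejected outright.
	if filepath.IsAbs(destDir) {
		return "", fmt.Errorf("%w: %q is absolute", ErrOutsideSourceRoot, destDir)
	}
	// Join cleans the result, so "a/../../b" collapses before the check below.
	target := filepath.Join(root, destDir)
	rel, err := filepath.Rel(root, target)
	if err != nil {
		return "", err
	}
	// Rel yields ".." or "../x" when target climbs above root. Testing the first
	// path element, not a raw string prefix, keeps a legitimate "..foo" allowed.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q resolves to %q", ErrOutsideSourceRoot, destDir, target)
	}
	return target, nil
}

func main() {
	// Constructed sample: one in-tree and one escaping destination.
	for _, d := range []string{"config", "../../../usr/bin"} {
		p, err := SafeDestination("/tmp/build/src", d)
		fmt.Printf("%q -> %q, err=%v\n", d, p, err)
	}
}
```

This is a lexical check only: a symlink already inside the source tree can still point elsewhere, so the copy step itself must not follow symlinks at the destination.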
1 parent 739f527, commit 0b62633
Showing 6 changed files with 245 additions and 2 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
Womp womp - you've been pwned! |
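Review bot: the purpose of this fixture is not self-evident from its content, and its path is not visible in the rendered diff; add a short comment in the test that consumes it (or a README beside it) stating which scenario the string `Womp womp - you've been pwned!` stands for (per the commit message, presumably the output of an overwritten `cp`), and have that test assert the marker never appears in the build output once destinations outside the source root are rejected.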
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
Top secret data! | ||
This should be copied into the same directory as the source code. |
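Review bot: the second line of this fixture states the expected behaviour in prose, but the consuming test should assert on the copied file's resolved location (a path under the source root) rather than only on the text `Top secret data!` appearing somewhere, since the CVE is about where the `Secret`/`ConfigMap` lands, not what it contains.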
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
FROM registry.access.redhat.com/ubi9/ubi-minimal:latest | ||
|
||
WORKDIR /opt/app-root/src | ||
|
||
COPY hello.txt hello.txt | ||
|
||
CMD ["cat", "hello.txt"] |
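Review bot: `FROM registry.access.redhat.com/ubi9/ubi-minimal:latest` leaves the test image unpinned, so the fixture can change behaviour or break whenever the upstream tag moves; pin it to a specific tag or an `@sha256:` digest. Also, the Dockerfile only does `COPY hello.txt hello.txt` and never references the secret file, so if the test is meant to show the secret landed beside the source it depends entirely on the builder's own copy step; a `RUN ls` of the work directory or a second `COPY` would make a misplaced file visible in the build itself.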
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
Hello OpenShift! |