root
/
buildah
mirror of https://github.com/containers/buildah.git
1
0
Fork 0
Code Issues Actions 3 Packages Projects Releases Wiki Activity

CVE-2024-9407: validate "bind-propagation" flag settings 

CVE-2024-9407: validate that the value for the "bind-propagation" flag
when handling "bind" and "cache" mounts in `buildah run` or in RUN
instructions is one of the values that we would accept without the
"bind-propagation=" prefix.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
This commit is contained in:
Nalin Dahyabhai 2024-10-01 11:01:45 -04:00
parent 4aeddcc80d
commit 732f770648
2 changed files with 37 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
internal/volumes/volumes.go
View File

@ -104,6 +104,12 @@ func GetBindMount(ctx *types.SystemContext, args []string, contextDir string, st
if !hasArgValue {
return newMount, "", fmt.Errorf("%v: %w", argName, errBadOptionArg)
}
switch argValue {
default:
return newMount, "", fmt.Errorf("%v: %q: %w", argName, argValue, errBadMntOption)
case "shared", "rshared", "private", "rprivate", "slave", "rslave":
// this should be the relevant parts of the same list of options we accepted above
}
newMount.Options = append(newMount.Options, argValue)
case "src", "source":
if !hasArgValue {
@ -276,6 +282,12 @@ func GetCacheMount(args []string, _ storage.Store, _ string, additionalMountPoin
if !hasArgValue {
return newMount, nil, fmt.Errorf("%v: %w", argName, errBadOptionArg)
}
switch argValue {
default:
return newMount, nil, fmt.Errorf("%v: %q: %w", argName, argValue, errBadMntOption)
case "shared", "rshared", "private", "rprivate", "slave", "rslave":
// this should be the relevant parts of the same list of options we accepted above
}
newMount.Options = append(newMount.Options, argValue)
case "id":
if !hasArgValue {

25
tests/bud.bats
View File

@ -6946,3 +6946,28 @@ _EOF
run_buildah run testctr -- sh -c 'cd podman-tag && git ls-remote --tags origin v5.0.0^{} | cut -f1'
assert "$output" = "$local_head_hash"
}
@test "build-validates-bind-bind-propagation" {
_prefetch alpine
cat > ${TEST_SCRATCH_DIR}/Containerfile << _EOF
FROM alpine as base
FROM alpine
RUN --mount=type=bind,from=base,source=/,destination=/var/empty,rw,bind-propagation=suid pwd
_EOF
run_buildah 125 build $WITH_POLICY_JSON ${TEST_SCRATCH_DIR}
expect_output --substring "invalid mount option"
}
@test "build-validates-cache-bind-propagation" {
_prefetch alpine
cat > ${TEST_SCRATCH_DIR}/Containerfile << _EOF
FROM alpine
RUN --mount=type=cache,destination=/var/empty,rw,bind-propagation=suid pwd
_EOF
run_buildah 125 build $WITH_POLICY_JSON ${TEST_SCRATCH_DIR}
expect_output --substring "invalid mount option"
}