pool/docker-stable
SHA256
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
docker-stable/0009-CVE-2024-41110-AuthZ-plugin-securty-fixes.patch
Aleksa Sarai f61acbec84 - Update docker-buildx to v0.19.2. See upstream changelog online at 
<https://github.com/docker/buildx/releases/tag/v0.19.2>.
  Some notable changelogs from the last update:
    * <https://github.com/docker/buildx/releases/tag/v0.19.0>
	* <https://github.com/docker/buildx/releases/tag/v0.18.0>
- Update to Go 1.22.

- Add a new toggle file /etc/docker/suse-secrets-enable which allows users to
  disable the SUSEConnect integration with Docker (which creates special mounts
  in /run/secrets to allow container-suseconnect to authenticate containers
  with registries on registered hosts). bsc#1231348 bsc#1232999
  In order to disable these mounts, just do
    echo 0 > /etc/docker/suse-secrets-enable
  and restart Docker. In order to re-enable them, just do
    echo 1 > /etc/docker/suse-secrets-enable
  and restart Docker. Docker will output information on startup to tell you
  whether the SUSE secrets feature is enabled or not.
  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch

- Add docker-integration-tests-devel subpackage for building and running the
  upstream Docker integration tests on machines to test that Docker works
  properly. Users should not install this package.
- docker-rpmlintrc updated to include allow-list for all of the integration
  tests package, since it contains a bunch of stuff that wouldn't normally be
  allowed.
- Added patches:
  + 0010-TESTS-backport-fixes-for-integration-tests.patch

OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker-stable?expand=0&rev=11
2024-12-11 10:51:10 +00:00

210 lines
6.4 KiB
Diff
Raw Blame History

From 989f5ae4dea1619b7e1d7ec7f9cac8d64b3a2209 Mon Sep 17 00:00:00 2001
From: Jameson Hyde <jameson.hyde@docker.com>
Date: Mon, 26 Nov 2018 14:15:22 -0500
Subject: [PATCH 09/13] CVE-2024-41110: AuthZ plugin securty fixes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This is a backport of the following upstream patches:
* 2ac8a479c53d ("Authz plugin security fixes for 0-length content and path validation")
* 5282cb25d09d ("If url includes scheme, urlPath will drop hostname, which would not match the auth check")
Signed-off-by: Jameson Hyde <jameson.hyde@docker.com>
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
---
pkg/authorization/authz.go | 38 +++++++++++--
pkg/authorization/authz_unix_test.go | 84 +++++++++++++++++++++++++++-
2 files changed, 115 insertions(+), 7 deletions(-)
diff --git a/pkg/authorization/authz.go b/pkg/authorization/authz.go
index 590ac8dddd88..68ed8bbdaf97 100644
--- a/pkg/authorization/authz.go
+++ b/pkg/authorization/authz.go
@@ -7,6 +7,8 @@ import (
"io"
"mime"
"net/http"
+ "net/url"
+ "regexp"
"strings"
"github.com/docker/docker/pkg/ioutils"
@@ -52,10 +54,23 @@ type Ctx struct {
authReq *Request
}
+func isChunked(r *http.Request) bool {
+ // RFC 7230 specifies that content length is to be ignored if Transfer-Encoding is chunked
+ if strings.EqualFold(r.Header.Get("Transfer-Encoding"), "chunked") {
+ return true
+ }
+ for _, v := range r.TransferEncoding {
+ if strings.EqualFold(v, "chunked") {
+ return true
+ }
+ }
+ return false
+}
+
// AuthZRequest authorized the request to the docker daemon using authZ plugins
func (ctx *Ctx) AuthZRequest(w http.ResponseWriter, r *http.Request) error {
var body []byte
- if sendBody(ctx.requestURI, r.Header) && r.ContentLength > 0 && r.ContentLength < maxBodySize {
+ if sendBody(ctx.requestURI, r.Header) && (r.ContentLength > 0 || isChunked(r)) && r.ContentLength < maxBodySize {
var err error
body, r.Body, err = drainBody(r.Body)
if err != nil {
@@ -108,7 +123,6 @@ func (ctx *Ctx) AuthZResponse(rm ResponseModifier, r *http.Request) error {
if sendBody(ctx.requestURI, rm.Header()) {
ctx.authReq.ResponseBody = rm.RawBody()
}
-
for _, plugin := range ctx.plugins {
logrus.Debugf("AuthZ response using plugin %s", plugin.Name())
@@ -146,10 +160,26 @@ func drainBody(body io.ReadCloser) ([]byte, io.ReadCloser, error) {
return nil, newBody, err
}
+func isAuthEndpoint(urlPath string) (bool, error) {
+ // eg www.test.com/v1.24/auth/optional?optional1=something&optional2=something (version optional)
+ matched, err := regexp.MatchString(`^[^\/]*\/(v\d[\d\.]*\/)?auth.*`, urlPath)
+ if err != nil {
+ return false, err
+ }
+ return matched, nil
+}
+
// sendBody returns true when request/response body should be sent to AuthZPlugin
-func sendBody(url string, header http.Header) bool {
+func sendBody(inURL string, header http.Header) bool {
+ u, err := url.Parse(inURL)
+ // Assume no if the URL cannot be parsed - an empty request will still be forwarded to the plugin and should be rejected
+ if err != nil {
+ return false
+ }
+
// Skip body for auth endpoint
- if strings.HasSuffix(url, "/auth") {
+ isAuth, err := isAuthEndpoint(u.Path)
+ if isAuth || err != nil {
return false
}
diff --git a/pkg/authorization/authz_unix_test.go b/pkg/authorization/authz_unix_test.go
index 835cb703839b..8bfe44e1a840 100644
--- a/pkg/authorization/authz_unix_test.go
+++ b/pkg/authorization/authz_unix_test.go
@@ -175,8 +175,8 @@ func TestDrainBody(t *testing.T) {
func TestSendBody(t *testing.T) {
var (
- url = "nothing.com"
testcases = []struct {
+ url string
contentType string
expected bool
}{
@@ -220,15 +220,93 @@ func TestSendBody(t *testing.T) {
contentType: "",
expected: false,
},
+ {
+ url: "nothing.com/auth",
+ contentType: "",
+ expected: false,
+ },
+ {
+ url: "nothing.com/auth",
+ contentType: "application/json;charset=UTF8",
+ expected: false,
+ },
+ {
+ url: "nothing.com/auth?p1=test",
+ contentType: "application/json;charset=UTF8",
+ expected: false,
+ },
+ {
+ url: "nothing.com/test?p1=/auth",
+ contentType: "application/json;charset=UTF8",
+ expected: true,
+ },
+ {
+ url: "nothing.com/something/auth",
+ contentType: "application/json;charset=UTF8",
+ expected: true,
+ },
+ {
+ url: "nothing.com/auth/test",
+ contentType: "application/json;charset=UTF8",
+ expected: false,
+ },
+ {
+ url: "nothing.com/v1.24/auth/test",
+ contentType: "application/json;charset=UTF8",
+ expected: false,
+ },
+ {
+ url: "nothing.com/v1/auth/test",
+ contentType: "application/json;charset=UTF8",
+ expected: false,
+ },
+ {
+ url: "www.nothing.com/v1.24/auth/test",
+ contentType: "application/json;charset=UTF8",
+ expected: false,
+ },
+ {
+ url: "https://www.nothing.com/v1.24/auth/test",
+ contentType: "application/json;charset=UTF8",
+ expected: false,
+ },
+ {
+ url: "http://nothing.com/v1.24/auth/test",
+ contentType: "application/json;charset=UTF8",
+ expected: false,
+ },
+ {
+ url: "www.nothing.com/test?p1=/auth",
+ contentType: "application/json;charset=UTF8",
+ expected: true,
+ },
+ {
+ url: "http://www.nothing.com/test?p1=/auth",
+ contentType: "application/json;charset=UTF8",
+ expected: true,
+ },
+ {
+ url: "www.nothing.com/something/auth",
+ contentType: "application/json;charset=UTF8",
+ expected: true,
+ },
+ {
+ url: "https://www.nothing.com/something/auth",
+ contentType: "application/json;charset=UTF8",
+ expected: true,
+ },
}
)
for _, testcase := range testcases {
header := http.Header{}
header.Set("Content-Type", testcase.contentType)
+ if testcase.url == "" {
+ testcase.url = "nothing.com"
+ }
- if b := sendBody(url, header); b != testcase.expected {
- t.Fatalf("Unexpected Content-Type; Expected: %t, Actual: %t", testcase.expected, b)
+ if b := sendBody(testcase.url, header); b != testcase.expected {
+ t.Fatalf("sendBody failed: url: %s, content-type: %s; Expected: %t, Actual: %t", testcase.url, testcase.contentType, testcase.expected, b)
}
}
}
--
2.47.0
Reference in New Issue View Git Blame Copy Permalink