Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[1.1 backport] Prohibit /proc and /sys to be symlinks #3785

Merged
merged 1 commit into from Mar 26, 2023
Merged

[1.1 backport] Prohibit /proc and /sys to be symlinks #3785

merged 1 commit into from Mar 26, 2023

Conversation

thaJeztah
Copy link
Member

Commit 3291d66 introduced a check for /proc and /sys, making sure the destination (dest) is a directory (and not e.g. a symlink).

Later, a hunk from commit 0ca91f4 switched from using filepath.Join to SecureJoin for dest. As SecureJoin follows and resolves symlinks, the check whether dest is a symlink no longer works.

To fix, do the check without/before using SecureJoin.

Add integration tests to make sure we won't regress.

(cherry picked from commit 0d72adf)

@kolyshkin @thaJeztah
Prohibit /proc and /sys to be symlinks
0abab45 
Commit 3291d66 introduced a check for /proc and /sys, making sure
the destination (dest) is a directory (and not e.g. a symlink).

Later, a hunk from commit 0ca91f4 switched from using filepath.Join
to SecureJoin for dest. As SecureJoin follows and resolves symlinks,
the check whether dest is a symlink no longer works.

To fix, do the check without/before using SecureJoin.

Add integration tests to make sure we won't regress.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 0d72adf)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
@thaJeztah thaJeztah added this to the 1.1.5 milestone Mar 25, 2023
@thaJeztah thaJeztah added impact/changelog backport/1.1-pr A backport to 1.1.x release. labels Mar 25, 2023
@thaJeztah thaJeztah mentioned this pull request Mar 25, 2023
Merged
@cyphar cyphar merged commit 059d773 into opencontainers:release-1.1 Mar 26, 2023
24 of 25 checks passed
@thaJeztah thaJeztah deleted the 1.1_backport_no_symlinks branch March 26, 2023 12:06
This was referenced Mar 27, 2023
Merged
Closed
@GoVulnBot GoVulnBot mentioned this pull request Mar 29, 2023
Closed
@wagoodman wagoodman mentioned this pull request Oct 24, 2023
Open
This was referenced Oct 31, 2023
Merged
Merged
Merged
@github-actions github-actions bot mentioned this pull request Nov 12, 2023
Merged
1 task
This was referenced Nov 28, 2023
Merged
Merged
Merged
This was referenced Dec 5, 2023
Merged
Merged
Merged
Merged
Merged
This was referenced Dec 20, 2023
Merged
Merged
This was referenced Dec 30, 2023
Merged
Merged
Merged
This was referenced Jan 2, 2024
Merged
Merged
Merged
Merged
This was referenced Jan 16, 2024
Merged
Merged
This was referenced Jan 23, 2024
Merged
Merged
Merged
This was referenced Feb 1, 2024
Merged
Merged
Merged
Merged
This was referenced Mar 16, 2024
Merged
Merged
Merged
@github-actions github-actions bot mentioned this pull request Apr 2, 2024
Merged
1 task
@github-actions github-actions bot mentioned this pull request Apr 18, 2024
Merged
1 task
@github-actions github-actions bot mentioned this pull request May 1, 2024
Merged
1 task
This was referenced May 11, 2024
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cyphar cyphar cyphar approved these changes

@AkihiroSuda AkihiroSuda AkihiroSuda approved these changes

Assignees
No one assigned
Labels
backport/1.1-pr A backport to 1.1.x release. impact/changelog
Projects
None yet
Milestone
1.1.5
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@thaJeztah @cyphar @AkihiroSuda @kolyshkin