New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Kubectl copy doesn't check for paths outside of it's destination directory. #61297

Closed
brendandburns opened this Issue Mar 16, 2018 · 5 comments

Comments

Projects
None yet
9 participants
@brendandburns
Copy link
Contributor

brendandburns commented Mar 16, 2018

Is this a BUG REPORT or FEATURE REQUEST?: Bug

/kind bug

What happened:
kubectl cp :/some/remote/dir /some/local/dir

If the container returns a malformed tarfile with paths like:

'/some/remote/dir/../../../../tmp/foo' kubectl writes this to /tmp/foo instead of /some/local/dir/tmp/foo

What you expected to happen:

I expect kubectl to clean up the path and write to /some/local/dir/tmp/foo

Notes
Original credit to @hansmi (Michael Hanselmann) for originally reporting the bug.

Tracked as CVE-2018-1002100

@dims

This comment has been minimized.

Copy link
Member

dims commented Mar 17, 2018

/milestone v1.10

(match PR being marked v1.10)

@k8s-merge-robot

This comment has been minimized.

Copy link
Contributor

k8s-merge-robot commented Mar 18, 2018

[MILESTONENOTIFIER] Milestone Issue Needs Approval

@brendandburns @kubernetes/sig-cli-misc

Action required: This issue must have the status/approved-for-milestone label applied by a SIG maintainer.

Issue Labels
  • sig/cli: Issue will be escalated to these SIGs if needed.
  • priority/critical-urgent: Never automatically move issue out of a release milestone; continually escalate to contributor and SIG through all available channels.
  • kind/bug: Fixes a bug discovered during the current release.
Help
@jdumars

This comment has been minimized.

Copy link
Member

jdumars commented Mar 18, 2018

@soltysh @pwittrock @adohe PTAL ~ if this is 1.10 blocking, please add the approved-for-milestone label

k8s-merge-robot added a commit that referenced this issue Mar 18, 2018

Merge pull request #61298 from brendandburns/kubectl
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Fix a bug where malformed paths don't get written to the destination dir

Fixes #61297

@liggitt @hansmi @cjcullen @jessfraz
@xingxingxia

This comment has been minimized.

Copy link

xingxingxia commented May 2, 2018

What happened:
kubectl cp :/some/remote/dir /some/local/dir
If the container returns a malformed tarfile with paths like:
'/some/remote/dir/../../../../tmp/foo' kubectl writes this to /tmp/foo instead of /some/local/dir/tmp/foo

@brendandburns hi, tried to figure out the steps that can reproduce the issue but didn't figure out [1]. I didn't understand what is (and how to prepare) container returns a malformed tarfile with paths like '/some/remote/dir/../../../../tmp/foo'. Could you give more detail for me to reproduce? Thx
[1] the steps I tried:

$ kubectl exec ruby-ex-1-qnq2n -- ls -d /opt/app-root/src
/opt/app-root/src
$ kubectl exec ruby-ex-1-qnq2n -- mkdir -p /tmp/pod-dir1 
$ kubectl exec ruby-ex-1-qnq2n -- touch /tmp/pod-dir1/a.txt 
$ mkdir -p mydir1/mydir2
$ kubectl cp ruby-ex-1-qnq2n:/opt/app-root/src/../../../tmp/pod-dir1 mydir1/mydir2/  # please correct me if my understanding is wrong
$ ls mydir1/mydir2/
a.txt
@hansmi

This comment has been minimized.

Copy link

hansmi commented May 2, 2018

@xingxingxia Red Hat's OpenShift product was also affected by this and comparable issues. I'll be publishing the proof-of-concept code at https://hansmi.ch/articles/2018-04-openshift-s2i-security on May 4, 2018.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment