Merge pull request #2365 from /issues/2283-validate-cidrs

Validate CIDRs in proxy before attaching a container Fixes #2283
weaveworks · Jun 13, 2016 · aca3419 · aca3419
2 parents 47878cf + df5508c
commit aca3419
Showing 1 changed file with 22 additions and 0 deletions.
diff --git a/proxy/proxy.go b/proxy/proxy.go
@@ -20,6 +20,7 @@ import (
 	"github.com/weaveworks/weave/common"
 	weavedocker "github.com/weaveworks/weave/common/docker"
 	weavenet "github.com/weaveworks/weave/net"
+	"github.com/weaveworks/weave/net/address"
 )
 
 const (
@@ -488,6 +489,10 @@ func (proxy *Proxy) attach(containerID string, orDie, killProcess bool) error {
 		return nil
 	}
 	Log.Infof("Attaching container %s with WEAVE_CIDR \"%s\" to weave network", container.ID, strings.Join(cidrs, " "))
+	if err := validateCIDRs(cidrs); err != nil {
+		return err
+	}
+
 	args := []string{"attach"}
 	args = append(args, cidrs...)
 	if !proxy.NoRewriteHosts {
@@ -523,6 +528,23 @@ func callWeaveAttach(container *docker.Container, args []string) error {
 	return nil
 }
 
+func validateCIDRs(cidrs []string) error {
+	for _, cidr := range cidrs {
+		if cidr == "net:default" {
+			continue
+		}
+		for _, prefix := range []string{"ip:", "net:", ""} {
+			if strings.HasPrefix(cidr, prefix) {
+				if _, err := address.ParseCIDR(strings.TrimPrefix(cidr, prefix)); err == nil {
+					break
+				}
+				return fmt.Errorf("invalid WEAVE_CIDR: %s", cidr)
+			}
+		}
+	}
+	return nil
+}
+
 func (proxy *Proxy) weaveCIDRs(networkMode string, env []string) ([]string, error) {
 	if networkMode == "host" || strings.HasPrefix(networkMode, "container:") {
 		return nil, fmt.Errorf("the container has '--net=%s'", networkMode)