Fix CVE-2024-41110 in moby-engine (#9953)
This commit is contained in:
Rohit Rawat
GitHub
Родитель
90c6588d48
Коммит
f94a924668
|
|
@ -0,0 +1,199 @@
|
|||
From 0626c6db97b2cb3fc15bd3c5f2ade377fc8e9471 Mon Sep 17 00:00:00 2001
|
||||
From: Rohit Rawat <xordux@gmail.com>
|
||||
Date: Tue, 30 Jul 2024 10:20:38 +0000
|
||||
Subject: [PATCH] CVE-2024-41110 Authz plugin security fixes for 0-length
|
||||
content and path validation Signed-off-by: Jameson Hyde
|
||||
<jameson.hyde@docker.com>
|
||||
|
||||
---
|
||||
pkg/authorization/authz.go | 38 +++++++++++--
|
||||
pkg/authorization/authz_unix_test.go | 84 +++++++++++++++++++++++++++-
|
||||
2 files changed, 115 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/pkg/authorization/authz.go b/pkg/authorization/authz.go
|
||||
index 1eb4431..d568a2b 100644
|
||||
--- a/pkg/authorization/authz.go
|
||||
+++ b/pkg/authorization/authz.go
|
||||
@@ -8,6 +8,8 @@ import (
|
||||
"io"
|
||||
"mime"
|
||||
"net/http"
|
||||
+ "net/url"
|
||||
+ "regexp"
|
||||
"strings"
|
||||
|
||||
"github.com/containerd/log"
|
||||
@@ -53,10 +55,23 @@ type Ctx struct {
|
||||
authReq *Request
|
||||
}
|
||||
|
||||
+func isChunked(r *http.Request) bool {
|
||||
+ // RFC 7230 specifies that content length is to be ignored if Transfer-Encoding is chunked
|
||||
+ if strings.EqualFold(r.Header.Get("Transfer-Encoding"), "chunked") {
|
||||
+ return true
|
||||
+ }
|
||||
+ for _, v := range r.TransferEncoding {
|
||||
+ if strings.EqualFold(v, "chunked") {
|
||||
+ return true
|
||||
+ }
|
||||
+ }
|
||||
+ return false
|
||||
+}
|
||||
+
|
||||
// AuthZRequest authorized the request to the docker daemon using authZ plugins
|
||||
func (ctx *Ctx) AuthZRequest(w http.ResponseWriter, r *http.Request) error {
|
||||
var body []byte
|
||||
- if sendBody(ctx.requestURI, r.Header) && r.ContentLength > 0 && r.ContentLength < maxBodySize {
|
||||
+ if sendBody(ctx.requestURI, r.Header) && (r.ContentLength > 0 || isChunked(r)) && r.ContentLength < maxBodySize {
|
||||
var err error
|
||||
body, r.Body, err = drainBody(r.Body)
|
||||
if err != nil {
|
||||
@@ -109,7 +124,6 @@ func (ctx *Ctx) AuthZResponse(rm ResponseModifier, r *http.Request) error {
|
||||
if sendBody(ctx.requestURI, rm.Header()) {
|
||||
ctx.authReq.ResponseBody = rm.RawBody()
|
||||
}
|
||||
-
|
||||
for _, plugin := range ctx.plugins {
|
||||
log.G(context.TODO()).Debugf("AuthZ response using plugin %s", plugin.Name())
|
||||
|
||||
@@ -147,10 +161,26 @@ func drainBody(body io.ReadCloser) ([]byte, io.ReadCloser, error) {
|
||||
return nil, newBody, err
|
||||
}
|
||||
|
||||
+func isAuthEndpoint(urlPath string) (bool, error) {
|
||||
+ // eg www.test.com/v1.24/auth/optional?optional1=something&optional2=something (version optional)
|
||||
+ matched, err := regexp.MatchString(`^[^\/]*\/(v\d[\d\.]*\/)?auth.*`, urlPath)
|
||||
+ if err != nil {
|
||||
+ return false, err
|
||||
+ }
|
||||
+ return matched, nil
|
||||
+}
|
||||
+
|
||||
// sendBody returns true when request/response body should be sent to AuthZPlugin
|
||||
-func sendBody(url string, header http.Header) bool {
|
||||
+func sendBody(inURL string, header http.Header) bool {
|
||||
+ u, err := url.Parse(inURL)
|
||||
+ // Assume no if the URL cannot be parsed - an empty request will still be forwarded to the plugin and should be rejected
|
||||
+ if err != nil {
|
||||
+ return false
|
||||
+ }
|
||||
+
|
||||
// Skip body for auth endpoint
|
||||
- if strings.HasSuffix(url, "/auth") {
|
||||
+ isAuth, err := isAuthEndpoint(u.Path)
|
||||
+ if isAuth || err != nil {
|
||||
return false
|
||||
}
|
||||
|
||||
diff --git a/pkg/authorization/authz_unix_test.go b/pkg/authorization/authz_unix_test.go
|
||||
index c9b18d9..66b4d20 100644
|
||||
--- a/pkg/authorization/authz_unix_test.go
|
||||
+++ b/pkg/authorization/authz_unix_test.go
|
||||
@@ -174,8 +174,8 @@ func TestDrainBody(t *testing.T) {
|
||||
|
||||
func TestSendBody(t *testing.T) {
|
||||
var (
|
||||
- url = "nothing.com"
|
||||
testcases = []struct {
|
||||
+ url string
|
||||
contentType string
|
||||
expected bool
|
||||
}{
|
||||
@@ -219,15 +219,93 @@ func TestSendBody(t *testing.T) {
|
||||
contentType: "",
|
||||
expected: false,
|
||||
},
|
||||
+ {
|
||||
+ url: "nothing.com/auth",
|
||||
+ contentType: "",
|
||||
+ expected: false,
|
||||
+ },
|
||||
+ {
|
||||
+ url: "nothing.com/auth",
|
||||
+ contentType: "application/json;charset=UTF8",
|
||||
+ expected: false,
|
||||
+ },
|
||||
+ {
|
||||
+ url: "nothing.com/auth?p1=test",
|
||||
+ contentType: "application/json;charset=UTF8",
|
||||
+ expected: false,
|
||||
+ },
|
||||
+ {
|
||||
+ url: "nothing.com/test?p1=/auth",
|
||||
+ contentType: "application/json;charset=UTF8",
|
||||
+ expected: true,
|
||||
+ },
|
||||
+ {
|
||||
+ url: "nothing.com/something/auth",
|
||||
+ contentType: "application/json;charset=UTF8",
|
||||
+ expected: true,
|
||||
+ },
|
||||
+ {
|
||||
+ url: "nothing.com/auth/test",
|
||||
+ contentType: "application/json;charset=UTF8",
|
||||
+ expected: false,
|
||||
+ },
|
||||
+ {
|
||||
+ url: "nothing.com/v1.24/auth/test",
|
||||
+ contentType: "application/json;charset=UTF8",
|
||||
+ expected: false,
|
||||
+ },
|
||||
+ {
|
||||
+ url: "nothing.com/v1/auth/test",
|
||||
+ contentType: "application/json;charset=UTF8",
|
||||
+ expected: false,
|
||||
+ },
|
||||
+ {
|
||||
+ url: "www.nothing.com/v1.24/auth/test",
|
||||
+ contentType: "application/json;charset=UTF8",
|
||||
+ expected: false,
|
||||
+ },
|
||||
+ {
|
||||
+ url: "https://www.nothing.com/v1.24/auth/test",
|
||||
+ contentType: "application/json;charset=UTF8",
|
||||
+ expected: false,
|
||||
+ },
|
||||
+ {
|
||||
+ url: "http://nothing.com/v1.24/auth/test",
|
||||
+ contentType: "application/json;charset=UTF8",
|
||||
+ expected: false,
|
||||
+ },
|
||||
+ {
|
||||
+ url: "www.nothing.com/test?p1=/auth",
|
||||
+ contentType: "application/json;charset=UTF8",
|
||||
+ expected: true,
|
||||
+ },
|
||||
+ {
|
||||
+ url: "http://www.nothing.com/test?p1=/auth",
|
||||
+ contentType: "application/json;charset=UTF8",
|
||||
+ expected: true,
|
||||
+ },
|
||||
+ {
|
||||
+ url: "www.nothing.com/something/auth",
|
||||
+ contentType: "application/json;charset=UTF8",
|
||||
+ expected: true,
|
||||
+ },
|
||||
+ {
|
||||
+ url: "https://www.nothing.com/something/auth",
|
||||
+ contentType: "application/json;charset=UTF8",
|
||||
+ expected: true,
|
||||
+ },
|
||||
}
|
||||
)
|
||||
|
||||
for _, testcase := range testcases {
|
||||
header := http.Header{}
|
||||
header.Set("Content-Type", testcase.contentType)
|
||||
+ if testcase.url == "" {
|
||||
+ testcase.url = "nothing.com"
|
||||
+ }
|
||||
|
||||
- if b := sendBody(url, header); b != testcase.expected {
|
||||
- t.Fatalf("Unexpected Content-Type; Expected: %t, Actual: %t", testcase.expected, b)
|
||||
+ if b := sendBody(testcase.url, header); b != testcase.expected {
|
||||
+ t.Fatalf("sendBody failed: url: %s, content-type: %s; Expected: %t, Actual: %t", testcase.url, testcase.contentType, testcase.expected, b)
|
||||
}
|
||||
}
|
||||
}
|
||||
--
|
||||
2.33.8
|
||||
|
|
@ -3,7 +3,7 @@
|
|||
Summary: The open-source application container engine
|
||||
Name: moby-engine
|
||||
Version: 25.0.3
|
||||
Release: 4%{?dist}
|
||||
Release: 5%{?dist}
|
||||
License: ASL 2.0
|
||||
Group: Tools/Container
|
||||
URL: https://mobyproject.org
|
||||
|
|
@ -16,6 +16,7 @@ Source2: docker.socket
|
|||
|
||||
Patch0: CVE-2022-2879.patch
|
||||
Patch1: enable-docker-proxy-libexec-search.patch
|
||||
Patch2: CVE-2024-41110.patch
|
||||
|
||||
%{?systemd_requires}
|
||||
|
||||
|
|
@ -111,6 +112,9 @@ fi
|
|||
%{_unitdir}/*
|
||||
|
||||
%changelog
|
||||
* Tue Aug 13 2024 Rohit Rawat <rohitrawat@microsoft.com> - 25.0.3-5
|
||||
- Address CVE-2024-41110
|
||||
|
||||
* Fri Aug 09 2024 Henry Beberman <henry.beberman@microsoft.com> - 25.0.3-4
|
||||
- Backport upstream change to search /usr/libexec for docker-proxy without daemon.json
|
||||
|
||||
|
|
|
|||
Загрузка…
Ссылка в новой задаче