Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

status: validate container id #1647

Merged
merged 4 commits into from
Jan 29, 2025
Merged

status: validate container id #1647

merged 4 commits into from
Jan 29, 2025

Conversation

giuseppe
Copy link
Member

check that the container name does not contain any slash so that operations in status.c won't risk to access directories/files outside of the run directory.

Beside, it is not a security issue because if a directory exists, crun refuses to use it; and if it does not exist then it is created and immediately deleted because the container creation fails.

Play safe and do not allow any slash in the container name.

Closes: #1646

@giuseppe giuseppe force-pushed the status-validate-container-id branch 3 times, most recently from cc8ca92 to 564dd37 Compare January 28, 2025 12:21
@siteshwar
Copy link

You may want to have a quick look at the OpenScanHub report, although all of them may be false positives.

@giuseppe
Copy link
Member Author

You may want to have a quick look at the OpenScanHub report, although all of them may be false positives.

thanks for the ping, yes they indeed look like false positives. Scanners are not very good at dealing with the cleanup compiler attribute

@giuseppe
status: report errors from libcrun_get_state_directory
873db60 
Signed-off-by: Giuseppe Scrivano <[email protected]>
@giuseppe
status: report errors from get_run_directory
30d22ba 
Signed-off-by: Giuseppe Scrivano <[email protected]>
@giuseppe
status: report errors from get_state_directory_status_file
73bcfab 
Signed-off-by: Giuseppe Scrivano <[email protected]>
@giuseppe
status: validate container id
432a66d 
check that the container name does not contain any slash so that
operations in status.c won't risk to access directories/files outside
of the run directory.

Beside, it is not a security issue because if a directory exists, crun
refuses to use it; and if it does not exist then it is created and
immediately deleted because the container creation fails.

Play safe and do not allow any slash in the container name.

Closes: containers#1646

Signed-off-by: Giuseppe Scrivano <[email protected]>
@giuseppe giuseppe force-pushed the status-validate-container-id branch from 564dd37 to 432a66d Compare January 29, 2025 11:26
@giuseppe
Copy link
Member Author

@flouthoc PTAL

flouthoc
flouthoc approved these changes Jan 29, 2025
View reviewed changes
Copy link
Collaborator

@flouthoc flouthoc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@flouthoc flouthoc merged commit 801d6e8 into containers:main Jan 29, 2025
44 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@flouthoc flouthoc flouthoc approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

sanitize container name before using it
3 participants
@giuseppe @siteshwar @flouthoc