
genpolicy: block all relative paths for copyFile requests #166

Merged: 2 commits merged into msft-main from saulparedes/block_all_relative_paths, Mar 21, 2024

Conversation

@Redent0r Redent0r commented Mar 19, 2024

Merge Checklist
  • Followed patch format from upstream recommendation: https://github.com/kata-containers/community/blob/main/CONTRIBUTING.md#patch-format
    • Included a single commit in a given PR - at least unless there are related commits and each makes sense as a change on its own.
  • Aware about the PR to be merged using "create a merge commit" rather than "squash and merge" (or similar)
  • genPolicy only: Ensured the tool still builds on Windows
  • genPolicy only: Updated sample YAMLs' policy annotations, if applicable
  • The upstream-missing label (or upstream-not-needed) has been set on the PR.
Summary

This PR tightens the policy implementation with regards to directory traversal by prohibiting symlink sources that contain `..`.
It's worth noting this fix has been added to check_directory_traversals, which is used by 2 code paths:

Test Methodology

Tested locally using https://github.com/kata-containers/kata-containers/blob/main/src/tools/agent-ctl/README.md#examples.

Was able to see before this change how we can specify a copy file request with a symlink source pointing to `..`

Was able to see after this change how specifying a copy file request gets blocked
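The check the PR describes is a lexical one: a copy-file request is rejected when its path, or the target of a symlink it creates, is relative or contains a `..` component, so the request cannot escape the directory the policy meant it to write into. The Rust below is an added illustration written for this page; it is not genpolicy's `check_directory_traversals` nor the kata agent's `CopyFileRequest`, and the struct fields, the `is_symlink` flag and the convention that a symlink's target travels in `data` are assumptions made for the example.

```rust
use std::path::{Component, Path};

/// Simplified model of a copy-file request (constructed for this example; the
/// field names are assumptions, not the agent's protobuf definition).
/// For a symlink, `data` is assumed to carry the link target.
#[derive(Debug)]
pub struct CopyFileRequest {
    pub path: String,
    pub is_symlink: bool,
    pub data: Vec<u8>,
}

#[derive(Debug, PartialEq)]
pub enum Rejection {
    NotAbsolute,
    ParentDirComponent,
    InvalidUtf8,
}

/// Reject any path that is relative or contains a `..` component.
/// The check is purely lexical (no filesystem access): it inspects the
/// components the path is made of, so `/a/./../b` is caught just like `/a/../b`
/// because `Path::components` keeps `..` while collapsing `.` and empty parts.
/// Guest paths are Linux paths, so "absolute" is tested on the leading '/',
/// which keeps the behaviour identical when the tool runs on Windows.
pub fn check_directory_traversal(path: &str) -> Result<(), Rejection> {
    if !path.starts_with('/') {
        return Err(Rejection::NotAbsolute);
    }
    for component in Path::new(path).components() {
        if component == Component::ParentDir {
            return Err(Rejection::ParentDirComponent);
        }
    }
    Ok(())
}

/// Apply the traversal check to the request's own path and, for a symlink,
/// to the link target as well: a symlink named safely but pointing at `..`
/// would otherwise let later writes through the link escape the tree.
pub fn check_copy_file_request(req: &CopyFileRequest) -> Result<(), Rejection> {
    check_directory_traversal(&req.path)?;
    if req.is_symlink {
        let target = std::str::from_utf8(&req.data).map_err(|_| Rejection::InvalidUtf8)?;
        check_directory_traversal(target)?;
    }
    Ok(())
}

fn main() {
    // Constructed sample requests: one well-formed symlink, one whose target
    // is the relative path `..` (the case the PR description mentions).
    let samples = [
        CopyFileRequest {
            path: "/run/kata-containers/link".to_string(),
            is_symlink: true,
            data: b"/run/kata-containers/target".to_vec(),
        },
        CopyFileRequest {
            path: "/run/kata-containers/link".to_string(),
            is_symlink: true,
            data: b"..".to_vec(),
        },
    ];
    for req in &samples {
        println!("{:?} -> {:?}", req.path, check_copy_file_request(req));
    }
}
```

Because the check is lexical, it is applied before any filesystem operation and does not depend on what already exists in the guest; a regular (non-symlink) file's `data` is content and is left alone.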

@Redent0r Redent0r force-pushed the saulparedes/block_all_relative_paths branch from 99ae275 to 3541346 on March 19, 2024 17:31
@Redent0r Redent0r added the upstream/missing PRs that are yet to be upstreamed label Mar 19, 2024
@Redent0r Redent0r force-pushed the saulparedes/block_all_relative_paths branch from 3541346 to 639c591 on March 21, 2024 18:30
@Redent0r Redent0r marked this pull request as ready for review March 21, 2024 18:31
@Redent0r Redent0r requested review from a team as code owners March 21, 2024 18:31
@Redent0r Redent0r merged commit 2659e6a into msft-main Mar 21, 2024
82 of 102 checks passed
@Redent0r Redent0r deleted the saulparedes/block_all_relative_paths branch March 21, 2024 20:43
@Redent0r Redent0r added upstream/merged PRs that have been merged upstream and removed upstream/missing PRs that are yet to be upstreamed labels Sep 3, 2024