Skip to content

[1.1 backport] Prohibit /proc and /sys to be symlinks #3785

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Mar 26, 2023
Merged

[1.1 backport] Prohibit /proc and /sys to be symlinks #3785

merged 1 commit into from
Mar 26, 2023

Conversation

@thaJeztah
Copy link
Member

@thaJeztah thaJeztah commented Mar 25, 2023

Commit 3291d66 introduced a check for /proc and /sys, making sure the destination (dest) is a directory (and not e.g. a symlink).

Later, a hunk from commit 0ca91f4 switched from using filepath.Join to SecureJoin for dest. As SecureJoin follows and resolves symlinks, the check whether dest is a symlink no longer works.

To fix, do the check without/before using SecureJoin.

Add integration tests to make sure we won't regress.

(cherry picked from commit 0d72adf)

@kolyshkin @thaJeztah
Prohibit /proc and /sys to be symlinks
0abab45 
Commit 3291d66 introduced a check for /proc and /sys, making sure
the destination (dest) is a directory (and not e.g. a symlink).

Later, a hunk from commit 0ca91f4 switched from using filepath.Join
to SecureJoin for dest. As SecureJoin follows and resolves symlinks,
the check whether dest is a symlink no longer works.

To fix, do the check without/before using SecureJoin.

Add integration tests to make sure we won't regress.

Signed-off-by: Kir Kolyshkin <[email protected]>
(cherry picked from commit 0d72adf)
Signed-off-by: Sebastiaan van Stijn <[email protected]>
@thaJeztah thaJeztah added this to the 1.1.5 milestone Mar 25, 2023
@thaJeztah thaJeztah added impact/changelog backport/1.1-pr A backport PR to release-1.1 labels Mar 25, 2023
@thaJeztah thaJeztah mentioned this pull request Mar 25, 2023
Merged
@cyphar cyphar merged commit 059d773 into opencontainers:release-1.1 Mar 26, 2023
@thaJeztah thaJeztah deleted the 1.1_backport_no_symlinks branch March 26, 2023 12:06
This was referenced Mar 27, 2023
Merged
Closed
@GoVulnBot GoVulnBot mentioned this pull request Mar 29, 2023
Closed
@wagoodman wagoodman mentioned this pull request Oct 24, 2023
Closed
This was referenced Oct 31, 2023
Merged
Merged
Merged
@github-actions github-actions bot mentioned this pull request Nov 12, 2023
Merged
1 task
This was referenced Nov 28, 2023
Merged
Merged
Merged
This was referenced Dec 5, 2023
Merged
Merged
Merged
Merged
Merged
This was referenced Dec 20, 2023
Merged
Merged
This was referenced Dec 30, 2023
Merged
Merged
Merged
This was referenced Feb 2, 2024
Merged
Merged
This was referenced Mar 16, 2024
Merged
Merged
Merged
@github-actions github-actions bot mentioned this pull request Apr 2, 2024
Merged
1 task
@github-actions github-actions bot mentioned this pull request Apr 18, 2024
Merged
1 task
@github-actions github-actions bot mentioned this pull request May 1, 2024
Merged
1 task
This was referenced May 11, 2024
Merged
Merged
@github-actions github-actions bot mentioned this pull request May 30, 2024
Merged
1 task
This was referenced Jul 10, 2024
Merged
Merged
This was referenced Aug 2, 2024
Merged
Merged
@github-actions github-actions bot mentioned this pull request Aug 15, 2024
Merged
1 task
This was referenced Aug 22, 2024
Merged
Merged
This was referenced Sep 24, 2024
Merged
Merged
This was referenced Oct 7, 2024
Merged
Merged
This was referenced Oct 19, 2024
Merged
Merged
@github-actions github-actions bot mentioned this pull request Dec 1, 2024
Merged
1 task
@github-actions github-actions bot mentioned this pull request Jan 26, 2025
Merged
1 task
@github-actions github-actions bot mentioned this pull request Feb 18, 2025
Closed
@github-actions github-actions bot mentioned this pull request Mar 1, 2025
Merged
1 task
@github-actions github-actions bot mentioned this pull request Apr 6, 2025
Merged
1 task
@github-actions github-actions bot mentioned this pull request Jul 8, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cyphar cyphar cyphar approved these changes

@AkihiroSuda AkihiroSuda AkihiroSuda approved these changes

Assignees

No one assigned

Labels

backport/1.1-pr A backport PR to release-1.1 impact/changelog

Projects

None yet

Milestone

1.1.5

Development

Successfully merging this pull request may close these issues.

4 participants

@thaJeztah @cyphar @AkihiroSuda @kolyshkin