* Re: [meta-virtualization][scarthgap][PATCH 1/1] docker-moby: fix CVE-2024-41110
[not found] <17E7DAAD2DCE80AD.13344@lists.yoctoproject.org>
@ 2024-08-12 5:42 ` Polampalli, Archana
2024-08-12 17:26 ` Bruce Ashfield
0 siblings, 1 reply; 3+ messages in thread
From: Polampalli, Archana @ 2024-08-12 5:42 UTC (permalink / raw)
To: meta-virtualization@lists.yoctoproject.org, Polampalli, Archana
[-- Attachment #1: Type: text/plain, Size: 9459 bytes --]
Reminder!!
Regards,
Archana
________________________________
From: meta-virtualization@lists.yoctoproject.org <meta-virtualization@lists.yoctoproject.org> on behalf of Polampalli, Archana via lists.yoctoproject.org <archana.polampalli=windriver.com@lists.yoctoproject.org>
Sent: Friday, August 2, 2024 13:33
To: meta-virtualization@lists.yoctoproject.org <meta-virtualization@lists.yoctoproject.org>
Subject: [meta-virtualization][scarthgap][PATCH 1/1] docker-moby: fix CVE-2024-41110
From: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
---
recipes-containers/docker/docker-moby_git.bb | 1 +
.../docker/files/CVE-2024-41110.patch | 176 ++++++++++++++++++
2 files changed, 177 insertions(+)
create mode 100644 recipes-containers/docker/files/CVE-2024-41110.patch
diff --git a/recipes-containers/docker/docker-moby_git.bb b/recipes-containers/docker/docker-moby_git.bb
index 0abb0b3f..706101d1 100644
--- a/recipes-containers/docker/docker-moby_git.bb
+++ b/recipes-containers/docker/docker-moby_git.bb
@@ -56,6 +56,7 @@ SRC_URI = "\
file://0001-libnetwork-use-GO-instead-of-go.patch \
file://0001-cli-use-external-GO111MODULE-and-cross-compiler.patch \
file://0001-dynbinary-use-go-cross-compiler.patch;patchdir=src/import \
+ file://CVE-2024-41110.patch;patchdir=src/import \
"
DOCKER_COMMIT = "${SRCREV_moby}"
diff --git a/recipes-containers/docker/files/CVE-2024-41110.patch b/recipes-containers/docker/files/CVE-2024-41110.patch
new file mode 100644
index 00000000..6dd56a08
--- /dev/null
+++ b/recipes-containers/docker/files/CVE-2024-41110.patch
@@ -0,0 +1,176 @@
+From ccfe0a41d438053ee54f0478d3a77b090e40c379 Mon Sep 17 00:00:00 2001
+From: Jameson Hyde <jameson.hyde@docker.com>
+Date: Mon, 26 Nov 2018 14:15:22 -0500
+Subject: [PATCH] Authz plugin security fixes for 0-length content and path
+ validation Signed-off-by: Jameson Hyde <jameson.hyde@docker.com>
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+fix comments
+
+(cherry picked from commit 9659c3a52bac57e615b5fb49b0652baca448643e)
+Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
+(cherry picked from commit 2ac8a479c53d9b8e67c55f1e283da9d85d2b3415)
+Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
+
+CVE: CVE-2024-41110
+Upstream-Status: Backport [https://github.com/moby/moby/commit/ccfe0a41d438053ee54f0478d3a77b090e40c379]
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ pkg/authorization/authz.go | 38 ++++++++++++++++++---
+ pkg/authorization/authz_unix_test.go | 49 ++++++++++++++++++++++++++--
+ 2 files changed, 80 insertions(+), 7 deletions(-)
+
+diff --git a/pkg/authorization/authz.go b/pkg/authorization/authz.go
+index 1eb44315dd..4c2e90b251 100644
+--- a/pkg/authorization/authz.go
++++ b/pkg/authorization/authz.go
+@@ -8,6 +8,8 @@ import (
+ "io"
+ "mime"
+ "net/http"
++ "net/url"
++ "regexp"
+ "strings"
+
+ "github.com/containerd/log"
+@@ -53,10 +55,23 @@ type Ctx struct {
+ authReq *Request
+ }
+
++func isChunked(r *http.Request) bool {
++ // RFC 7230 specifies that content length is to be ignored if Transfer-Encoding is chunked
++ if strings.ToLower(r.Header.Get("Transfer-Encoding")) == "chunked" {
++ return true
++ }
++ for _, v := range r.TransferEncoding {
++ if 0 == strings.Compare(strings.ToLower(v), "chunked") {
++ return true
++ }
++ }
++ return false
++}
++
+ // AuthZRequest authorized the request to the docker daemon using authZ plugins
+ func (ctx *Ctx) AuthZRequest(w http.ResponseWriter, r *http.Request) error {
+ var body []byte
+- if sendBody(ctx.requestURI, r.Header) && r.ContentLength > 0 && r.ContentLength < maxBodySize {
++ if sendBody(ctx.requestURI, r.Header) && (r.ContentLength > 0 || isChunked(r)) && r.ContentLength < maxBodySize {
+ var err error
+ body, r.Body, err = drainBody(r.Body)
+ if err != nil {
+@@ -109,7 +124,6 @@ func (ctx *Ctx) AuthZResponse(rm ResponseModifier, r *http.Request) error {
+ if sendBody(ctx.requestURI, rm.Header()) {
+ ctx.authReq.ResponseBody = rm.RawBody()
+ }
+-
+ for _, plugin := range ctx.plugins {
+ log.G(context.TODO()).Debugf("AuthZ response using plugin %s", plugin.Name())
+
+@@ -147,10 +161,26 @@ func drainBody(body io.ReadCloser) ([]byte, io.ReadCloser, error) {
+ return nil, newBody, err
+ }
+
++func isAuthEndpoint(urlPath string) (bool, error) {
++ // eg www.test.com/v1.24/auth/optional?optional1=something&optional2=something<http://www.test.com/v1.24/auth/optional?optional1=something&optional2=something> (version optional)
++ matched, err := regexp.MatchString(`^[^\/]+\/(v\d[\d\.]*\/)?auth.*`, urlPath)
++ if err != nil {
++ return false, err
++ }
++ return matched, nil
++}
++
+ // sendBody returns true when request/response body should be sent to AuthZPlugin
+-func sendBody(url string, header http.Header) bool {
++func sendBody(inURL string, header http.Header) bool {
++ u, err := url.Parse(inURL)
++ // Assume no if the URL cannot be parsed - an empty request will still be forwarded to the plugin and should be rejected
++ if err != nil {
++ return false
++ }
++
+ // Skip body for auth endpoint
+- if strings.HasSuffix(url, "/auth") {
++ isAuth, err := isAuthEndpoint(u.Path)
++ if isAuth || err != nil {
+ return false
+ }
+
+diff --git a/pkg/authorization/authz_unix_test.go b/pkg/authorization/authz_unix_test.go
+index c9b18d96e9..275f1dd3d0 100644
+--- a/pkg/authorization/authz_unix_test.go
++++ b/pkg/authorization/authz_unix_test.go
+@@ -174,8 +174,8 @@ func TestDrainBody(t *testing.T) {
+
+ func TestSendBody(t *testing.T) {
+ var (
+- url = "nothing.com"
+ testcases = []struct {
++ url string
+ contentType string
+ expected bool
+ }{
+@@ -219,15 +219,58 @@ func TestSendBody(t *testing.T) {
+ contentType: "",
+ expected: false,
+ },
++ {
++ url: "nothing.com/auth",
++ contentType: "",
++ expected: false,
++ },
++ {
++ url: "nothing.com/auth",
++ contentType: "application/json;charset=UTF8",
++ expected: false,
++ },
++ {
++ url: "nothing.com/auth?p1=test",
++ contentType: "application/json;charset=UTF8",
++ expected: false,
++ },
++ {
++ url: "nothing.com/test?p1=/auth",
++ contentType: "application/json;charset=UTF8",
++ expected: true,
++ },
++ {
++ url: "nothing.com/something/auth",
++ contentType: "application/json;charset=UTF8",
++ expected: true,
++ },
++ {
++ url: "nothing.com/auth/test",
++ contentType: "application/json;charset=UTF8",
++ expected: false,
++ },
++ {
++ url: "nothing.com/v1.24/auth/test",
++ contentType: "application/json;charset=UTF8",
++ expected: false,
++ },
++ {
++ url: "nothing.com/v1/auth/test",
++ contentType: "application/json;charset=UTF8",
++ expected: false,
++ },
+ }
+ )
+
+ for _, testcase := range testcases {
+ header := http.Header{}
+ header.Set("Content-Type", testcase.contentType)
++ if testcase.url == "" {
++ testcase.url = "nothing.com"
++ }
+
+- if b := sendBody(url, header); b != testcase.expected {
+- t.Fatalf("Unexpected Content-Type; Expected: %t, Actual: %t", testcase.expected, b)
++ if b := sendBody(testcase.url, header); b != testcase.expected {
++ t.Fatalf("sendBody failed: url: %s, content-type: %s; Expected: %t, Actual: %t", testcase.url, testcase.contentType, testcase.expected, b)
+ }
+ }
+ }
+--
+2.40.0
--
2.40.0
[-- Attachment #2: Type: text/html, Size: 22195 bytes --]
^ permalink raw reply related [flat|nested] 3+ messages in thread* Re: [meta-virtualization][scarthgap][PATCH 1/1] docker-moby: fix CVE-2024-41110
2024-08-12 5:42 ` [meta-virtualization][scarthgap][PATCH 1/1] docker-moby: fix CVE-2024-41110 Polampalli, Archana
@ 2024-08-12 17:26 ` Bruce Ashfield
0 siblings, 0 replies; 3+ messages in thread
From: Bruce Ashfield @ 2024-08-12 17:26 UTC (permalink / raw)
To: archana.polampalli; +Cc: meta-virtualization@lists.yoctoproject.org
In message: Re: [meta-virtualization][scarthgap][PATCH 1/1] docker-moby: fix CVE-2024-41110
on 12/08/2024 Polampalli, Archana via lists.yoctoproject.org wrote:
> Reminder!!
And a reminder that I only typically do updates and merging
in specific windows during a development cycle, that includes
CVEs.
Also, it doesn't look like you checked for a new 25.x -stable
version. I took a glance and it looks like upstream has dealt
with the issue on the 25.0 branch.
It is almost always preferable to update to a -stable to pickup a fix,
versus cherry picking a patch.
Bruce
>
> Regards,
> Archana
> ________________________________
> From: meta-virtualization@lists.yoctoproject.org <meta-virtualization@lists.yoctoproject.org> on behalf of Polampalli, Archana via lists.yoctoproject.org <archana.polampalli=windriver.com@lists.yoctoproject.org>
> Sent: Friday, August 2, 2024 13:33
> To: meta-virtualization@lists.yoctoproject.org <meta-virtualization@lists.yoctoproject.org>
> Subject: [meta-virtualization][scarthgap][PATCH 1/1] docker-moby: fix CVE-2024-41110
>
> From: Archana Polampalli <archana.polampalli@windriver.com>
>
> Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
> ---
> recipes-containers/docker/docker-moby_git.bb | 1 +
> .../docker/files/CVE-2024-41110.patch | 176 ++++++++++++++++++
> 2 files changed, 177 insertions(+)
> create mode 100644 recipes-containers/docker/files/CVE-2024-41110.patch
>
> diff --git a/recipes-containers/docker/docker-moby_git.bb b/recipes-containers/docker/docker-moby_git.bb
> index 0abb0b3f..706101d1 100644
> --- a/recipes-containers/docker/docker-moby_git.bb
> +++ b/recipes-containers/docker/docker-moby_git.bb
> @@ -56,6 +56,7 @@ SRC_URI = "\
> file://0001-libnetwork-use-GO-instead-of-go.patch \
> file://0001-cli-use-external-GO111MODULE-and-cross-compiler.patch \
> file://0001-dynbinary-use-go-cross-compiler.patch;patchdir=src/import \
> + file://CVE-2024-41110.patch;patchdir=src/import \
> "
>
> DOCKER_COMMIT = "${SRCREV_moby}"
> diff --git a/recipes-containers/docker/files/CVE-2024-41110.patch b/recipes-containers/docker/files/CVE-2024-41110.patch
> new file mode 100644
> index 00000000..6dd56a08
> --- /dev/null
> +++ b/recipes-containers/docker/files/CVE-2024-41110.patch
> @@ -0,0 +1,176 @@
> +From ccfe0a41d438053ee54f0478d3a77b090e40c379 Mon Sep 17 00:00:00 2001
> +From: Jameson Hyde <jameson.hyde@docker.com>
> +Date: Mon, 26 Nov 2018 14:15:22 -0500
> +Subject: [PATCH] Authz plugin security fixes for 0-length content and path
> + validation Signed-off-by: Jameson Hyde <jameson.hyde@docker.com>
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +fix comments
> +
> +(cherry picked from commit 9659c3a52bac57e615b5fb49b0652baca448643e)
> +Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
> +(cherry picked from commit 2ac8a479c53d9b8e67c55f1e283da9d85d2b3415)
> +Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
> +
> +CVE: CVE-2024-41110
> +Upstream-Status: Backport [https://github.com/moby/moby/commit/ccfe0a41d438053ee54f0478d3a77b090e40c379]
> +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
> +---
> + pkg/authorization/authz.go | 38 ++++++++++++++++++---
> + pkg/authorization/authz_unix_test.go | 49 ++++++++++++++++++++++++++--
> + 2 files changed, 80 insertions(+), 7 deletions(-)
> +
> +diff --git a/pkg/authorization/authz.go b/pkg/authorization/authz.go
> +index 1eb44315dd..4c2e90b251 100644
> +--- a/pkg/authorization/authz.go
> ++++ b/pkg/authorization/authz.go
> +@@ -8,6 +8,8 @@ import (
> + "io"
> + "mime"
> + "net/http"
> ++ "net/url"
> ++ "regexp"
> + "strings"
> +
> + "github.com/containerd/log"
> +@@ -53,10 +55,23 @@ type Ctx struct {
> + authReq *Request
> + }
> +
> ++func isChunked(r *http.Request) bool {
> ++ // RFC 7230 specifies that content length is to be ignored if Transfer-Encoding is chunked
> ++ if strings.ToLower(r.Header.Get("Transfer-Encoding")) == "chunked" {
> ++ return true
> ++ }
> ++ for _, v := range r.TransferEncoding {
> ++ if 0 == strings.Compare(strings.ToLower(v), "chunked") {
> ++ return true
> ++ }
> ++ }
> ++ return false
> ++}
> ++
> + // AuthZRequest authorized the request to the docker daemon using authZ plugins
> + func (ctx *Ctx) AuthZRequest(w http.ResponseWriter, r *http.Request) error {
> + var body []byte
> +- if sendBody(ctx.requestURI, r.Header) && r.ContentLength > 0 && r.ContentLength < maxBodySize {
> ++ if sendBody(ctx.requestURI, r.Header) && (r.ContentLength > 0 || isChunked(r)) && r.ContentLength < maxBodySize {
> + var err error
> + body, r.Body, err = drainBody(r.Body)
> + if err != nil {
> +@@ -109,7 +124,6 @@ func (ctx *Ctx) AuthZResponse(rm ResponseModifier, r *http.Request) error {
> + if sendBody(ctx.requestURI, rm.Header()) {
> + ctx.authReq.ResponseBody = rm.RawBody()
> + }
> +-
> + for _, plugin := range ctx.plugins {
> + log.G(context.TODO()).Debugf("AuthZ response using plugin %s", plugin.Name())
> +
> +@@ -147,10 +161,26 @@ func drainBody(body io.ReadCloser) ([]byte, io.ReadCloser, error) {
> + return nil, newBody, err
> + }
> +
> ++func isAuthEndpoint(urlPath string) (bool, error) {
> ++ // eg www.test.com/v1.24/auth/optional?optional1=something&optional2=something<http://www.test.com/v1.24/auth/optional?optional1=something&optional2=something> (version optional)
> ++ matched, err := regexp.MatchString(`^[^\/]+\/(v\d[\d\.]*\/)?auth.*`, urlPath)
> ++ if err != nil {
> ++ return false, err
> ++ }
> ++ return matched, nil
> ++}
> ++
> + // sendBody returns true when request/response body should be sent to AuthZPlugin
> +-func sendBody(url string, header http.Header) bool {
> ++func sendBody(inURL string, header http.Header) bool {
> ++ u, err := url.Parse(inURL)
> ++ // Assume no if the URL cannot be parsed - an empty request will still be forwarded to the plugin and should be rejected
> ++ if err != nil {
> ++ return false
> ++ }
> ++
> + // Skip body for auth endpoint
> +- if strings.HasSuffix(url, "/auth") {
> ++ isAuth, err := isAuthEndpoint(u.Path)
> ++ if isAuth || err != nil {
> + return false
> + }
> +
> +diff --git a/pkg/authorization/authz_unix_test.go b/pkg/authorization/authz_unix_test.go
> +index c9b18d96e9..275f1dd3d0 100644
> +--- a/pkg/authorization/authz_unix_test.go
> ++++ b/pkg/authorization/authz_unix_test.go
> +@@ -174,8 +174,8 @@ func TestDrainBody(t *testing.T) {
> +
> + func TestSendBody(t *testing.T) {
> + var (
> +- url = "nothing.com"
> + testcases = []struct {
> ++ url string
> + contentType string
> + expected bool
> + }{
> +@@ -219,15 +219,58 @@ func TestSendBody(t *testing.T) {
> + contentType: "",
> + expected: false,
> + },
> ++ {
> ++ url: "nothing.com/auth",
> ++ contentType: "",
> ++ expected: false,
> ++ },
> ++ {
> ++ url: "nothing.com/auth",
> ++ contentType: "application/json;charset=UTF8",
> ++ expected: false,
> ++ },
> ++ {
> ++ url: "nothing.com/auth?p1=test",
> ++ contentType: "application/json;charset=UTF8",
> ++ expected: false,
> ++ },
> ++ {
> ++ url: "nothing.com/test?p1=/auth",
> ++ contentType: "application/json;charset=UTF8",
> ++ expected: true,
> ++ },
> ++ {
> ++ url: "nothing.com/something/auth",
> ++ contentType: "application/json;charset=UTF8",
> ++ expected: true,
> ++ },
> ++ {
> ++ url: "nothing.com/auth/test",
> ++ contentType: "application/json;charset=UTF8",
> ++ expected: false,
> ++ },
> ++ {
> ++ url: "nothing.com/v1.24/auth/test",
> ++ contentType: "application/json;charset=UTF8",
> ++ expected: false,
> ++ },
> ++ {
> ++ url: "nothing.com/v1/auth/test",
> ++ contentType: "application/json;charset=UTF8",
> ++ expected: false,
> ++ },
> + }
> + )
> +
> + for _, testcase := range testcases {
> + header := http.Header{}
> + header.Set("Content-Type", testcase.contentType)
> ++ if testcase.url == "" {
> ++ testcase.url = "nothing.com"
> ++ }
> +
> +- if b := sendBody(url, header); b != testcase.expected {
> +- t.Fatalf("Unexpected Content-Type; Expected: %t, Actual: %t", testcase.expected, b)
> ++ if b := sendBody(testcase.url, header); b != testcase.expected {
> ++ t.Fatalf("sendBody failed: url: %s, content-type: %s; Expected: %t, Actual: %t", testcase.url, testcase.contentType, testcase.expected, b)
> + }
> + }
> + }
> +--
> +2.40.0
> --
> 2.40.0
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#8859): https://lists.yoctoproject.org/g/meta-virtualization/message/8859
> Mute This Topic: https://lists.yoctoproject.org/mt/107681589/1050810
> Group Owner: meta-virtualization+owner@lists.yoctoproject.org
> Unsubscribe: https://lists.yoctoproject.org/g/meta-virtualization/unsub [bruce.ashfield@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
^ permalink raw reply [flat|nested] 3+ messages in thread
* [meta-virtualization][scarthgap][PATCH 1/1] docker-moby: fix CVE-2024-41110
@ 2024-08-02 8:03 archana.polampalli
0 siblings, 0 replies; 3+ messages in thread
From: archana.polampalli @ 2024-08-02 8:03 UTC (permalink / raw)
To: meta-virtualization
From: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
---
recipes-containers/docker/docker-moby_git.bb | 1 +
.../docker/files/CVE-2024-41110.patch | 176 ++++++++++++++++++
2 files changed, 177 insertions(+)
create mode 100644 recipes-containers/docker/files/CVE-2024-41110.patch
diff --git a/recipes-containers/docker/docker-moby_git.bb b/recipes-containers/docker/docker-moby_git.bb
index 0abb0b3f..706101d1 100644
--- a/recipes-containers/docker/docker-moby_git.bb
+++ b/recipes-containers/docker/docker-moby_git.bb
@@ -56,6 +56,7 @@ SRC_URI = "\
file://0001-libnetwork-use-GO-instead-of-go.patch \
file://0001-cli-use-external-GO111MODULE-and-cross-compiler.patch \
file://0001-dynbinary-use-go-cross-compiler.patch;patchdir=src/import \
+ file://CVE-2024-41110.patch;patchdir=src/import \
"
DOCKER_COMMIT = "${SRCREV_moby}"
diff --git a/recipes-containers/docker/files/CVE-2024-41110.patch b/recipes-containers/docker/files/CVE-2024-41110.patch
new file mode 100644
index 00000000..6dd56a08
--- /dev/null
+++ b/recipes-containers/docker/files/CVE-2024-41110.patch
@@ -0,0 +1,176 @@
+From ccfe0a41d438053ee54f0478d3a77b090e40c379 Mon Sep 17 00:00:00 2001
+From: Jameson Hyde <jameson.hyde@docker.com>
+Date: Mon, 26 Nov 2018 14:15:22 -0500
+Subject: [PATCH] Authz plugin security fixes for 0-length content and path
+ validation Signed-off-by: Jameson Hyde <jameson.hyde@docker.com>
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+fix comments
+
+(cherry picked from commit 9659c3a52bac57e615b5fb49b0652baca448643e)
+Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
+(cherry picked from commit 2ac8a479c53d9b8e67c55f1e283da9d85d2b3415)
+Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
+
+CVE: CVE-2024-41110
+Upstream-Status: Backport [https://github.com/moby/moby/commit/ccfe0a41d438053ee54f0478d3a77b090e40c379]
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ pkg/authorization/authz.go | 38 ++++++++++++++++++---
+ pkg/authorization/authz_unix_test.go | 49 ++++++++++++++++++++++++++--
+ 2 files changed, 80 insertions(+), 7 deletions(-)
+
+diff --git a/pkg/authorization/authz.go b/pkg/authorization/authz.go
+index 1eb44315dd..4c2e90b251 100644
+--- a/pkg/authorization/authz.go
++++ b/pkg/authorization/authz.go
+@@ -8,6 +8,8 @@ import (
+ "io"
+ "mime"
+ "net/http"
++ "net/url"
++ "regexp"
+ "strings"
+
+ "github.com/containerd/log"
+@@ -53,10 +55,23 @@ type Ctx struct {
+ authReq *Request
+ }
+
++func isChunked(r *http.Request) bool {
++ // RFC 7230 specifies that content length is to be ignored if Transfer-Encoding is chunked
++ if strings.ToLower(r.Header.Get("Transfer-Encoding")) == "chunked" {
++ return true
++ }
++ for _, v := range r.TransferEncoding {
++ if 0 == strings.Compare(strings.ToLower(v), "chunked") {
++ return true
++ }
++ }
++ return false
++}
++
+ // AuthZRequest authorized the request to the docker daemon using authZ plugins
+ func (ctx *Ctx) AuthZRequest(w http.ResponseWriter, r *http.Request) error {
+ var body []byte
+- if sendBody(ctx.requestURI, r.Header) && r.ContentLength > 0 && r.ContentLength < maxBodySize {
++ if sendBody(ctx.requestURI, r.Header) && (r.ContentLength > 0 || isChunked(r)) && r.ContentLength < maxBodySize {
+ var err error
+ body, r.Body, err = drainBody(r.Body)
+ if err != nil {
+@@ -109,7 +124,6 @@ func (ctx *Ctx) AuthZResponse(rm ResponseModifier, r *http.Request) error {
+ if sendBody(ctx.requestURI, rm.Header()) {
+ ctx.authReq.ResponseBody = rm.RawBody()
+ }
+-
+ for _, plugin := range ctx.plugins {
+ log.G(context.TODO()).Debugf("AuthZ response using plugin %s", plugin.Name())
+
+@@ -147,10 +161,26 @@ func drainBody(body io.ReadCloser) ([]byte, io.ReadCloser, error) {
+ return nil, newBody, err
+ }
+
++func isAuthEndpoint(urlPath string) (bool, error) {
++ // eg www.test.com/v1.24/auth/optional?optional1=something&optional2=something (version optional)
++ matched, err := regexp.MatchString(`^[^\/]+\/(v\d[\d\.]*\/)?auth.*`, urlPath)
++ if err != nil {
++ return false, err
++ }
++ return matched, nil
++}
++
+ // sendBody returns true when request/response body should be sent to AuthZPlugin
+-func sendBody(url string, header http.Header) bool {
++func sendBody(inURL string, header http.Header) bool {
++ u, err := url.Parse(inURL)
++ // Assume no if the URL cannot be parsed - an empty request will still be forwarded to the plugin and should be rejected
++ if err != nil {
++ return false
++ }
++
+ // Skip body for auth endpoint
+- if strings.HasSuffix(url, "/auth") {
++ isAuth, err := isAuthEndpoint(u.Path)
++ if isAuth || err != nil {
+ return false
+ }
+
+diff --git a/pkg/authorization/authz_unix_test.go b/pkg/authorization/authz_unix_test.go
+index c9b18d96e9..275f1dd3d0 100644
+--- a/pkg/authorization/authz_unix_test.go
++++ b/pkg/authorization/authz_unix_test.go
+@@ -174,8 +174,8 @@ func TestDrainBody(t *testing.T) {
+
+ func TestSendBody(t *testing.T) {
+ var (
+- url = "nothing.com"
+ testcases = []struct {
++ url string
+ contentType string
+ expected bool
+ }{
+@@ -219,15 +219,58 @@ func TestSendBody(t *testing.T) {
+ contentType: "",
+ expected: false,
+ },
++ {
++ url: "nothing.com/auth",
++ contentType: "",
++ expected: false,
++ },
++ {
++ url: "nothing.com/auth",
++ contentType: "application/json;charset=UTF8",
++ expected: false,
++ },
++ {
++ url: "nothing.com/auth?p1=test",
++ contentType: "application/json;charset=UTF8",
++ expected: false,
++ },
++ {
++ url: "nothing.com/test?p1=/auth",
++ contentType: "application/json;charset=UTF8",
++ expected: true,
++ },
++ {
++ url: "nothing.com/something/auth",
++ contentType: "application/json;charset=UTF8",
++ expected: true,
++ },
++ {
++ url: "nothing.com/auth/test",
++ contentType: "application/json;charset=UTF8",
++ expected: false,
++ },
++ {
++ url: "nothing.com/v1.24/auth/test",
++ contentType: "application/json;charset=UTF8",
++ expected: false,
++ },
++ {
++ url: "nothing.com/v1/auth/test",
++ contentType: "application/json;charset=UTF8",
++ expected: false,
++ },
+ }
+ )
+
+ for _, testcase := range testcases {
+ header := http.Header{}
+ header.Set("Content-Type", testcase.contentType)
++ if testcase.url == "" {
++ testcase.url = "nothing.com"
++ }
+
+- if b := sendBody(url, header); b != testcase.expected {
+- t.Fatalf("Unexpected Content-Type; Expected: %t, Actual: %t", testcase.expected, b)
++ if b := sendBody(testcase.url, header); b != testcase.expected {
++ t.Fatalf("sendBody failed: url: %s, content-type: %s; Expected: %t, Actual: %t", testcase.url, testcase.contentType, testcase.expected, b)
+ }
+ }
+ }
+--
+2.40.0
--
2.40.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
end of thread, other threads:[~2024-08-12 17:27 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <17E7DAAD2DCE80AD.13344@lists.yoctoproject.org>
2024-08-12 5:42 ` [meta-virtualization][scarthgap][PATCH 1/1] docker-moby: fix CVE-2024-41110 Polampalli, Archana
2024-08-12 17:26 ` Bruce Ashfield
2024-08-02 8:03 archana.polampalli
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.