InTheForest/moby
1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2026-01-11 10:41:43 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge commit from fork

Browse Source 
[24.0] AuthZ plugin security fixes
This commit is contained in:
Sebastiaan van Stijn
2024-07-23 21:36:28 +02:00
committed by GitHub
parent e0ce0ff8d5 55fa16e22f
commit 852759a7df
2 changed files with 115 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
pkg/authorization/authz.go
View File

@@ -7,6 +7,8 @@ import (
"io" "io"
"mime" "mime"
"net/http" "net/http"
"net/url"
"regexp"
"strings" "strings"
"github.com/docker/docker/pkg/ioutils" "github.com/docker/docker/pkg/ioutils"
@@ -52,10 +54,23 @@ type Ctx struct {
authReq *Request authReq *Request
} }
func isChunked(r *http.Request) bool {
// RFC 7230 specifies that content length is to be ignored if Transfer-Encoding is chunked
if strings.EqualFold(r.Header.Get("Transfer-Encoding"), "chunked") {
return true
}
for _, v := range r.TransferEncoding {
if strings.EqualFold(v, "chunked") {
return true
}
}
return false
}
// AuthZRequest authorized the request to the docker daemon using authZ plugins // AuthZRequest authorized the request to the docker daemon using authZ plugins
func (ctx *Ctx) AuthZRequest(w http.ResponseWriter, r *http.Request) error { func (ctx *Ctx) AuthZRequest(w http.ResponseWriter, r *http.Request) error {
var body []byte var body []byte
if sendBody(ctx.requestURI, r.Header) && r.ContentLength > 0 && r.ContentLength < maxBodySize { if sendBody(ctx.requestURI, r.Header) && (r.ContentLength > 0 || isChunked(r)) && r.ContentLength < maxBodySize {
var err error var err error
body, r.Body, err = drainBody(r.Body) body, r.Body, err = drainBody(r.Body)
if err != nil { if err != nil {
@@ -108,7 +123,6 @@ func (ctx *Ctx) AuthZResponse(rm ResponseModifier, r *http.Request) error {
if sendBody(ctx.requestURI, rm.Header()) { if sendBody(ctx.requestURI, rm.Header()) {
ctx.authReq.ResponseBody = rm.RawBody() ctx.authReq.ResponseBody = rm.RawBody()
} }
for _, plugin := range ctx.plugins { for _, plugin := range ctx.plugins {
logrus.Debugf("AuthZ response using plugin %s", plugin.Name()) logrus.Debugf("AuthZ response using plugin %s", plugin.Name())
@@ -146,10 +160,26 @@ func drainBody(body io.ReadCloser) ([]byte, io.ReadCloser, error) {
return nil, newBody, err return nil, newBody, err
} }
func isAuthEndpoint(urlPath string) (bool, error) {
// eg www.test.com/v1.24/auth/optional?optional1=something&optional2=something (version optional)
matched, err := regexp.MatchString(`^[^\/]*\/(v\d[\d\.]*\/)?auth.*`, urlPath)
if err != nil {
return false, err
}
return matched, nil
}
// sendBody returns true when request/response body should be sent to AuthZPlugin // sendBody returns true when request/response body should be sent to AuthZPlugin
func sendBody(url string, header http.Header) bool { func sendBody(inURL string, header http.Header) bool {
u, err := url.Parse(inURL)
// Assume no if the URL cannot be parsed - an empty request will still be forwarded to the plugin and should be rejected
if err != nil {
return false
}
// Skip body for auth endpoint // Skip body for auth endpoint
if strings.HasSuffix(url, "/auth") { isAuth, err := isAuthEndpoint(u.Path)
if isAuth || err != nil {
return false return false
} }

84
pkg/authorization/authz_unix_test.go
View File

@@ -175,8 +175,8 @@ func TestDrainBody(t *testing.T) {
func TestSendBody(t *testing.T) { func TestSendBody(t *testing.T) {
var ( var (
url = "nothing.com"
testcases = []struct { testcases = []struct {
url string
contentType string contentType string
expected bool expected bool
}{ }{
@@ -220,15 +220,93 @@ func TestSendBody(t *testing.T) {
contentType: "", contentType: "",
expected: false, expected: false,
}, },
{
url: "nothing.com/auth",
contentType: "",
expected: false,
},
{
url: "nothing.com/auth",
contentType: "application/json;charset=UTF8",
expected: false,
},
{
url: "nothing.com/auth?p1=test",
contentType: "application/json;charset=UTF8",
expected: false,
},
{
url: "nothing.com/test?p1=/auth",
contentType: "application/json;charset=UTF8",
expected: true,
},
{
url: "nothing.com/something/auth",
contentType: "application/json;charset=UTF8",
expected: true,
},
{
url: "nothing.com/auth/test",
contentType: "application/json;charset=UTF8",
expected: false,
},
{
url: "nothing.com/v1.24/auth/test",
contentType: "application/json;charset=UTF8",
expected: false,
},
{
url: "nothing.com/v1/auth/test",
contentType: "application/json;charset=UTF8",
expected: false,
},
{
url: "www.nothing.com/v1.24/auth/test",
contentType: "application/json;charset=UTF8",
expected: false,
},
{
url: "https://www.nothing.com/v1.24/auth/test",
contentType: "application/json;charset=UTF8",
expected: false,
},
{
url: "http://nothing.com/v1.24/auth/test",
contentType: "application/json;charset=UTF8",
expected: false,
},
{
url: "www.nothing.com/test?p1=/auth",
contentType: "application/json;charset=UTF8",
expected: true,
},
{
url: "http://www.nothing.com/test?p1=/auth",
contentType: "application/json;charset=UTF8",
expected: true,
},
{
url: "www.nothing.com/something/auth",
contentType: "application/json;charset=UTF8",
expected: true,
},
{
url: "https://www.nothing.com/something/auth",
contentType: "application/json;charset=UTF8",
expected: true,
},
} }
) )
for _, testcase := range testcases { for _, testcase := range testcases {
header := http.Header{} header := http.Header{}
header.Set("Content-Type", testcase.contentType) header.Set("Content-Type", testcase.contentType)
if testcase.url == "" {
testcase.url = "nothing.com"
}
if b := sendBody(url, header); b != testcase.expected { if b := sendBody(testcase.url, header); b != testcase.expected {
t.Fatalf("Unexpected Content-Type; Expected: %t, Actual: %t", testcase.expected, b) t.Fatalf("sendBody failed: url: %s, content-type: %s; Expected: %t, Actual: %t", testcase.url, testcase.contentType, testcase.expected, b)
} }
} }
} }