Merge commit from fork

[26.0] AuthZ plugin security fixes
If url includes scheme, urlPath will drop hostname, which would not match the auth check
2026-01-12 11:11:44 +00:00 · 2024-07-23 21:36:28 +02:00 · 2024-07-17 13:09:10 +02:00 · 2024-07-17 13:09:08 +02:00 · 2024-06-08 17:25:26 +02:00 · 2024-05-08 09:43:51 +02:00
10 changed files with 128 additions and 15 deletions
--- a/.github/workflows/.windows.yml
+++ b/.github/workflows/.windows.yml
@@ -19,7 +19,7 @@ on:
        default: false

 env:
-  GO_VERSION: "1.21.9"
+  GO_VERSION: "1.21.10"
  GOTESTLIST_VERSION: v0.3.1
  TESTSTAT_VERSION: v0.1.25
  WINDOWS_BASE_IMAGE: mcr.microsoft.com/windows/servercore
--- a/.github/workflows/buildkit.yml
+++ b/.github/workflows/buildkit.yml
@@ -13,7 +13,7 @@ on:
  pull_request:

 env:
-  GO_VERSION: "1.21.9"
+  GO_VERSION: "1.21.10"
  DESTDIR: ./build

 jobs:
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -13,7 +13,7 @@ on:
  pull_request:

 env:
-  GO_VERSION: "1.21.9"
+  GO_VERSION: "1.21.10"
  GIT_PAGER: "cat"
  PAGER: "cat"

--- a/2
+++ b/2
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1

-ARG GO_VERSION=1.21.9
+ARG GO_VERSION=1.21.10
 ARG BASE_DEBIAN_DISTRO="bookworm"
 ARG GOLANG_IMAGE="golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO}"
 ARG XX_VERSION=1.4.0
--- a/Dockerfile.simple
+++ b/Dockerfile.simple
@@ -5,7 +5,7 @@

 # This represents the bare minimum required to build and test Docker.

-ARG GO_VERSION=1.21.9
+ARG GO_VERSION=1.21.10

 ARG BASE_DEBIAN_DISTRO="bookworm"
 ARG GOLANG_IMAGE="golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO}"
--- a/Dockerfile.windows
+++ b/Dockerfile.windows
@@ -161,7 +161,7 @@ FROM ${WINDOWS_BASE_IMAGE}:${WINDOWS_BASE_IMAGE_TAG}
 # Use PowerShell as the default shell
 SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"]

-ARG GO_VERSION=1.21.9
+ARG GO_VERSION=1.21.10
 ARG GOTESTSUM_VERSION=v1.8.2
 ARG GOWINRES_VERSION=v0.3.1
 ARG CONTAINERD_VERSION=v1.7.15
--- a/daemon/images/image_history.go
+++ b/daemon/images/image_history.go
@@ -43,9 +43,14 @@ func (i *ImageService) ImageHistory(ctx context.Context, name string) ([]*image.
 			layerCounter++
 		}

+		var created int64
+		if h.Created != nil {
+			created = h.Created.Unix()
+		}
+
 		history = append([]*image.HistoryResponseItem{{
 			ID:        "<missing>",
-			Created:   h.Created.Unix(),
+			Created:   created,
 			CreatedBy: h.CreatedBy,
 			Comment:   h.Comment,
 			Size:      layerSize,
--- a/hack/dockerfiles/generate-files.Dockerfile
+++ b/hack/dockerfiles/generate-files.Dockerfile
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1

-ARG GO_VERSION=1.21.9
+ARG GO_VERSION=1.21.10
 ARG BASE_DEBIAN_DISTRO="bookworm"
 ARG PROTOC_VERSION=3.11.4

--- a/pkg/authorization/authz.go
+++ b/pkg/authorization/authz.go
@@ -8,6 +8,8 @@ import (
 	"io"
 	"mime"
 	"net/http"
+	"net/url"
+	"regexp"
 	"strings"

 	"github.com/containerd/log"
@@ -53,10 +55,23 @@ type Ctx struct {
 	authReq *Request
 }

+func isChunked(r *http.Request) bool {
+	// RFC 7230 specifies that content length is to be ignored if Transfer-Encoding is chunked
+	if strings.EqualFold(r.Header.Get("Transfer-Encoding"), "chunked") {
+		return true
+	}
+	for _, v := range r.TransferEncoding {
+		if strings.EqualFold(v, "chunked") {
+			return true
+		}
+	}
+	return false
+}
+
 // AuthZRequest authorized the request to the docker daemon using authZ plugins
 func (ctx *Ctx) AuthZRequest(w http.ResponseWriter, r *http.Request) error {
 	var body []byte
-	if sendBody(ctx.requestURI, r.Header) && r.ContentLength > 0 && r.ContentLength < maxBodySize {
+	if sendBody(ctx.requestURI, r.Header) && (r.ContentLength > 0 || isChunked(r)) && r.ContentLength < maxBodySize {
 		var err error
 		body, r.Body, err = drainBody(r.Body)
 		if err != nil {
@@ -109,7 +124,6 @@ func (ctx *Ctx) AuthZResponse(rm ResponseModifier, r *http.Request) error {
 	if sendBody(ctx.requestURI, rm.Header()) {
 		ctx.authReq.ResponseBody = rm.RawBody()
 	}
-
 	for _, plugin := range ctx.plugins {
 		log.G(context.TODO()).Debugf("AuthZ response using plugin %s", plugin.Name())

@@ -147,10 +161,26 @@ func drainBody(body io.ReadCloser) ([]byte, io.ReadCloser, error) {
 	return nil, newBody, err
 }

+func isAuthEndpoint(urlPath string) (bool, error) {
+	// eg www.test.com/v1.24/auth/optional?optional1=something&optional2=something (version optional)
+	matched, err := regexp.MatchString(`^[^\/]*\/(v\d[\d\.]*\/)?auth.*`, urlPath)
+	if err != nil {
+		return false, err
+	}
+	return matched, nil
+}
+
 // sendBody returns true when request/response body should be sent to AuthZPlugin
-func sendBody(url string, header http.Header) bool {
+func sendBody(inURL string, header http.Header) bool {
+	u, err := url.Parse(inURL)
+	// Assume no if the URL cannot be parsed - an empty request will still be forwarded to the plugin and should be rejected
+	if err != nil {
+		return false
+	}
+
 	// Skip body for auth endpoint
-	if strings.HasSuffix(url, "/auth") {
+	isAuth, err := isAuthEndpoint(u.Path)
+	if isAuth || err != nil {
 		return false
 	}

--- a/pkg/authorization/authz_unix_test.go
+++ b/pkg/authorization/authz_unix_test.go
@@ -174,8 +174,8 @@ func TestDrainBody(t *testing.T) {

 func TestSendBody(t *testing.T) {
 	var (
-		url       = "nothing.com"
 		testcases = []struct {
+			url         string
 			contentType string
 			expected    bool
 		}{
@@ -219,15 +219,93 @@ func TestSendBody(t *testing.T) {
 				contentType: "",
 				expected:    false,
 			},
+			{
+				url:         "nothing.com/auth",
+				contentType: "",
+				expected:    false,
+			},
+			{
+				url:         "nothing.com/auth",
+				contentType: "application/json;charset=UTF8",
+				expected:    false,
+			},
+			{
+				url:         "nothing.com/auth?p1=test",
+				contentType: "application/json;charset=UTF8",
+				expected:    false,
+			},
+			{
+				url:         "nothing.com/test?p1=/auth",
+				contentType: "application/json;charset=UTF8",
+				expected:    true,
+			},
+			{
+				url:         "nothing.com/something/auth",
+				contentType: "application/json;charset=UTF8",
+				expected:    true,
+			},
+			{
+				url:         "nothing.com/auth/test",
+				contentType: "application/json;charset=UTF8",
+				expected:    false,
+			},
+			{
+				url:         "nothing.com/v1.24/auth/test",
+				contentType: "application/json;charset=UTF8",
+				expected:    false,
+			},
+			{
+				url:         "nothing.com/v1/auth/test",
+				contentType: "application/json;charset=UTF8",
+				expected:    false,
+			},
+			{
+				url:         "www.nothing.com/v1.24/auth/test",
+				contentType: "application/json;charset=UTF8",
+				expected:    false,
+			},
+			{
+				url:         "https://www.nothing.com/v1.24/auth/test",
+				contentType: "application/json;charset=UTF8",
+				expected:    false,
+			},
+			{
+				url:         "http://nothing.com/v1.24/auth/test",
+				contentType: "application/json;charset=UTF8",
+				expected:    false,
+			},
+			{
+				url:         "www.nothing.com/test?p1=/auth",
+				contentType: "application/json;charset=UTF8",
+				expected:    true,
+			},
+			{
+				url:         "http://www.nothing.com/test?p1=/auth",
+				contentType: "application/json;charset=UTF8",
+				expected:    true,
+			},
+			{
+				url:         "www.nothing.com/something/auth",
+				contentType: "application/json;charset=UTF8",
+				expected:    true,
+			},
+			{
+				url:         "https://www.nothing.com/something/auth",
+				contentType: "application/json;charset=UTF8",
+				expected:    true,
+			},
 		}
 	)

 	for _, testcase := range testcases {
 		header := http.Header{}
 		header.Set("Content-Type", testcase.contentType)
+		if testcase.url == "" {
+			testcase.url = "nothing.com"
+		}

-		if b := sendBody(url, header); b != testcase.expected {
-			t.Fatalf("Unexpected Content-Type; Expected: %t, Actual: %t", testcase.expected, b)
+		if b := sendBody(testcase.url, header); b != testcase.expected {
+			t.Fatalf("sendBody failed: url: %s, content-type: %s; Expected: %t, Actual: %t", testcase.url, testcase.contentType, testcase.expected, b)
 		}
 	}
 }
Author	SHA1	Message	Date
Sebastiaan van Stijn	a312606256	Merge commit from fork [26.0] AuthZ plugin security fixes	2024-07-23 21:36:28 +02:00
Jameson Hyde	754d8f168e	If url includes scheme, urlPath will drop hostname, which would not match the auth check Signed-off-by: Jameson Hyde <jameson.hyde@docker.com> (cherry picked from commit 754fb8d9d03895ae3ab60d2ad778152b0d835206) Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com> (cherry picked from commit `5282cb25d0`) Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>	2024-07-17 13:09:10 +02:00
Jameson Hyde	4c31251093	Authz plugin security fixes for 0-length content and path validation Signed-off-by: Jameson Hyde <jameson.hyde@docker.com> fix comments (cherry picked from commit 9659c3a52bac57e615b5fb49b0652baca448643e) Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com> (cherry picked from commit `2ac8a479c5`) Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>	2024-07-17 13:09:08 +02:00
Sebastiaan van Stijn	8ce163b7dc	Merge pull request #47807 from vvoland/v26.0-47805 [26.0 backport] update to go1.21.10	2024-06-08 17:25:26 +02:00
Paweł Gronowski	ac366556b7	update to go1.21.10 - https://github.com/golang/go/issues?q=milestone%3AGo1.21.10+label%3ACherryPickApproved - full diff: https://github.com/golang/go/compare/go1.21.9...go1.21.10 These minor releases include 2 security fixes following the security policy: - cmd/go: arbitrary code execution during build on darwin On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the -lto_library flag in a "#cgo LDFLAGS" directive. Thanks to Juho Forsén of Mattermost for reporting this issue. This is CVE-2024-24787 and Go issue https://go.dev/issue/67119. - net: malformed DNS message can cause infinite loop A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop. Thanks to long-name-let-people-remember-you on GitHub for reporting this issue, and to Mateusz Poliwczak for bringing the issue to our attention. This is CVE-2024-24788 and Go issue https://go.dev/issue/66754. View the release notes for more information: https://go.dev/doc/devel/release#go1.22.3 - Description for the changelog ```markdown changelog Update Go runtime to 1.21.10 ``` Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com> (cherry picked from commit `6c97e0e0b5`) Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>	2024-05-08 09:43:51 +02:00
Paweł Gronowski	54aee20458	Merge pull request #47758 from austinvazquez/cherry-pick-ab570ab3d62038b3d26f96a9bb585d0b6095b9b4-to-26.0 [26.0 backport] fix: avoid nil dereference on image history Created value	2024-04-25 17:42:59 +02:00
Christopher Petito	bd6b5b6d37	nil dereference fix on image history Created value Issue was caused by the changes here https://github.com/moby/moby/pull/45504 First released in v25.0.0-beta.1 Signed-off-by: Christopher Petito <47751006+krissetto@users.noreply.github.com> (cherry picked from commit `ab570ab3d6`) Signed-off-by: Austin Vazquez <macedonv@amazon.com>	2024-04-23 23:19:52 +00:00