Merge commit from fork

[25.0] AuthZ plugin security fixes
moby · Jul 23, 2024 · 65cc597 · 65cc597
2 parents b722836 91903e8
commit 65cc597
Show file tree

Hide file tree

Showing 2 changed files with 115 additions and 7 deletions.
diff --git a/pkg/authorization/authz.go b/pkg/authorization/authz.go
@@ -8,6 8,8 @@ import (
  "io"
  "mime"
  "net/http"
  "net/url"
  "regexp"
  "strings"
 
  "github.com/containerd/log"
@@ -53,10 55,23 @@ type Ctx struct {
  authReq *Request
 }
 
 func isChunked(r *http.Request) bool {
  // RFC 7230 specifies that content length is to be ignored if Transfer-Encoding is chunked
  if strings.EqualFold(r.Header.Get("Transfer-Encoding"), "chunked") {
  return true
  }
  for _, v := range r.TransferEncoding {
  if strings.EqualFold(v, "chunked") {
  return true
  }
  }
  return false
 }
 
 // AuthZRequest authorized the request to the docker daemon using authZ plugins
 func (ctx *Ctx) AuthZRequest(w http.ResponseWriter, r *http.Request) error {
  var body []byte
- if sendBody(ctx.requestURI, r.Header) && r.ContentLength > 0 && r.ContentLength < maxBodySize {
  if sendBody(ctx.requestURI, r.Header) && (r.ContentLength > 0 || isChunked(r)) && r.ContentLength < maxBodySize {
  var err error
  body, r.Body, err = drainBody(r.Body)
  if err != nil {
@@ -109,7 124,6 @@ func (ctx *Ctx) AuthZResponse(rm ResponseModifier, r *http.Request) error {
  if sendBody(ctx.requestURI, rm.Header()) {
  ctx.authReq.ResponseBody = rm.RawBody()
  }
-
  for _, plugin := range ctx.plugins {
  log.G(context.TODO()).Debugf("AuthZ response using plugin %s", plugin.Name())
 
@@ -147,10 161,26 @@ func drainBody(body io.ReadCloser) ([]byte, io.ReadCloser, error) {
  return nil, newBody, err
 }
 
 func isAuthEndpoint(urlPath string) (bool, error) {
  // eg www.test.com/v1.24/auth/optional?optional1=something&optional2=something (version optional)
  matched, err := regexp.MatchString(`^[^\/]*\/(v\d[\d\.]*\/)?auth.*`, urlPath)
  if err != nil {
  return false, err
  }
  return matched, nil
 }
 
 // sendBody returns true when request/response body should be sent to AuthZPlugin
-func sendBody(url string, header http.Header) bool {
 func sendBody(inURL string, header http.Header) bool {
  u, err := url.Parse(inURL)
  // Assume no if the URL cannot be parsed - an empty request will still be forwarded to the plugin and should be rejected
  if err != nil {
  return false
  }
 
  // Skip body for auth endpoint
- if strings.HasSuffix(url, "/auth") {
  isAuth, err := isAuthEndpoint(u.Path)
  if isAuth || err != nil {
  return false
  }
 

diff --git a/pkg/authorization/authz_unix_test.go b/pkg/authorization/authz_unix_test.go
@@ -174,8 174,8 @@ func TestDrainBody(t *testing.T) {
 
 func TestSendBody(t *testing.T) {
  var (
- url = "nothing.com"
  testcases = []struct {
  url string
  contentType string
  expected bool
  }{
@@ -219,15 219,93 @@ func TestSendBody(t *testing.T) {
  contentType: "",
  expected: false,
  },
  {
  url: "nothing.com/auth",
  contentType: "",
  expected: false,
  },
  {
  url: "nothing.com/auth",
  contentType: "application/json;charset=UTF8",
  expected: false,
  },
  {
  url: "nothing.com/auth?p1=test",
  contentType: "application/json;charset=UTF8",
  expected: false,
  },
  {
  url: "nothing.com/test?p1=/auth",
  contentType: "application/json;charset=UTF8",
  expected: true,
  },
  {
  url: "nothing.com/something/auth",
  contentType: "application/json;charset=UTF8",
  expected: true,
  },
  {
  url: "nothing.com/auth/test",
  contentType: "application/json;charset=UTF8",
  expected: false,
  },
  {
  url: "nothing.com/v1.24/auth/test",
  contentType: "application/json;charset=UTF8",
  expected: false,
  },
  {
  url: "nothing.com/v1/auth/test",
  contentType: "application/json;charset=UTF8",
  expected: false,
  },
  {
  url: "www.nothing.com/v1.24/auth/test",
  contentType: "application/json;charset=UTF8",
  expected: false,
  },
  {
  url: "https://www.nothing.com/v1.24/auth/test",
  contentType: "application/json;charset=UTF8",
  expected: false,
  },
  {
  url: "http://nothing.com/v1.24/auth/test",
  contentType: "application/json;charset=UTF8",
  expected: false,
  },
  {
  url: "www.nothing.com/test?p1=/auth",
  contentType: "application/json;charset=UTF8",
  expected: true,
  },
  {
  url: "http://www.nothing.com/test?p1=/auth",
  contentType: "application/json;charset=UTF8",
  expected: true,
  },
  {
  url: "www.nothing.com/something/auth",
  contentType: "application/json;charset=UTF8",
  expected: true,
  },
  {
  url: "https://www.nothing.com/something/auth",
  contentType: "application/json;charset=UTF8",
  expected: true,
  },
  }
  )
 
  for _, testcase := range testcases {
  header := http.Header{}
  header.Set("Content-Type", testcase.contentType)
  if testcase.url == "" {
  testcase.url = "nothing.com"
  }
 
- if b := sendBody(url, header); b != testcase.expected {
- t.Fatalf("Unexpected Content-Type; Expected: %t, Actual: %t", testcase.expected, b)
  if b := sendBody(testcase.url, header); b != testcase.expected {
  t.Fatalf("sendBody failed: url: %s, content-type: %s; Expected: %t, Actual: %t", testcase.url, testcase.contentType, testcase.expected, b)
  }
  }
 }