2014-10-20 15:35:48 -04:00
|
|
|
package archive
|
|
|
|
|
|
|
|
import (
|
2015-05-01 18:01:10 -04:00
|
|
|
"archive/tar"
|
2014-10-20 15:35:48 -04:00
|
|
|
"testing"
|
|
|
|
)
|
|
|
|
|
|
|
|
func TestApplyLayerInvalidFilenames(t *testing.T) {
|
|
|
|
for i, headers := range [][]*tar.Header{
|
|
|
|
{
|
|
|
|
{
|
|
|
|
Name: "../victim/dotdot",
|
|
|
|
Typeflag: tar.TypeReg,
|
|
|
|
Mode: 0644,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
{
|
|
|
|
// Note the leading slash
|
|
|
|
Name: "/../victim/slash-dotdot",
|
|
|
|
Typeflag: tar.TypeReg,
|
|
|
|
Mode: 0644,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
} {
|
|
|
|
if err := testBreakout("applylayer", "docker-TestApplyLayerInvalidFilenames", headers); err != nil {
|
|
|
|
t.Fatalf("i=%d. %v", i, err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestApplyLayerInvalidHardlink(t *testing.T) {
|
|
|
|
for i, headers := range [][]*tar.Header{
|
|
|
|
{ // try reading victim/hello (../)
|
|
|
|
{
|
|
|
|
Name: "dotdot",
|
|
|
|
Typeflag: tar.TypeLink,
|
|
|
|
Linkname: "../victim/hello",
|
|
|
|
Mode: 0644,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
{ // try reading victim/hello (/../)
|
|
|
|
{
|
|
|
|
Name: "slash-dotdot",
|
|
|
|
Typeflag: tar.TypeLink,
|
|
|
|
// Note the leading slash
|
|
|
|
Linkname: "/../victim/hello",
|
|
|
|
Mode: 0644,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
{ // try writing victim/file
|
|
|
|
{
|
|
|
|
Name: "loophole-victim",
|
|
|
|
Typeflag: tar.TypeLink,
|
|
|
|
Linkname: "../victim",
|
|
|
|
Mode: 0755,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
Name: "loophole-victim/file",
|
|
|
|
Typeflag: tar.TypeReg,
|
|
|
|
Mode: 0644,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
{ // try reading victim/hello (hardlink, symlink)
|
|
|
|
{
|
|
|
|
Name: "loophole-victim",
|
|
|
|
Typeflag: tar.TypeLink,
|
|
|
|
Linkname: "../victim",
|
|
|
|
Mode: 0755,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
Name: "symlink",
|
|
|
|
Typeflag: tar.TypeSymlink,
|
|
|
|
Linkname: "loophole-victim/hello",
|
|
|
|
Mode: 0644,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
{ // Try reading victim/hello (hardlink, hardlink)
|
|
|
|
{
|
|
|
|
Name: "loophole-victim",
|
|
|
|
Typeflag: tar.TypeLink,
|
|
|
|
Linkname: "../victim",
|
|
|
|
Mode: 0755,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
Name: "hardlink",
|
|
|
|
Typeflag: tar.TypeLink,
|
|
|
|
Linkname: "loophole-victim/hello",
|
|
|
|
Mode: 0644,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
{ // Try removing victim directory (hardlink)
|
|
|
|
{
|
|
|
|
Name: "loophole-victim",
|
|
|
|
Typeflag: tar.TypeLink,
|
|
|
|
Linkname: "../victim",
|
|
|
|
Mode: 0755,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
Name: "loophole-victim",
|
|
|
|
Typeflag: tar.TypeReg,
|
|
|
|
Mode: 0644,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
} {
|
|
|
|
if err := testBreakout("applylayer", "docker-TestApplyLayerInvalidHardlink", headers); err != nil {
|
|
|
|
t.Fatalf("i=%d. %v", i, err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestApplyLayerInvalidSymlink(t *testing.T) {
|
|
|
|
for i, headers := range [][]*tar.Header{
|
|
|
|
{ // try reading victim/hello (../)
|
|
|
|
{
|
|
|
|
Name: "dotdot",
|
|
|
|
Typeflag: tar.TypeSymlink,
|
|
|
|
Linkname: "../victim/hello",
|
|
|
|
Mode: 0644,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
{ // try reading victim/hello (/../)
|
|
|
|
{
|
|
|
|
Name: "slash-dotdot",
|
|
|
|
Typeflag: tar.TypeSymlink,
|
|
|
|
// Note the leading slash
|
|
|
|
Linkname: "/../victim/hello",
|
|
|
|
Mode: 0644,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
{ // try writing victim/file
|
|
|
|
{
|
|
|
|
Name: "loophole-victim",
|
|
|
|
Typeflag: tar.TypeSymlink,
|
|
|
|
Linkname: "../victim",
|
|
|
|
Mode: 0755,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
Name: "loophole-victim/file",
|
|
|
|
Typeflag: tar.TypeReg,
|
|
|
|
Mode: 0644,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
{ // try reading victim/hello (symlink, symlink)
|
|
|
|
{
|
|
|
|
Name: "loophole-victim",
|
|
|
|
Typeflag: tar.TypeSymlink,
|
|
|
|
Linkname: "../victim",
|
|
|
|
Mode: 0755,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
Name: "symlink",
|
|
|
|
Typeflag: tar.TypeSymlink,
|
|
|
|
Linkname: "loophole-victim/hello",
|
|
|
|
Mode: 0644,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
{ // try reading victim/hello (symlink, hardlink)
|
|
|
|
{
|
|
|
|
Name: "loophole-victim",
|
|
|
|
Typeflag: tar.TypeSymlink,
|
|
|
|
Linkname: "../victim",
|
|
|
|
Mode: 0755,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
Name: "hardlink",
|
|
|
|
Typeflag: tar.TypeLink,
|
|
|
|
Linkname: "loophole-victim/hello",
|
|
|
|
Mode: 0644,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
{ // try removing victim directory (symlink)
|
|
|
|
{
|
|
|
|
Name: "loophole-victim",
|
|
|
|
Typeflag: tar.TypeSymlink,
|
|
|
|
Linkname: "../victim",
|
|
|
|
Mode: 0755,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
Name: "loophole-victim",
|
|
|
|
Typeflag: tar.TypeReg,
|
|
|
|
Mode: 0644,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
} {
|
|
|
|
if err := testBreakout("applylayer", "docker-TestApplyLayerInvalidSymlink", headers); err != nil {
|
|
|
|
t.Fatalf("i=%d. %v", i, err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|