kotovalexarian-likes-github/moby--moby
1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00
Code Releases Activity

Merge pull request #2298 from unclejack/2070-validate_src_for_bind_mounts

Browse source 
validate source for bind mounts
This commit is contained in:
Victor Vieux 2013-11-05 13:31:10 -08:00
commit 2205bb43ea
3 changed files with 59 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

37
commands_test.go
View file

@ -660,4 +660,41 @@ func TestCmdLogs(t *testing.T) {
if err := cli.CmdLogs(globalRuntime.List()[0].ID); err != nil { if err := cli.CmdLogs(globalRuntime.List()[0].ID); err != nil {
t.Fatal(err) t.Fatal(err)
} }
// Expected behaviour: using / as a bind mount source should throw an error
func TestRunErrorBindMountRootSource(t *testing.T) {
cli := NewDockerCli(nil, nil, ioutil.Discard, testDaemonProto, testDaemonAddr)
defer cleanup(globalRuntime)
c := make(chan struct{})
go func() {
defer close(c)
if err := cli.CmdRun("-v", "/:/tmp", unitTestImageID, "echo 'should fail'"); err == nil {
t.Fatal("should have failed to run when using / as a source for the bind mount")
}
}()
setTimeout(t, "CmdRun timed out", 5*time.Second, func() {
<-c
})
}
// Expected behaviour: error out when attempting to bind mount non-existing source paths
func TestRunErrorBindNonExistingSource(t *testing.T) {
cli := NewDockerCli(nil, nil, ioutil.Discard, testDaemonProto, testDaemonAddr)
defer cleanup(globalRuntime)
c := make(chan struct{})
go func() {
defer close(c)
if err := cli.CmdRun("-v", "/i/dont/exist:/tmp", unitTestImageID, "echo 'should fail'"); err == nil {
t.Fatal("should have failed to run when using /i/dont/exist as a source for the bind mount")
}
}()
setTimeout(t, "CmdRun timed out", 5*time.Second, func() {
<-c
})
} }

3
container.go
View file

@ -251,6 +251,9 @@ func ParseRun(args []string, capabilities *Capabilities) (*Config, *HostConfig,
for bind := range flVolumes { for bind := range flVolumes {
arr := strings.Split(bind, ":") arr := strings.Split(bind, ":")
if len(arr) > 1 { if len(arr) > 1 {
if arr[0] == "/" {
return nil, nil, cmd, fmt.Errorf("Invalid bind mount: source can't be '/'")
}
dstDir := arr[1] dstDir := arr[1]
flVolumes[dstDir] = struct{}{} flVolumes[dstDir] = struct{}{}
binds = append(binds, bind) binds = append(binds, bind)

19
server.go
View file

@ -1316,6 +1316,25 @@ func (srv *Server) RegisterLinks(name string, hostConfig *HostConfig) error {
func (srv *Server) ContainerStart(name string, hostConfig *HostConfig) error { func (srv *Server) ContainerStart(name string, hostConfig *HostConfig) error {
runtime := srv.runtime runtime := srv.runtime
container := runtime.Get(name) container := runtime.Get(name)
if hostConfig != nil {
for _, bind := range hostConfig.Binds {
splitBind := strings.Split(bind, ":")
source := splitBind[0]
// refuse to bind mount "/" to the container
if source == "/" {
return fmt.Errorf("Invalid bind mount '%s' : source can't be '/'", bind)
}
// ensure the source exists on the host
_, err := os.Stat(source)
if err != nil && os.IsNotExist(err) {
return fmt.Errorf("Invalid bind mount '%s' : source doesn't exist", bind)
}
}
}
if container == nil { if container == nil {
return fmt.Errorf("No such container: %s", name) return fmt.Errorf("No such container: %s", name)
} }