Restrict checkpoint name to prevent directory traversal

This fix tries to address the issue raised in 28769 where checkpoint name was not checked before passing to containerd. As a result, it was possible to use a special checkpoint name to get outside of the container's directory. This fix add restriction `[a-zA-Z0-9][a-zA-Z0-9_.-]+` (`RestrictedNamePattern`). This is the same as container name restriction. This fix fixes 28769. Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2022-11-09 12:21:53 -05:00 · 2016-11-23 11:45:35 -08:00 · 2016-11-23 11:45:35 -08:00 · c90ec05175
commit c90ec05175
parent ae64cae74e
4 changed files with 14 additions and 6 deletions
--- a/daemon/checkpoint.go
+++ b/daemon/checkpoint.go
@ -8,6 +8,12 @@ import (
 	"path/filepath"

 	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/utils"
+)
+
+var (
+	validCheckpointNameChars   = utils.RestrictedNameChars
+	validCheckpointNamePattern = utils.RestrictedNamePattern
 )

 // CheckpointCreate checkpoints the process running in a container with CRIU
@ -28,6 +34,10 @@ func (daemon *Daemon) CheckpointCreate(name string, config types.CheckpointCreat
 		checkpointDir = container.CheckpointDir()
 	}

+	if !validCheckpointNamePattern.MatchString(config.CheckpointID) {
+		return fmt.Errorf("Invalid checkpoint ID (%s), only %s are allowed", config.CheckpointID, validCheckpointNameChars)
+	}
+
 	err = daemon.containerd.CreateCheckpoint(container.ID, config.CheckpointID, checkpointDir, config.Exit)
 	if err != nil {
 		return fmt.Errorf("Cannot checkpoint container %s: %s", name, err)