test/e2e: add CVE-2025-9566 regression test

Ensure we do not regress again.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Paul Holzinger
2025-09-05 18:17:17 +02:00
parent c8183c50a0
commit 6c4b98c940


@ -2188,7 +2188,7 @@ func getPersistentVolumeClaimVolume(vName string) *Volume {
// getConfigMapVolume returns a new ConfigMap Volume given the name and items // getConfigMapVolume returns a new ConfigMap Volume given the name and items
// of the ConfigMap. // of the ConfigMap.
func getConfigMapVolume(vName string, items []map[string]string, optional bool, defaultMode *int32) *Volume { //nolint:unparam func getConfigMapVolume(vName string, items []map[string]string, optional bool, defaultMode *int32) *Volume {
vol := &Volume{ vol := &Volume{
VolumeType: "ConfigMap", VolumeType: "ConfigMap",
Name: defaultVolName, Name: defaultVolName,
@ -6391,4 +6391,33 @@ spec:
Expect(appContainerLogDir).ToNot(BeEmpty(), "Should have found application container log directory") Expect(appContainerLogDir).ToNot(BeEmpty(), "Should have found application container log directory")
Expect(logContent).To(ContainSubstring(expectedMessage), "Log file should contain the expected message") Expect(logContent).To(ContainSubstring(expectedMessage), "Log file should contain the expected message")
}) })
It("CVE-2025-9566 regression test - ConfigMap mount", func() {
testfile := filepath.Join(podmanTest.TempDir, "testfile")
volumeName := "cm-vol"
cm := getConfigMap(withConfigMapName(volumeName), withConfigMapData("foo", "content1"))
cmYaml, err := getKubeYaml("configmap", cm)
Expect(err).ToNot(HaveOccurred())
ctrName := "ctr1"
podName := "pod1"
// create a symlink at the volume mount location so we can make sure we don't resolve that to the host location.
ctr := getCtr(withName(ctrName), withVolumeMount("/test", "", false), withImage(CITEST_IMAGE), withCmd([]string{"sh", "-c", "ln -sf " + testfile + " /test/foo"}))
pod := getPod(withPodName(podName), withVolume(getConfigMapVolume(volumeName, nil, false, nil)), withCtr(ctr))
podYaml, err := getKubeYaml("pod", pod)
Expect(err).ToNot(HaveOccurred())
yamls := []string{cmYaml, podYaml}
err = generateMultiDocKubeYaml(yamls, kubeYaml)
Expect(err).ToNot(HaveOccurred())
podmanTest.PodmanExitCleanly("kube", "play", kubeYaml)
// wait for the container to finish to ensure the symlink was created
podmanTest.PodmanExitCleanly("wait", podName+"-"+ctrName)
podmanTest.PodmanExitCleanly("kube", "down", kubeYaml)
kube := podmanTest.Podman([]string{"kube", "play", kubeYaml})
kube.WaitWithDefaultTimeout()
Expect(kube).To(ExitWithError(125, `cannot create file "foo" at volume mountpoint`))
Expect(testfile).ToNot(BeAnExistingFile(), "file should never be created on the host")
})
}) })
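Review bot: The setup step's success is not verified: `PodmanExitCleanly("wait", ...)` only asserts that `podman wait` itself exited 0, while the container's own exit status (the `ln -sf` result) is printed to stdout and ignored, so a failed symlink creation would only surface later as a confusing mismatch on the `ExitWithError(125, ...)` assertion instead of at the step that actually broke. Capture and check it: `wait := podmanTest.PodmanExitCleanly("wait", podName+"-"+ctrName)` followed by `Expect(wait.OutputToString()).To(Equal("0"), "symlink setup container should exit 0")`. The negative host-side check on line `Expect(testfile).ToNot(BeAnExistingFile(), ...)` covers only creation through a dangling symlink; if the write path could also truncate or overwrite an existing target, pre-creating `testfile` with known content and asserting it is unchanged after the second `kube play` would be a stronger guard, though whether that code path differs is not visible from this hunk. The test also appears to rely on the ConfigMap-backed volume surviving `kube down` so the symlink is still present on the second play; a short comment stating that assumption next to the `kube down` call would help the next maintainer. The enclosing `Describe` block starts before this hunk.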