podman-remote: prevent leaking secret into image
Prevents temporary secrets from leaking into the image by moving them out of the context directory into the parent builder directory. Builder directory automatically gets cleaned up when we are done with the build. Signed-off-by: Aditya Rajan <arajan@redhat.com>
@ -259,7 +259,19 @@ func BuildImage(w http.ResponseWriter, r *http.Request) {
|
||||
arr := strings.SplitN(token, "=", 2)
|
||||
if len(arr) > 1 {
|
||||
if arr[0] == "src" {
|
||||
modifiedSrc := fmt.Sprintf("src=%s", filepath.Join(contextDirectory, arr[1]))
|
||||
/* move secret away from contextDir */
|
||||
/* to make sure we dont accidentally commit temporary secrets to image*/
|
||||
builderDirectory, _ := filepath.Split(contextDirectory)
|
||||
// following path is outside build context
|
||||
newSecretPath := filepath.Join(builderDirectory, arr[1])
|
||||
oldSecretPath := filepath.Join(contextDirectory, arr[1])
|
||||
err := os.Rename(oldSecretPath, newSecretPath)
|
||||
if err != nil {
|
||||
utils.BadRequest(w, "secrets", query.Secrets, err)
|
||||
return
|
||||
}
|
||||
|
||||
modifiedSrc := fmt.Sprintf("src=%s", newSecretPath)
|
||||
modifiedOpt = append(modifiedOpt, modifiedSrc)
|
||||
} else {
|
||||
modifiedOpt = append(modifiedOpt, token)
|
||||
|
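Review bot: The `src=` value in `arr[1]` comes straight from `query.Secrets` and is joined unvalidated into both rename paths, so a value with `..` components makes `os.Rename` read from or write to locations outside the uploaded context, and a value with a subdirectory component fails because that directory does not exist under `builderDirectory`. Rejecting any value whose cleaned form does not resolve inside `contextDirectory`, and moving the file by its base name, closes both cases. Separately, `filepath.Split` returns the context directory itself when the path carries a trailing slash, which would turn the move into a no-op; `filepath.Dir(filepath.Clean(...))` is the robust form. `BuildImage` begins and ends outside this hunk, and whether the builder directory is actually cleaned up after the build cannot be confirmed from here.
```go
builderDirectory := filepath.Dir(filepath.Clean(contextDirectory))
oldSecretPath := filepath.Join(contextDirectory, arr[1])
// reject src values that are empty or escape the uploaded context (e.g. "../x")
if rel, err := filepath.Rel(contextDirectory, oldSecretPath); err != nil || rel == "." || rel == ".." || strings.HasPrefix(rel, "../") {
	utils.BadRequest(w, "secrets", query.Secrets, fmt.Errorf("secret src %q is not inside the build context", arr[1]))
	return
}
// flat name under the parent directory so no intermediate directories are needed
newSecretPath := filepath.Join(builderDirectory, filepath.Base(oldSecretPath))
// … unchanged: os.Rename, error handling, modifiedSrc append …
```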
3
test/e2e/build/Dockerfile.with-secret-verify-leak
Normal file
@ -0,0 +1,3 @@
|
||||
FROM alpine
|
||||
COPY * /
|
||||
RUN --mount=type=secret,id=mysecret cat /run/secrets/mysecret
|
@ -82,6 +82,22 @@ var _ = Describe("Podman build", func() {
|
||||
Expect(session).Should(Exit(0))
|
||||
})
|
||||
|
||||
It("podman build with a secret from file and verify if secret file is not leaked into image", func() {
|
||||
session := podmanTest.Podman([]string{"build", "-f", "build/Dockerfile.with-secret-verify-leak", "-t", "secret-test-leak", "--secret", "id=mysecret,src=build/secret.txt", "build/"})
|
||||
session.WaitWithDefaultTimeout()
|
||||
Expect(session).Should(Exit(0))
|
||||
Expect(session.OutputToString()).To(ContainSubstring("somesecret"))
|
||||
|
||||
session = podmanTest.Podman([]string{"run", "--rm", "secret-test-leak", "ls"})
|
||||
session.WaitWithDefaultTimeout()
|
||||
Expect(session).Should(Exit(0))
|
||||
Expect(session.OutputToString()).To(Not(ContainSubstring("podman-build-secret")))
|
||||
|
||||
session = podmanTest.Podman([]string{"rmi", "secret-test-leak"})
|
||||
session.WaitWithDefaultTimeout()
|
||||
Expect(session).Should(Exit(0))
|
||||
})
|
||||
|
||||
It("podman build with logfile", func() {
|
||||
logfile := filepath.Join(podmanTest.TempDir, "logfile")
|
||||
session := podmanTest.Podman([]string{"build", "--pull-never", "--tag", "test", "--logfile", logfile, "build/basicalpine"})
|
||||
|
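Review bot: The negative assertion `Expect(session.OutputToString()).To(Not(ContainSubstring("podman-build-secret")))` only proves that no entry with that prefix is listed, and the prefix is not defined anywhere in this diff; if the client ever renames its temporary copy, or the test runs against a local (non-remote) podman where nothing is moved, the check passes without exercising the fix. A positive control such as `Expect(session.OutputToString()).To(ContainSubstring("Dockerfile.with-secret-verify-leak"))` would confirm that `COPY * /` actually populated the root that `ls` is inspecting, assuming no .dockerignore excludes it. Note also that `build/secret.txt` itself is inside the context and is presumably copied into the image by `COPY * /`; that is expected here but deserves a one-line comment so the listing is not mistaken for a leak. The enclosing Describe block begins and ends outside this hunk.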