opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-06-21 09:28:09 +08:00
Code Issues Packages Projects Releases Wiki Activity

podman-remote: prevent leaking secret into image

Browse Source 
Prevents temp secrets leaking into image by moving it away from context
directory to parent builder directory. Builder directory automatically
gets cleaned up when we are done with the build.

Signed-off-by: Aditya Rajan <arajan@redhat.com>
This commit is contained in:
Aditya Rajan
2021-11-30 14:15:53 +05:30
parent e7204178e1
commit c80a2e4495
3 changed files with 32 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
pkg/api/handlers/compat/images_build.go
View File

@ -259,7 +259,19 @@ func BuildImage(w http.ResponseWriter, r *http.Request) {
arr := strings.SplitN(token, "=", 2)
if len(arr) > 1 {
if arr[0] == "src" {
modifiedSrc := fmt.Sprintf("src=%s", filepath.Join(contextDirectory, arr[1]))
/* move secret away from contextDir */
/* to make sure we dont accidentally commit temporary secrets to image*/
builderDirectory, _ := filepath.Split(contextDirectory)
// following path is outside build context
newSecretPath := filepath.Join(builderDirectory, arr[1])
oldSecretPath := filepath.Join(contextDirectory, arr[1])
err := os.Rename(oldSecretPath, newSecretPath)
if err != nil {
utils.BadRequest(w, "secrets", query.Secrets, err)
return
}
modifiedSrc := fmt.Sprintf("src=%s", newSecretPath)
modifiedOpt = append(modifiedOpt, modifiedSrc)
} else {
modifiedOpt = append(modifiedOpt, token)

3
test/e2e/build/Dockerfile.with-secret-verify-leak Normal file
View File

@ -0,0 +1,3 @@
FROM alpine
COPY * /
RUN --mount=type=secret,id=mysecret cat /run/secrets/mysecret

16
test/e2e/build_test.go
View File

@ -82,6 +82,22 @@ var _ = Describe("Podman build", func() {
Expect(session).Should(Exit(0))
})
It("podman build with a secret from file and verify if secret file is not leaked into image", func() {
session := podmanTest.Podman([]string{"build", "-f", "build/Dockerfile.with-secret-verify-leak", "-t", "secret-test-leak", "--secret", "id=mysecret,src=build/secret.txt", "build/"})
session.WaitWithDefaultTimeout()
Expect(session).Should(Exit(0))
Expect(session.OutputToString()).To(ContainSubstring("somesecret"))
session = podmanTest.Podman([]string{"run", "--rm", "secret-test-leak", "ls"})
session.WaitWithDefaultTimeout()
Expect(session).Should(Exit(0))
Expect(session.OutputToString()).To(Not(ContainSubstring("podman-build-secret")))
session = podmanTest.Podman([]string{"rmi", "secret-test-leak"})
session.WaitWithDefaultTimeout()
Expect(session).Should(Exit(0))
})
It("podman build with logfile", func() {
logfile := filepath.Join(podmanTest.TempDir, "logfile")
session := podmanTest.Podman([]string{"build", "--pull-never", "--tag", "test", "--logfile", logfile, "build/basicalpine"})