Issue #3127 (closed)
SECURITY: tags are used without sanitization
Description
As a user, I can do:
pulp-admin docker repo tag --repo-id test-docker --tag-name ../just:kidding --digest sha256:d5749b517161981ec3f189ff8a7d1dac3d15332c595b297cbc9246286fde34a3
which will result in the repo publishing the image as /var/lib/pulp/published/docker/v2/web/test-docker/manifests/just:kidding
(instead of under /var/lib/pulp/published/docker/v2/web/test-docker/manifests/2/)
It doesn't look like you can escape the repository directory structure with a cleverly crafted tag, but you can most certainly put a v2 image in the v1 namespace.
I think tags should follow a directory structure normalization, and any ../ should be stripped out.
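The normalization the report asks for, as an added illustration (not Pulp's own code): a tag is first checked against the Docker/OCI tag grammar, and the computed publish path is then verified to stay under the repository's manifests directory. The publish root and the `../just:kidding` tag come from the issue; the function names and the tag regex are this example's own assumptions.

```python
import posixpath
import re

# Docker/OCI reference grammar for a tag (assumption: not shown on the page).
TAG_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$")

# Publish root as reported in the issue.
PUBLISH_ROOT = "/var/lib/pulp/published/docker/v2/web"


def is_valid_tag(tag):
    """True only for tags matching the Docker tag grammar (no '/', ':' or '..')."""
    return bool(TAG_RE.match(tag))


def unsanitized_path(repo_id, tag, schema_version=2):
    """Reproduces the reported behaviour: the tag is joined to the path verbatim,
    so '../just:kidding' lands in manifests/ instead of manifests/2/."""
    base = posixpath.join(PUBLISH_ROOT, repo_id, "manifests", str(schema_version))
    return posixpath.normpath(posixpath.join(base, tag))


def manifest_path(repo_id, tag, schema_version=2):
    """Hardened version: reject malformed tags, then confirm the normalized
    path is still inside <root>/<repo>/manifests/<schema>/."""
    if not is_valid_tag(tag):
        raise ValueError("invalid docker tag: %r" % tag)
    base = posixpath.join(PUBLISH_ROOT, repo_id, "manifests", str(schema_version))
    candidate = posixpath.normpath(posixpath.join(base, tag))
    # Defense in depth: the regex already excludes '/', but check containment anyway.
    if posixpath.commonpath([base, candidate]) != base:
        raise ValueError("tag escapes manifest directory: %r" % tag)
    return candidate


if __name__ == "__main__":
    print(unsanitized_path("test-docker", "../just:kidding"))
    print(manifest_path("test-docker", "latest"))
```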
Updated by dalley about 7 years ago
- Priority changed from Normal to High
- Severity changed from 4. Urgent to 3. High
- Triaged changed from No to Yes
Updated by bmbouter over 5 years ago
- Status changed from NEW to CLOSED - WONTFIX
Updated by bmbouter over 5 years ago
Pulp 2 is approaching maintenance mode, and this Pulp 2 ticket is not being actively worked on. As such, it is being closed as WONTFIX. Pulp 2 is still accepting contributions though, so if you want to contribute a fix for this ticket, please reopen or comment on it. If you don't have permissions to reopen this ticket, or you want to discuss an issue, please reach out via the developer mailing list.