Issue #3127

closed

SECURITY: tags are used without sanitization

Added by mihai.ibanescu@gmail.com about 7 years ago. Updated over 5 years ago.

Status:
CLOSED - WONTFIX
Priority:
High
Assignee:
-
Start date:
Due date:
Estimated time:
Severity:
3. High
Version - Docker:
Platform Release:
Target Release - Docker:
OS:
Triaged:
Yes
Groomed:
No
Sprint Candidate:
No
Tags:
Pulp 2
Sprint:
Quarter:

Description

As a user, I can do:

pulp-admin docker repo tag --repo-id test-docker --tag-name ../just:kidding --digest sha256:d5749b517161981ec3f189ff8a7d1dac3d15332c595b297cbc9246286fde34a3

which will result in the repo publishing the image as /var/lib/pulp/published/docker/v2/web/test-docker/manifests/just:kidding

(instead of under /var/lib/pulp/published/docker/v2/web/test-docker/manifests/2/)

It doesn't look like you can escape the repository directory structure with a cleverly crafted tag, but you can most certainly put a v2 image in the v1 namespace.

I think tags should follow a directory structure normalization, and any ../ should be stripped out.
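As an added example (not Pulp's own code, and not part of the original report), the check below shows the two layers a publisher can apply before a tag name becomes a filesystem path: first the tag grammar from the Docker/OCI distribution reference spec (one word character followed by up to 127 of `[A-Za-z0-9_.-]`), which already excludes `/`, `:` and a leading `..`; second, a containment check on the normalised path, so that even a tag that slipped past the grammar cannot land outside the repository's `manifests/2/` directory. The directory layout is taken from the paths quoted in the issue; the function names and the `published_root` argument are assumptions made for the example.

```python
import os
import re

# Tag grammar from the Docker/OCI distribution reference spec:
# [\w][\w.-]{0,127}. It forbids '/', ':' and a leading '.',
# so "../just:kidding" from the report is rejected outright.
TAG_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$")


def is_valid_tag(tag: str) -> bool:
    """True only if `tag` matches the distribution tag grammar."""
    return bool(TAG_RE.match(tag))


def resolves_inside(tag_dir: str, tag: str) -> bool:
    """Containment check, independent of the grammar: normalise
    tag_dir/<tag> and require its parent to still be tag_dir.
    Catches '..', absolute paths and empty names."""
    candidate = os.path.normpath(os.path.join(tag_dir, tag))
    return os.path.dirname(candidate) == os.path.normpath(tag_dir)


def manifest_path(published_root: str, repo_id: str, tag: str) -> str:
    """Path under which a v2 tag's manifest would be published
    (layout from the issue: .../docker/v2/web/<repo>/manifests/2/<tag>).
    Raises ValueError instead of writing anywhere else.
    `published_root` is a hypothetical parameter for the example."""
    if not is_valid_tag(tag):
        raise ValueError(f"rejected tag {tag!r}: not a valid docker tag")
    tag_dir = os.path.join(
        published_root, "docker", "v2", "web", repo_id, "manifests", "2"
    )
    # Defence in depth: the grammar should have made this unreachable,
    # but the path check does not depend on the regex being right.
    if not resolves_inside(tag_dir, tag):
        raise ValueError(f"rejected tag {tag!r}: escapes {tag_dir}")
    return os.path.normpath(os.path.join(tag_dir, tag))


def classify(tags):
    """Return {tag: 'ok' | 'rejected'} for a batch of candidate tags."""
    result = {}
    for tag in tags:
        try:
            manifest_path("/var/lib/pulp/published", "test-docker", tag)
            result[tag] = "ok"
        except ValueError:
            result[tag] = "rejected"
    return result


if __name__ == "__main__":
    # Constructed sample tags: the one from the report plus a few edge cases.
    samples = ["../just:kidding", "latest", "v1.2-rc.1", "-bad", "", "/etc"]
    for tag, verdict in classify(samples).items():
        print(f"{tag!r:20} {verdict}")
```

Note that `resolves_inside("/x/manifests/2", "just:kidding")` is True while `is_valid_tag("just:kidding")` is False: the containment check only answers "does this stay in the directory", so it is a backstop, not a replacement for validating the tag against the grammar at the API boundary.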

Actions #1

Updated by dalley about 7 years ago

  • Priority changed from Normal to High
  • Severity changed from 4. Urgent to 3. High
  • Triaged changed from No to Yes
Actions #2

Updated by bmbouter over 5 years ago

  • Status changed from NEW to CLOSED - WONTFIX
Actions #3

Updated by bmbouter over 5 years ago

Pulp 2 is approaching maintenance mode, and this Pulp 2 ticket is not being actively worked on. As such, it is being closed as WONTFIX. Pulp 2 is still accepting contributions though, so if you want to contribute a fix for this ticket, please reopen or comment on it. If you don't have permissions to reopen this ticket, or you want to discuss an issue, please reach out via the developer mailing list.

Actions #4

Updated by bmbouter over 5 years ago

  • Tags Pulp 2 added