Issue #3127

SECURITY: tags are used without sanitization

Added by mihai.ibanescu@gmail.com over 2 years ago. Updated 11 months ago.

Status:
CLOSED - WONTFIX
Priority:
High
Assignee:
-
Category:
-
Sprint/Milestone:
-
Start date:
Due date:
Severity:
3. High
Version - Docker:
Platform Release:
Blocks Release:
Target Release - Docker:
OS:
Backwards Incompatible:
No
Triaged:
Yes
Groomed:
No
Sprint Candidate:
No
Tags:
Pulp 2
QA Contact:
Complexity:
Smash Test:
Verified:
No
Verification Required:
No
Sprint:

Description

As a user, I can do:

pulp-admin docker repo tag --repo-id test-docker --tag-name ../just:kidding --digest sha256:d5749b517161981ec3f189ff8a7d1dac3d15332c595b297cbc9246286fde34a3

which will result in the repo publishing the image as /var/lib/pulp/published/docker/v2/web/test-docker/manifests/just:kidding

(instead of under /var/lib/pulp/published/docker/v2/web/test-docker/manifests/2/)

It doesn't look like you can escape the repository directory structure with a cleverly crafted tag, but you can most certainly put a v2 image in the v1 namespace.

I think tags should follow a directory structure normalization, and any ../ should be stripped out.
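
The following is an added illustration, not code from the reporter or from the Pulp project. It reproduces the path behaviour described above with a naive join (the tag is trusted as a directory component, so `../just:kidding` resolves one level up, out of `manifests/2/`), and contrasts it with a validating join that first checks the tag against the Docker distribution tag grammar (`[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}`) and then confirms the resolved path still sits directly inside the expected `manifests/<schema-version>/` directory. The publish root and the `naive_manifest_path` / `safe_manifest_path` function names are assumptions made for this example; only the path layout comes from the issue.

```python
import posixpath
import re

# Path layout taken from the issue text:
# /var/lib/pulp/published/docker/v2/web/<repo-id>/manifests/<schema-version>/<tag>
# The root is used here only as an example value; nothing is written to disk.
PUBLISH_ROOT = "/var/lib/pulp/published/docker/v2/web"

# Docker tag grammar from the distribution reference spec: 1 to 128 characters
# of [A-Za-z0-9_.-], and the first character may not be '.' or '-'.
# A '/' or ':' can never appear, so path traversal is rejected at the allowlist.
TAG_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$")


def is_valid_tag(tag: str) -> bool:
    """Allowlist check: only a well-formed Docker tag passes."""
    return bool(TAG_RE.match(tag))


def naive_manifest_path(repo_id: str, schema_version: int, tag: str) -> str:
    """Unsanitized join, matching the behaviour the issue reports.

    '../just:kidding' normalizes to manifests/just:kidding, i.e. outside the
    manifests/2/ directory the tag was supposed to land in.
    """
    raw = posixpath.join(PUBLISH_ROOT, repo_id, "manifests", str(schema_version), tag)
    return posixpath.normpath(raw)


def safe_manifest_path(repo_id: str, schema_version: int, tag: str) -> str:
    """Validate the tag, then verify the resolved path stays inside the
    manifests/<schema-version>/ directory before returning it.

    Two independent checks are used: the allowlist rejects anything that is not
    a legal tag, and the containment check catches any future loosening of the
    allowlist that might let a separator through.
    """
    if not is_valid_tag(tag):
        raise ValueError(f"invalid tag: {tag!r}")
    base = posixpath.normpath(
        posixpath.join(PUBLISH_ROOT, repo_id, "manifests", str(schema_version))
    )
    target = posixpath.normpath(posixpath.join(base, tag))
    # The tag must be a single path component directly under base.
    if posixpath.dirname(target) != base:
        raise ValueError(f"tag escapes manifest directory: {tag!r}")
    return target


if __name__ == "__main__":
    print(naive_manifest_path("test-docker", 2, "../just:kidding"))
    print(safe_manifest_path("test-docker", 2, "latest"))
    try:
        safe_manifest_path("test-docker", 2, "../just:kidding")
    except ValueError as exc:
        print("rejected:", exc)
```

Run stand-alone, the first line printed is the escaped path from the issue, the second is a correctly contained path, and the third shows the crafted tag being refused. Rejecting at validation time (rather than stripping `../` out of the tag) is the safer fix, since a tag that is not a legal Docker tag should never be accepted in the first place, and silently rewriting it would publish the image under a name the user did not ask for.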

History

#1 Updated by dalley over 2 years ago

  • Priority changed from Normal to High
  • Severity changed from 4. Urgent to 3. High
  • Triaged changed from No to Yes

#2 Updated by bmbouter 11 months ago

  • Status changed from NEW to CLOSED - WONTFIX

#3 Updated by bmbouter 11 months ago

Pulp 2 is approaching maintenance mode, and this Pulp 2 ticket is not being actively worked on. As such, it is being closed as WONTFIX. Pulp 2 is still accepting contributions though, so if you want to contribute a fix for this ticket, please reopen or comment on it. If you don't have permissions to reopen this ticket, or you want to discuss an issue, please reach out via the developer mailing list.

#4 Updated by bmbouter 11 months ago

  • Tags Pulp 2 added
