summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAditya Rajan <arajan@redhat.com>2021-11-30 14:15:53 +0530
committerAditya Rajan <arajan@redhat.com>2021-11-30 15:44:10 +0530
commitc80a2e4495f877bc0f6a522e99b511de6c0d525d (patch)
treecdddb70203a49f8f0a9a3789651e689d2b700e59
parente7204178e175d8ad619faa626ba284c777886cd3 (diff)
downloadpodman-c80a2e4495f877bc0f6a522e99b511de6c0d525d.tar.gz
podman-c80a2e4495f877bc0f6a522e99b511de6c0d525d.tar.bz2
podman-c80a2e4495f877bc0f6a522e99b511de6c0d525d.zip
podman-remote: prevent leaking secret into image
Prevents temp secrets leaking into image by moving it away from context directory to parent builder directory. Builder directory automatically gets cleaned up when we are done with the build. Signed-off-by: Aditya Rajan <arajan@redhat.com>
-rw-r--r--pkg/api/handlers/compat/images_build.go14
-rw-r--r--test/e2e/build/Dockerfile.with-secret-verify-leak3
-rw-r--r--test/e2e/build_test.go16
3 files changed, 32 insertions, 1 deletions
diff --git a/pkg/api/handlers/compat/images_build.go b/pkg/api/handlers/compat/images_build.go
index 200d72192..3aa1af71a 100644
--- a/pkg/api/handlers/compat/images_build.go
+++ b/pkg/api/handlers/compat/images_build.go
@@ -259,7 +259,19 @@ func BuildImage(w http.ResponseWriter, r *http.Request) {
arr := strings.SplitN(token, "=", 2)
if len(arr) > 1 {
if arr[0] == "src" {
- modifiedSrc := fmt.Sprintf("src=%s", filepath.Join(contextDirectory, arr[1]))
+ /* move secret away from contextDir */
+ /* to make sure we dont accidentally commit temporary secrets to image*/
+ builderDirectory, _ := filepath.Split(contextDirectory)
+ // following path is outside build context
+ newSecretPath := filepath.Join(builderDirectory, arr[1])
+ oldSecretPath := filepath.Join(contextDirectory, arr[1])
+ err := os.Rename(oldSecretPath, newSecretPath)
+ if err != nil {
+ utils.BadRequest(w, "secrets", query.Secrets, err)
+ return
+ }
+
+ modifiedSrc := fmt.Sprintf("src=%s", newSecretPath)
modifiedOpt = append(modifiedOpt, modifiedSrc)
} else {
modifiedOpt = append(modifiedOpt, token)
diff --git a/test/e2e/build/Dockerfile.with-secret-verify-leak b/test/e2e/build/Dockerfile.with-secret-verify-leak
new file mode 100644
index 000000000..0957ac6a6
--- /dev/null
+++ b/test/e2e/build/Dockerfile.with-secret-verify-leak
@@ -0,0 +1,3 @@
+FROM alpine
+COPY * /
+RUN --mount=type=secret,id=mysecret cat /run/secrets/mysecret
diff --git a/test/e2e/build_test.go b/test/e2e/build_test.go
index ad401ca83..c541f25ae 100644
--- a/test/e2e/build_test.go
+++ b/test/e2e/build_test.go
@@ -82,6 +82,22 @@ var _ = Describe("Podman build", func() {
Expect(session).Should(Exit(0))
})
+ It("podman build with a secret from file and verify if secret file is not leaked into image", func() {
+ session := podmanTest.Podman([]string{"build", "-f", "build/Dockerfile.with-secret-verify-leak", "-t", "secret-test-leak", "--secret", "id=mysecret,src=build/secret.txt", "build/"})
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(Exit(0))
+ Expect(session.OutputToString()).To(ContainSubstring("somesecret"))
+
+ session = podmanTest.Podman([]string{"run", "--rm", "secret-test-leak", "ls"})
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(Exit(0))
+ Expect(session.OutputToString()).To(Not(ContainSubstring("podman-build-secret")))
+
+ session = podmanTest.Podman([]string{"rmi", "secret-test-leak"})
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(Exit(0))
+ })
+
It("podman build with logfile", func() {
logfile := filepath.Join(podmanTest.TempDir, "logfile")
session := podmanTest.Podman([]string{"build", "--pull-never", "--tag", "test", "--logfile", logfile, "build/basicalpine"})