diff options
author | Aditya Rajan <arajan@redhat.com> | 2021-11-30 14:15:53 +0530 |
---|---|---|
committer | Aditya Rajan <arajan@redhat.com> | 2021-11-30 15:44:10 +0530 |
commit | c80a2e4495f877bc0f6a522e99b511de6c0d525d (patch) | |
tree | cdddb70203a49f8f0a9a3789651e689d2b700e59 /pkg/api/handlers | |
parent | e7204178e175d8ad619faa626ba284c777886cd3 (diff) | |
download | podman-c80a2e4495f877bc0f6a522e99b511de6c0d525d.tar.gz podman-c80a2e4495f877bc0f6a522e99b511de6c0d525d.tar.bz2 podman-c80a2e4495f877bc0f6a522e99b511de6c0d525d.zip |
podman-remote: prevent leaking secret into image
Prevents temp secrets leaking into image by moving it away from context
directory to parent builder directory. Builder directory automatically
gets cleaned up when we are done with the build.
Signed-off-by: Aditya Rajan <arajan@redhat.com>
Diffstat (limited to 'pkg/api/handlers')
-rw-r--r-- | pkg/api/handlers/compat/images_build.go | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/pkg/api/handlers/compat/images_build.go b/pkg/api/handlers/compat/images_build.go index 200d72192..3aa1af71a 100644 --- a/pkg/api/handlers/compat/images_build.go +++ b/pkg/api/handlers/compat/images_build.go @@ -259,7 +259,19 @@ func BuildImage(w http.ResponseWriter, r *http.Request) { arr := strings.SplitN(token, "=", 2) if len(arr) > 1 { if arr[0] == "src" { - modifiedSrc := fmt.Sprintf("src=%s", filepath.Join(contextDirectory, arr[1])) + /* move secret away from contextDir */ + /* to make sure we dont accidentally commit temporary secrets to image*/ + builderDirectory, _ := filepath.Split(contextDirectory) + // following path is outside build context + newSecretPath := filepath.Join(builderDirectory, arr[1]) + oldSecretPath := filepath.Join(contextDirectory, arr[1]) + err := os.Rename(oldSecretPath, newSecretPath) + if err != nil { + utils.BadRequest(w, "secrets", query.Secrets, err) + return + } + + modifiedSrc := fmt.Sprintf("src=%s", newSecretPath) modifiedOpt = append(modifiedOpt, modifiedSrc) } else { modifiedOpt = append(modifiedOpt, token) |