include v0.28.1 patches and extra os.Root hardening by tonistiigi · Pull Request #6613 · moby/buildkit

added 9 commits

March 25, 2026 08:14

@tonistiigi

Add executor.ValidContainerID and enforce it in runc/containerd Run paths.

Only runc executor used the ID in filesystem operations.

Signed-off-by: Tonis Tiigi tonistiigi@gmail.com (cherry picked from commit 789df2422341960b7549d14ea475add43e73cd74)

@tonistiigi

Add safeFileName and route all getFileName sources through it.

Signed-off-by: Tonis Tiigi tonistiigi@gmail.com (cherry picked from commit 9d117af5ab1e1032f75658884384328fea440843)
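The two commits above both reduce an attacker-influenced string to something safe to use in a filesystem operation: a container ID that is joined onto a state directory, and a download filename taken from a URL or header. The block below is an added example of that kind of allow-list validation; it is not BuildKit's code, and the exact rules (64-character limit, the `[A-Za-z0-9_.-]` alphabet, the `download` fallback name) are constructed for illustration rather than quoted from the project.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// validContainerID is a hypothetical allow-list (not BuildKit's exact rule):
// 1..64 characters from [A-Za-z0-9_.-], never "." or "..", so the ID can be
// joined onto a state directory without changing which directory it names.
// Separators are excluded by construction, so no path-cleaning step is needed.
func validContainerID(id string) bool {
	if id == "" || len(id) > 64 || id == "." || id == ".." {
		return false
	}
	for _, r := range id {
		switch {
		case r >= 'a' && r <= 'z', r >= 'A' && r <= 'Z', r >= '0' && r <= '9',
			r == '_', r == '.', r == '-':
		default:
			return false
		}
	}
	return true
}

// fallbackFileName is a constructed default used when nothing usable survives.
const fallbackFileName = "download"

// safeFileName reduces a name taken from a URL path, a Content-Disposition
// header or a blob descriptor to a single path component. Backslashes are
// treated as separators so `a\..\b` cannot survive on a platform where they
// are not, and NUL is rejected because it truncates the name at the syscall.
func safeFileName(name string) string {
	if strings.ContainsRune(name, 0) {
		return fallbackFileName
	}
	name = strings.ReplaceAll(name, "\\", "/")
	base := path.Base(name) // "../../etc/passwd" -> "passwd"; "" -> "."; "/" -> "/"
	switch base {
	case "", ".", "..", "/":
		return fallbackFileName
	}
	return base
}

func main() {
	for _, id := range []string{"buildkit-abc_123", "../etc", "a/b"} {
		fmt.Printf("container id %q valid: %v\n", id, validContainerID(id))
	}
	for _, n := range []string{"../../etc/passwd", `a\..\b`, "..", "x\x00y"} {
		fmt.Printf("filename %q -> %q\n", n, safeFileName(n))
	}
}
```

Validating the ID with an allow-list rather than stripping bad characters matters: a stripping sanitizer can be coaxed into producing a different, valid-looking ID, whereas rejection leaves the caller with an error and the original input intact for logging.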

@tonistiigi

Open the snapshot mount as an os.Root and perform file write/chown/chtimes through root-relative APIs to keep operations constrained to the mount root.

Signed-off-by: Tonis Tiigi tonistiigi@gmail.com (cherry picked from commit d568881c97278d87e4f6f01a1f8a67ad807152bb)

@tonistiigi

Move safeFileName from source/http to source/util/pathutil and apply it to the containerblob source as well. Harden containerblob/pull.go to use os.OpenRoot for file writes, preventing path traversal via crafted filenames.

Signed-off-by: Tonis Tiigi tonistiigi@gmail.com (cherry picked from commit 3d6e587655d72c343f6fdc7268480a900ba45b0c)

@tonistiigi

Normalize Git subdir fragments and validate checkout subdir components so each segment must be a real directory, preventing traversal and symlink escapes.

Signed-off-by: Tonis Tiigi tonistiigi@gmail.com (cherry picked from commit 8c994eb561a2646b35352e5663afecd225306214)

@tonistiigi

Validate user-provided refs once during identifier construction and reject option-like refs with leading '-'. There is no known attack related to the previous code; the patch is to make ref handling more robust and improve errors.

Signed-off-by: Tonis Tiigi tonistiigi@gmail.com (cherry picked from commit e7f8093e1b386ffe711c8468ca8cdde8cfea0c72)
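The Git commits above describe two checks: the `#ref:subdir` fragment's subdir is normalized and then walked so that each segment must be a real directory, and refs beginning with `-` are rejected so they cannot be parsed as a `git` option. The following is an added example of both, written for this page; it is not BuildKit's implementation, the ref character filter is a conservative approximation of what `git check-ref-format` enforces, and the checkout tree it builds is constructed in a temporary directory.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path"
	"path/filepath"
	"strings"
)

// validGitRef rejects empty refs, option-like refs and a handful of characters
// git itself disallows in ref names. The exact rule is assumed, not quoted.
func validGitRef(ref string) error {
	if ref == "" {
		return errors.New("empty git ref")
	}
	if strings.HasPrefix(ref, "-") {
		return errors.New("git ref must not start with '-' (would be parsed as an option)")
	}
	if strings.Contains(ref, "..") {
		return errors.New("git ref must not contain '..'")
	}
	for _, r := range ref {
		if r < 0x20 || r == 0x7f || strings.ContainsRune(" ~^:?*[\\", r) {
			return errors.New("git ref contains a character git rejects in ref names")
		}
	}
	return nil
}

// normalizeSubdir cleans the subdir part of a "#ref:subdir" fragment into
// root-relative components and rejects anything that would leave the checkout.
// An empty result means "the whole checkout".
func normalizeSubdir(subdir string) ([]string, error) {
	clean := path.Clean(strings.ReplaceAll(subdir, "\\", "/"))
	if clean == "." || clean == "" {
		return nil, nil
	}
	if path.IsAbs(clean) || clean == ".." || strings.HasPrefix(clean, "../") {
		return nil, errors.New("subdir escapes checkout: " + subdir)
	}
	return strings.Split(clean, "/"), nil
}

// checkoutSubdir walks from checkoutDir one component at a time, Lstat-ing
// each one: every segment must be a real directory (not a symlink, not a
// file), so a symlink committed to the repository cannot redirect the context.
func checkoutSubdir(checkoutDir, subdir string) (string, error) {
	parts, err := normalizeSubdir(subdir)
	if err != nil {
		return "", err
	}
	cur := checkoutDir
	for _, p := range parts {
		cur = filepath.Join(cur, p)
		fi, err := os.Lstat(cur) // Lstat, not Stat: do not follow symlinks
		if err != nil {
			return "", err
		}
		if fi.Mode()&os.ModeSymlink != 0 {
			return "", errors.New("subdir component is a symlink: " + p)
		}
		if !fi.IsDir() {
			return "", errors.New("subdir component is not a directory: " + p)
		}
	}
	return cur, nil
}

// demoSubdir builds a constructed checkout (src/lib plus a symlink "escape"
// pointing outside it) and reports which subdir inputs are accepted.
func demoSubdir() (realOK, symlinkRejected, dotdotRejected bool, err error) {
	base, err := os.MkdirTemp("", "gitdemo")
	if err != nil {
		return
	}
	defer os.RemoveAll(base)
	checkout := filepath.Join(base, "checkout")
	outside := filepath.Join(base, "outside")
	if err = os.MkdirAll(filepath.Join(checkout, "src", "lib"), 0o755); err != nil {
		return
	}
	if err = os.Mkdir(outside, 0o755); err != nil {
		return
	}
	if err = os.Symlink(outside, filepath.Join(checkout, "escape")); err != nil {
		return
	}
	_, e1 := checkoutSubdir(checkout, "src/./lib/")
	_, e2 := checkoutSubdir(checkout, "escape/anything")
	_, e3 := checkoutSubdir(checkout, "src/../../outside")
	return e1 == nil, e2 != nil, e3 != nil, nil
}

func main() {
	a, b, c, err := demoSubdir()
	fmt.Println("real dir ok:", a, "symlink rejected:", b, "dotdot rejected:", c, "err:", err)
	fmt.Println("ref '--upload-pack=x' rejected:", validGitRef("--upload-pack=x") != nil)
}
```

The component walk still has a window between the `Lstat` and the later use of the path in which a component could be swapped for a symlink, which is why the later commit in this PR moves the same access onto `os.OpenRoot`, where the directory handle, not a string, anchors resolution.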

@tonistiigi

Open the snapshot mount as an os.Root and perform file reads through root-relative APIs in verifySignature and computeChecksumResponse, consistent with the write path.

Signed-off-by: Tonis Tiigi tonistiigi@gmail.com

@tonistiigi

Use os.OpenRoot for git dir and checkout subdir access, and share root-relative path normalization between validation and open paths.

Signed-off-by: Tonis Tiigi tonistiigi@gmail.com

@tonistiigi

Use os.OpenRoot for resolv.conf and hosts state file creation, and adapt executor callers and tests to the root-relative helper API.

Signed-off-by: Tonis Tiigi tonistiigi@gmail.com
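Several of the commits above share one mechanism: open the snapshot mount, git directory or state directory as an `os.Root` and do every file operation through root-relative methods, so that a crafted name cannot escape the directory however it is spelled. The block below is an added example of that pattern next to the `filepath.Join` + `os.WriteFile` pattern it replaces; it is not BuildKit's code, requires Go 1.24 or later for `os.OpenRoot`, and constructs its own temporary root containing a symlink that points outside it.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// writeUnderRoot creates relPath strictly inside rootDir through os.OpenRoot.
// Each component is resolved relative to the open directory handle, so "..",
// absolute paths and symlinks that lead outside rootDir make the call fail
// instead of being followed. No string-prefix check is involved.
func writeUnderRoot(rootDir, relPath string, data []byte, perm os.FileMode) error {
	root, err := os.OpenRoot(rootDir)
	if err != nil {
		return err
	}
	defer root.Close()
	f, err := root.OpenFile(relPath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, perm)
	if err != nil {
		return err
	}
	defer f.Close()
	_, err = f.Write(data)
	return err
}

// unsafeWrite is the pattern being replaced. filepath.Join("root", "a/../../x")
// yields "x" one level above root, and a symlink under rootDir is followed to
// wherever it points, because the kernel resolves the final string as a whole.
func unsafeWrite(rootDir, relPath string, data []byte, perm os.FileMode) error {
	return os.WriteFile(filepath.Join(rootDir, relPath), data, perm)
}

// demoRoot builds base/root (containing symlink "link" -> base/outside) and
// base/outside, then exercises both writers with escaping names.
func demoRoot() (insideOK, dotdotBlocked, symlinkBlocked, legacyEscaped bool, err error) {
	base, err := os.MkdirTemp("", "osroot")
	if err != nil {
		return
	}
	defer os.RemoveAll(base)
	root := filepath.Join(base, "root")
	outside := filepath.Join(base, "outside")
	for _, d := range []string{root, outside} {
		if err = os.Mkdir(d, 0o755); err != nil {
			return
		}
	}
	if err = os.Symlink(outside, filepath.Join(root, "link")); err != nil {
		return
	}
	payload := []byte("x")

	// Hardened writer: a plain name works, both escaping names are refused.
	insideOK = writeUnderRoot(root, "ok.txt", payload, 0o644) == nil
	dotdotBlocked = writeUnderRoot(root, "../outside/a", payload, 0o644) != nil
	symlinkBlocked = writeUnderRoot(root, "link/b", payload, 0o644) != nil

	// Legacy writer: the symlinked write succeeds and the file lands outside root.
	if unsafeWrite(root, "link/c", payload, 0o644) == nil {
		_, statErr := os.Stat(filepath.Join(outside, "c"))
		legacyEscaped = statErr == nil
	}
	return
}

func main() {
	in, dd, sl, esc, err := demoRoot()
	fmt.Println("inside ok:", in, "dotdot blocked:", dd, "symlink blocked:", sl,
		"legacy writer escaped:", esc, "err:", err)
}
```

The example sticks to `Root.OpenFile`, which is part of the type's original Go 1.24 API; the chown and chtimes variants the snapshot write path also needs arrived in a later Go release, which is the reason the backport to the 0.2.x branch mentioned below needs Go 1.20-compatible replacements rather than `os.Root` itself.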

crazy-max

smerkviladze added a commit to smerkviladze/buildkit that referenced this pull request

Apr 3, 2026

@smerkviladze

…2.x branch with Go 1.20-compatible replacements.

Fixes CVE-2026-33748 (git source path traversal and option injection):

Fixes CVE-2026-33747 (frontend file write and container ID path traversal):

Includes tests for path validation, git ref validation, filename sanitization, and container ID checks.

Signed-off-by: Sopho Merkviladze smerkviladze@mirantis.com
