[v0.12 backport] security: path traversal and git option injection fixes #6650
Open
smerkviladze wants to merge 6 commits into moby:v0.12
Add executor.ValidContainerID and enforce it in runc/containerd Run paths. Only runc executor used the ID in filesystem operations.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
(cherry picked from commit 789df2422341960b7549d14ea475add43e73cd74)
(cherry picked from commit 5e285127899ea49bad2437f2d53114bbe30dd36f)
(cherry picked from commit 099cf80)
Signed-off-by: Sopho Merkviladze <smerkviladze@mirantis.com>

Add safeFileName and route all getFileName sources through it.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
(cherry picked from commit 9d117af5ab1e1032f75658884384328fea440843)
(cherry picked from commit ee4de4c2aa53a76fb2ba135cfcb2daa8e45c5b80)
(cherry picked from commit 9ce6f62)
Signed-off-by: Sopho Merkviladze <smerkviladze@mirantis.com>

Use securejoin.SecureJoin to compute a path confined to the root directory before performing operations such as opening, changing ownership, or updating timestamps on the downloaded file. This prevents path traversal attacks using crafted filenames. os.OpenRoot (introduced in Go 1.24) is not available on this branch; securejoin provides equivalent root confinement functionality.
(cherry-picked from commit df43783)
Signed-off-by: Sopho Merkviladze <smerkviladze@mirantis.com>

Validate user-provided refs once during identifier construction and reject option-like refs with leading '-'. There is no known attack related to previous core, patch is to make ref handling more robust and improve errors.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
(cherry picked from commit f5462c2)
Signed-off-by: Sopho Merkviladze <smerkviladze@mirantis.com>

Normalize Git subdir fragments and validate checkout subdir components so each segment must be a real directory, preventing traversal and symlink escapes.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
(cherry picked from commit 45b038c)
Signed-off-by: Sopho Merkviladze <smerkviladze@mirantis.com>

Linux:
- Uses openat with O_PATH | O_NOFOLLOW per component to eliminate TOCTOU
races.
- Traversal fd is only for validation; a readable fd is opened via
readdirnames for listing directory entries.
Windows:
- Falls back to os.Lstat per component and os.Open for readability.
- TOCTOU exists theoretically, but acceptable for controlled BuildKit
temp dirs.
Benefits:
- Prevents symlink escapes at kernel level, strengthening CVE-2026-33748 fix.
- Returns a reusable *os.File, removing the separate validate+open two-step.
- Cross-platform API via platform-specific files simplifies call site.
Updated tests verify openSubdirSafe correctness and that readdirnames
correctly obtains a readable fd from an O_PATH anchor on Linux.
Signed-off-by: Sopho Merkviladze <smerkviladze@mirantis.com>
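
The per-component walk described in the commit message above, as an added Go sketch that is not the PR's code. `openSubdirConfined` is a hypothetical name, the code is Linux only, and it opens each component with `O_RDONLY|O_DIRECTORY|O_NOFOLLOW` instead of the commit's `O_PATH` anchor so that only the standard library is needed and the returned handle can be listed directly.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// openSubdirConfined (hypothetical helper, Linux only) walks subdir below root
// one component at a time; every component must be a real directory, not a symlink.
func openSubdirConfined(root, subdir string) (*os.File, error) {
	const flags = syscall.O_RDONLY | syscall.O_DIRECTORY | syscall.O_NOFOLLOW | syscall.O_CLOEXEC
	fd, err := syscall.Open(root, flags, 0)
	if err != nil {
		return nil, fmt.Errorf("open root: %w", err)
	}
	for _, comp := range strings.Split(filepath.ToSlash(subdir), "/") {
		if comp == "" || comp == "." {
			continue // no-op segments
		}
		if comp == ".." {
			// ".." is a real directory, so openat would happily climb out of root.
			syscall.Close(fd)
			return nil, fmt.Errorf("subdir %q: parent reference not allowed", subdir)
		}
		// Resolved relative to the fd already held, so a later symlink swap cannot redirect it.
		next, err := syscall.Openat(fd, comp, flags, 0)
		syscall.Close(fd)
		if err != nil {
			return nil, fmt.Errorf("subdir component %q: %w", comp, err)
		}
		fd = next
	}
	return os.NewFile(uintptr(fd), filepath.Join(root, subdir)), nil
}

func main() {
	root, _ := os.MkdirTemp("", "checkout") // constructed sample tree
	defer os.RemoveAll(root)
	os.MkdirAll(filepath.Join(root, "a", "b"), 0o755)
	os.Symlink("/", filepath.Join(root, "a", "link")) // symlink pointing outside root
	for _, sub := range []string{"a/b", "a/link", "a/link/etc", "a/../.."} {
		f, err := openSubdirConfined(root, sub)
		f.Close() // nil-safe: on a nil *os.File this returns an error, no panic
		fmt.Printf("%-12s err=%v\n", sub, err)
	}
}
```

Unlike an `O_PATH` walk, this variant needs read permission on every intermediate directory, not just search permission.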
Author
Created PR #6663 to address the following CI error:
a233a2a to 3b186a1
Collaborator
I'm going to close this because this is an old release branch that we don't build anymore. If you need the CVE to be patched, you can fork and build from your fork.
Member
These were backports for the Mirantis 25.x LTS release; opening them again
This PR backports the security fixes from https://github.com/moby/buildkit/releases/tag/v0.28.1 (PR #6613) to the v0.12 branch with Go 1.20-compatible implementations.
Fixes CVE-2026-33748 and CVE-2026-33747.