Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

genpolicy: block self paths for copyFile requests #271

Merged
merged 2 commits into from
Dec 16, 2024
Merged

genpolicy: block self paths for copyFile requests #271

merged 2 commits into from
Dec 16, 2024

Conversation

Redent0r
Copy link

@Redent0r Redent0r commented Dec 13, 2024
edited
Loading

Merge Checklist
  • Followed patch format from upstream recommendation: https://github.com/kata-containers/community/blob/main/CONTRIBUTING.md#patch-format
    • Included a single commit in a given PR - at least unless there are related commits and each makes sense as a change on its own.
  • Aware about the PR to be merged using "create a merge commit" rather than "squash and merge" (or similar)
  • The upstream/missing label (or upstream/not-needed) has been set on the PR.
Summary

Self paths are not useful and may cause security issues

Test Methodology

https://dev.azure.com/mariner-org/mariner/_build/results?buildId=695294&view=results [pass]

@Redent0r Redent0r force-pushed the saulparedes/block_self_directory_path branch 2 times, most recently from 792a59b to aabde30 Compare December 13, 2024 20:33
@Redent0r
genpolicy: block self symlink paths for copyFile requests
eac886e 
Self symlink paths are not useful and may cause security issues. Also move parent directory check to check_symlink_source since we only need
this check for symlinks. We already filter self and parent input.path references in this regexp
https://github.com/microsoft/kata-containers/blob/06ea44595d084461340fe172ec59826c168763ff/src/tools/genpolicy/rules.rego#L1185

Signed-off-by: Saul Paredes <[email protected]>
@Redent0r Redent0r force-pushed the saulparedes/block_self_directory_path branch from aabde30 to eac886e Compare December 13, 2024 20:36
@Redent0r
samples: update samples
876c404 
Update samples policy annotations

Signed-off-by: Saul Paredes <[email protected]>
@Redent0r Redent0r added the upstream/missing PRs that are yet to be upstreamed label Dec 16, 2024
@Redent0r Redent0r marked this pull request as ready for review December 16, 2024 19:58
@Redent0r Redent0r requested review from a team as code owners December 16, 2024 19:58
@Redent0r Redent0r merged commit 9451ebe into msft-main Dec 16, 2024
131 of 154 checks passed
@Redent0r Redent0r deleted the saulparedes/block_self_directory_path branch December 16, 2024 21:14
@Redent0r Redent0r mentioned this pull request Dec 16, 2024
Merged
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@danmihai1 danmihai1 danmihai1 approved these changes

Assignees
No one assigned
Labels
upstream/missing PRs that are yet to be upstreamed
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Redent0r @danmihai1