Egon Okerman d1417e82f8
Modify CWE and OWASP Top 10 links to follow standard link format (APPSEC-1134) (#3529)
* Fix all CWE references

* Fix all OWASP references

* Fix missing CWE prefixes
2024-01-15 17:15:56 +01:00


When building a Docker image from a Dockerfile, a context directory is used and
sent to the Docker daemon before the actual build starts. This context
directory usually contains the Dockerfile itself, along with all the files that
will be necessary for the build to succeed. This generally includes:

* the source code of applications to set up in the container.
* configuration files for other software components.
* other necessary packages or components.

The `COPY` and `ADD` directives in the Dockerfile are then used to actually
copy content from the context directory to the image file system.

When `COPY` or `ADD` is used to recursively copy entire top-level directories,
or multiple items whose names are only determined at build time, unexpected
files might get copied into the image filesystem, which could compromise their
confidentiality.

== Ask Yourself Whether

* The copied files and directories might contain sensitive data that should be
kept confidential.
* The context directory contains files and directories that have no functional
purpose for the final container image.

There is a risk if you answered yes to any of those questions.

Keep in mind that the content of the context directory might change depending
on the build environment and over time.

== Recommended Secure Coding Practices

* Limit the use of globbing in the source operands of `COPY` and `ADD`.
* Avoid copying the entire context directory to the image filesystem.
* Prefer providing an explicit list of the files and directories that are required for the image to run properly.

== Sensitive Code Example

Copying the complete context directory:

[source,docker]
----
FROM ubuntu:22.04
# Sensitive
COPY . .
CMD /run.sh
----

Copying multiple files and directories whose names are expanded at build time:

[source,docker]
----
FROM ubuntu:22.04
# Sensitive
COPY ./example* /
COPY ./run.sh /
CMD /run.sh
----
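
A context-side check, added here as an example and not part of the rule or of the SonarSource analyzer: a POSIX shell function (`list_copy_sources`, a name chosen for this example) that expands each `COPY`/`ADD` source operand against the build context directory and prints what a pattern such as `./example*` would actually copy. It assumes the context is a local directory and approximates Docker's pattern matching with the shell's own globbing.

```shell
# Added check (not part of the rule or of SonarSource's analyzer): list what the
# source operands of every COPY/ADD instruction in a Dockerfile would pull in
# from a given build context, so a glob such as ./example* can be audited before
# the image is built.
# Approximations: the shell's own globbing stands in for Docker's Go-style
# pattern matching, .dockerignore is not honoured, and JSON-array operands
# (COPY ["a", "b"]) and backslash line continuations are not parsed.
# Usage:  list_copy_sources <Dockerfile> <context-dir>
# Output: one line per matched path, "<INSTRUCTION><TAB><path>".
list_copy_sources() {
  dockerfile=$1
  context=$2
  grep -E '^[[:space:]]*(COPY|ADD)[[:space:]]' "$dockerfile" |
  while read -r instr rest; do
    (
      cd "$context" || exit 1
      set -f                     # no globbing while splitting the operands
      set -- $rest
      while [ $# -gt 1 ]; do     # the last operand is the destination
        src=$1; shift
        case $src in --*) continue ;; esac   # skip flags such as --chown=
        set +f                   # expand the source pattern inside the context
        for match in $src; do
          [ -e "$match" ] && printf '%s\t%s\n' "$instr" "${match#./}"
        done
        set -f
      done
    )
  done
}
```

Run it against a context that contains an `example-secrets.env` file next to `example1` and `example2` and the `./example*` pattern from the sensitive example above lists the secrets file along with the two directories.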

== Compliant Solution

[source,docker]
----
FROM ubuntu:22.04
COPY ./example1 /example1
COPY ./example2 /example2
COPY ./run.sh /
CMD /run.sh
----

== See

* https://docs.docker.com/engine/reference/builder/#copy[Dockerfile reference] - COPY directive
* https://docs.docker.com/engine/reference/builder/#add[Dockerfile reference] - ADD directive
* CWE - https://cwe.mitre.org/data/definitions/668[CWE-668 - Exposure of Resource to Wrong Sphere]
* CWE - https://cwe.mitre.org/data/definitions/497[CWE-497 - Exposure of Sensitive System Information to an Unauthorized Control Sphere]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

== Message

When a dangerous wildcard is found:

* COPY: Copying using a glob pattern might inadvertently add sensitive data to the container. Make sure it is safe here.
* ADD: Adding files using a glob pattern might inadvertently add sensitive data to the container. Make sure it is safe here.

In any other case:

* COPY: Copying recursively might inadvertently add sensitive data to the container. Make sure it is safe here.
* ADD: Adding files recursively might inadvertently add sensitive data to the container. Make sure it is safe here.

== Highlighting

The `COPY` or `ADD` dangerous source.

'''
endif::env-github,rspecator-view[]