ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S6469/docker/rule.adoc
Fred Tingaud 16f6c0aecf
Inline adoc when include has no additional value (#1940) 
Inline adoc files when they are included exactly once.

Also fix language tags because this inlining gives us better information
on what language the code is written in.
2023-05-25 14:18:12 +02:00

64 lines
1.8 KiB
Plaintext
Raw Blame History

== Why is this an issue?
Docker offers a feature to mount files and directories for specific `RUN`
instructions when building Docker images. This feature can be used to provide
secrets to the commands that are executed during the build without baking them
into the image. Additionally, it can be used to access SSH agents during the
build.
By using the `mode` option the permissions of the secrets or agents can be
modified. By default, access is limited to the root user.
When such secrets are exposed with lax permissions, they might get compromised
during the image build process. A successful compromise can only happen during
the execution of the command the `mount` option has been added to. While this
might seem like a very hard exploitation requirement, supply chain attacks, and
other related threats, should still be considered.
If you are executing a command as a low-privileged user and need to access
secrets or agents, you can use the options `uid` and `gid` to provide access
without having to resort to world-readable or writable permissions that might
expose them to unintended parties.
=== Noncompliant code example
[source,docker]
----
RUN --mount=type=secret,id=build_secret,mode=0777 ./installer.sh # Noncompliant
----
=== Compliant solution
[source,docker]
----
RUN --mount=type=secret,id=build_secret,uid=1000 ./installer.sh
----
== Resources
* https://cwe.mitre.org/data/definitions/732[MITRE, CWE-732] - Incorrect Permission Assignment for Critical Resource
* https://docs.docker.com/engine/reference/builder/#run---mounttypesecret[Dockerfile reference] - RUN --mount
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
=== Message
For secret:
* Remove world permissions for this sensitive file.
For ssh:
* Remove world permissions for this sensitive agent.
'''
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink