fix(git): Fix path traversal vulnerability in git remote loader #13331
Conversation
Signed-off-by: Suleiman Dibirov <[email protected]>
Sounds good, thanks for the quick fix @idsulik
@idsulik can you create a dedicated PR for the e2e flaky test fix please? I need to merge this one

Yes, working on it, can't find why it fails on GitHub while locally it works stably

Great work guys, can I assign it as a CVE?

@0pepsi No, please, you should have followed the recommendations in our security policy. I’m currently checking with our internal security team to determine the best process to follow.

Sounds good, mb, I thought the whole thing was over (: 👍

@0pepsi because this vulnerability was disclosed publicly, via a GitHub issue, we had to urgently patch and release a new version, and bypass the proper workflow via a private GitHub Security Advisory and a CVE publication. Hence, no CVE will be issued for this. Our security policy asks that researchers disclose security issues privately via [email protected] and follow a responsible disclosure policy which allows us to privately review a submission within 72 hours, and work on a patch before it is disclosed publicly (we ask for up to 90 days of keeping an issue confidential to allow us to properly patch depending on complexity). We will now proceed to delete this issue. Please reach out directly to [email protected] with any follow-up questions or additional findings. Thank you
Referenced by a Renovate Bot MR on another project (Update docker/compose to v2.40.3):

This MR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [docker/compose](https://github.com/docker/compose) | patch | `v2.40.2` -> `v2.40.3` |

MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot). **Proposed changes to behavior should be submitted there as MRs.**

Release Notes: docker/compose [v2.40.3](https://github.com/docker/compose/releases/tag/v2.40.3) ([Compare Source](docker/compose@v2.40.2...v2.40.3))

What's Changed

Fixes
- Fix OCI compose override support by [@ndeloof](https://github.com/ndeloof) [#13311](docker/compose#13311)
- Fix help output for "exec --no-tty" option by [@tonyo](https://github.com/tonyo) [#13314](docker/compose#13314)
- Prompt default implementation to prevent a panic by [@ndeloof](https://github.com/ndeloof) [#13317](docker/compose#13317)
- Run hooks on restart by [@ndeloof](https://github.com/ndeloof) [#13321](docker/compose#13321)
- Fix(run): Ensure images exist only for the target service in run command by [@idsulik](https://github.com/idsulik) [#13325](docker/compose#13325)
- Fix(git): Fix path traversal vulnerability in git remote loader by [@idsulik](https://github.com/idsulik) [#13331](docker/compose#13331)

Internal
- Test to check writeComposeFile detects invalid OCI artifact by [@ndeloof](https://github.com/ndeloof) [#13309](docker/compose#13309)
- Code Cleanup by [@ndeloof](https://github.com/ndeloof) [#13315](docker/compose#13315)

Dependencies
- Bump compose-go to version v2.9.1 by [@glours](https://github.com/glours) [#13332](docker/compose#13332)

**Full Changelog**: <docker/compose@v2.40.2...v2.40.3>

This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
So you aren't going to tell the world about the vulnerability because you didn't like the way it was disclosed?

We've taken a closer look at this issue and appreciated the feedback from community members. While our earlier statement about the CVE disclosure process was inaccurate, we want to clarify that, after further analysis, this is not a vulnerability in Docker Compose and does not warrant a CVE ID. We apologize for the confusion and are sharing the following technical details to provide more context.

Understanding the Reported Behavior

Considering a hypothetical scenario in which a third party application allows untrusted and unsanitized input to be injected into a part of the -f CLI option or in a part of an include or extends field of an otherwise trusted Compose file, that would be a vulnerability of the hypothetical third party application. That said, this PR fixes an actual bug which is the fact that the git loader used to accept an invalid input.
What I did
This PR fixes a path traversal vulnerability in the Git remote loader where subdirectory components containing `..` sequences could escape the cached repository directory and load arbitrary files from the host filesystem (e.g., `https://github.com/docker/compose.git#main:../../../../../../../tmp/pwned`). The fix adds a `validateGitSubDir` function that validates subdirectory paths before joining them with the cache directory, using multiple defense-in-depth checks: rejecting absolute paths, detecting `..` traversal patterns after path normalization, and verifying the final resolved path remains within the base directory.
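The three checks the description lists, written out as an added example in Go; this is not the project's `validateGitSubDir` nor any other code from the PR. The function name `validateSubDir`, the `parseRemoteRef` helper for the `url#ref:subdir` fragment shape seen in the example URL above, the cache path, and the sample remotes are all assumptions constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrInvalidSubDir is returned for any subdirectory that fails validation.
var ErrInvalidSubDir = errors.New("invalid git subdirectory")

// parseRemoteRef splits a remote of the form "<url>#<ref>:<subdir>" (the
// shape of the example URL in the PR description). Assumed helper for this
// example, not the project's own parser.
func parseRemoteRef(remote string) (url, ref, subdir string) {
	url, frag, ok := strings.Cut(remote, "#")
	if !ok {
		return remote, "", ""
	}
	ref, subdir, _ = strings.Cut(frag, ":")
	return url, ref, subdir
}

// validateSubDir (assumed name; the PR's function is validateGitSubDir)
// returns the path of subdir inside base, or an error if subdir is absolute,
// contains a ".." component after normalization, or resolves outside base.
func validateSubDir(base, subdir string) (string, error) {
	baseClean := filepath.Clean(base)
	if subdir == "" {
		return baseClean, nil
	}

	// Check 1: reject absolute paths. filepath.IsAbs is platform-specific
	// ("/tmp" is not absolute on Windows), so also reject a leading separator
	// and a drive-letter prefix regardless of the host OS.
	if filepath.IsAbs(subdir) ||
		strings.HasPrefix(subdir, "/") || strings.HasPrefix(subdir, "\\") ||
		(len(subdir) >= 2 && subdir[1] == ':') {
		return "", fmt.Errorf("%w: absolute path %q", ErrInvalidSubDir, subdir)
	}

	// Check 2: normalize first, then look for ".." components. Normalizing
	// first means "a/../b" is accepted as "b", while "a/../.." collapses to
	// ".." and is rejected. Backslashes are treated as separators so that
	// "..\..\x" cannot slip past a forward-slash-only check.
	norm := filepath.Clean(filepath.FromSlash(strings.ReplaceAll(subdir, "\\", "/")))
	for _, component := range strings.Split(norm, string(filepath.Separator)) {
		if component == ".." {
			return "", fmt.Errorf("%w: traversal in %q", ErrInvalidSubDir, subdir)
		}
	}

	// Check 3: join and confirm the result is still under base. Redundant
	// with check 2 for purely lexical paths, but it is the check that still
	// holds if the earlier ones are ever loosened.
	joined := filepath.Join(baseClean, norm)
	rel, err := filepath.Rel(baseClean, joined)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q escapes %q", ErrInvalidSubDir, subdir, base)
	}
	return joined, nil
}

func main() {
	// Constructed sample: an assumed cache directory and a few remotes,
	// including the traversal payload quoted in the PR description.
	base := filepath.Join(string(filepath.Separator), "cache", "compose", "repo")
	remotes := []string{
		"https://github.com/docker/compose.git#main:../../../../../../../tmp/pwned",
		"https://github.com/docker/compose.git#main:/etc",
		"https://github.com/docker/compose.git#main:a/../..",
		"https://github.com/docker/compose.git#main:a/../b/./compose",
		"https://github.com/docker/compose.git#main",
	}
	for _, r := range remotes {
		_, ref, sub := parseRemoteRef(r)
		dir, err := validateSubDir(base, sub)
		if err != nil {
			fmt.Printf("REJECT ref=%q subdir=%q: %v\n", ref, sub, err)
			continue
		}
		fmt.Printf("ACCEPT ref=%q subdir=%q -> %s\n", ref, sub, dir)
	}
}
```

All three checks are lexical: they do not resolve symlinks, so a symlink committed inside the cloned repository can still point outside the cache directory. If that matters for the deployment, resolve the joined path with `filepath.EvalSymlinks` once it exists and repeat the containment check on the resolved path.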