Limit the options for HostIP
This will restrict the options for HostIP to either "127.0.0.1" or "0.0.0.0"
to validate user input for docker/nerdctl run with the "-p" option on Windows.
The potential issues are as follows:

On Docker, if users provide any option for "-p" other than "127.0.0.1" or
"0.0.0.0," the Docker proxy will fail to create the port mapping because those
IP addresses are not visible to the Docker proxy process. However, users can
still specify an IP address from the internal network that is visible to the
Docker proxy, allowing Docker to create the published port; however, that port
will not be accessible from the host.

On containerd, the backend containerd engine will create port mappings for
published ports without any errors (silently failing); however, the published
ports will not be accessible.

Therefore, to prevent the scenarios mentioned above, we need to manually validate
user input to limit it to either localhost or INADDR_ANY.

Signed-off-by: Nino Kodabande <nkodabande@suse.com>
Nino-K committed Oct 3, 2024
1 parent a70a532 commit 32a9b6d
Showing 2 changed files with 12 additions and 2 deletions.
12 changes: 11 additions & 1 deletion src/go/guestagent/pkg/containerd/events.go
Expand Up @@ -428,7 +428,7 @@ func createPortMappingFromString(portMapping string) (nat.PortMap, error) {
}

portBinding := nat.PortBinding{
HostIP: port.HostIP,
HostIP: ValidateHostIP(port.HostIP),
HostPort: strconv.Itoa(port.HostPort),
}
if pb, ok := portMap[portMapKey]; ok {
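Review bot: the call site `HostIP: ValidateHostIP(port.HostIP)` drops any trace that the user-supplied address was replaced; a binding requested for some other address is silently rewritten to "0.0.0.0" and published on every interface with nothing in the logs. Since the commit message says the goal is to validate user input, consider having `ValidateHostIP` return an error (or at minimum logging at warn level when the returned value differs from `port.HostIP`) so an operator can see that the loopback-only intent was not honoured.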
Expand Down Expand Up @@ -475,6 +475,16 @@ func mustFormatHashWithPrefix(length int, prefix string, toHash string) string {
return fmt.Sprintf("%s%x", prefix, output)[:length]
}

// ValidateHostIP checks if the provided IP address is valid.
// The valid options are "127.0.0.1" and "0.0.0.0". If the input is "127.0.0.1",
// it returns "127.0.0.1". Any other address will be mapped to "0.0.0.0".
func ValidateHostIP(ip string) string {
if ip == "127.0.0.1" || ip == "localhost" {
return ip
}
return "0.0.0.0"
}

// Port is representing nerdctl/ports entry in the
// event envelope's labels.
type Port struct {
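Review bot: the doc comment and the body disagree, and the function coerces rather than validates. The comment says the valid options are "127.0.0.1" and "0.0.0.0", but the code also accepts "localhost" and returns it unchanged (`return ip`), so the caller can still receive "localhost" as a HostIP; either document that or normalise it to "127.0.0.1". More importantly, every other input, including "0.0.0.0" itself, other loopback addresses and IPv6 forms such as "::1", is mapped to "0.0.0.0" with no error, which is the most permissive result: a user who asks for a loopback binding in a spelling this function does not recognise ends up exposed on all interfaces. Suggest checking with `net.ParseIP(ip)` and `IsLoopback()` / `IsUnspecified()` and returning an error for anything else, in line with the "manually validate user input" wording in the commit message; a name like `NormalizeHostIP` would also fit the current behaviour better than `ValidateHostIP`.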
2 changes: 1 addition & 1 deletion src/go/guestagent/pkg/docker/events.go
Expand Up @@ -186,7 +186,7 @@ func createPortMapping(ports []types.Port) (nat.PortMap, error) {
}

portBinding := nat.PortBinding{
HostIP: port.IP,
HostIP: containerd.ValidateHostIP(port.IP),
HostPort: strconv.Itoa(int(port.PublicPort)),
}

