From 32a9b6dda10960474a5c241a5bcd18fa72f2dc7a Mon Sep 17 00:00:00 2001
From: Nino Kodabande
Date: Thu, 3 Oct 2024 11:21:11 -0700
Subject: [PATCH] Limit the options for HostIP

This will restrict the options for HostIP to either "127.0.0.1" or "0.0.0.0" to validate user input for docker/nerdctl run with the "-p" option on Windows.

The potential issues are as follows:

On Docker, if users provide any option for "-p" other than "127.0.0.1" or "0.0.0.0," the Docker proxy will fail to create the port mapping because those IP addresses are not visible to the Docker proxy process. However, users can still specify an IP address from the internal network that is visible to the Docker proxy, allowing Docker to create the published port; however, that port will not be accessible from the host.

On containerd, the backend containerd engine will create port mappings for published ports without any errors (silently failing); however, the published ports will not be accessible.

Therefore, to prevent the scenarios mentioned above, we need to manually validate user input to limit it to either localhost or INADDR_ANY.

Signed-off-by: Nino Kodabande
---
 src/go/guestagent/pkg/containerd/events.go | 12 +++++++++++-
 src/go/guestagent/pkg/docker/events.go | 2 +-
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/src/go/guestagent/pkg/containerd/events.go b/src/go/guestagent/pkg/containerd/events.go
index 0dedaae5152..4423f327775 100644
--- a/src/go/guestagent/pkg/containerd/events.go
+++ b/src/go/guestagent/pkg/containerd/events.go
@@ -428,7 +428,7 @@ func createPortMappingFromString(portMapping string) (nat.PortMap, error) {
 }
 portBinding := nat.PortBinding{
- HostIP: port.HostIP,
+ HostIP: ValidateHostIP(port.HostIP),
 HostPort: strconv.Itoa(port.HostPort),
 }
 if pb, ok := portMap[portMapKey]; ok {
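Review bot: The new `HostIP: ValidateHostIP(port.HostIP)` rewrites any host address other than 127.0.0.1/localhost to 0.0.0.0 with no trace, so a binding the user requested on one private interface address (the case the commit message itself describes) is published on every interface without an error or a log line — that widens exposure rather than validating input. Compute the value before the struct literal and report when it was changed, e.g. `hostIP := ValidateHostIP(port.HostIP)` followed by `if hostIP != port.HostIP { log.Warnf("host IP %q is not supported here; publishing on %s instead", port.HostIP, hostIP) }`, then use `HostIP: hostIP`, with whichever logger this file already has in scope (the hunk does not show one). The enclosing createPortMappingFromString starts and ends outside the hunk.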
@@ -475,6 +475,16 @@ func mustFormatHashWithPrefix(length int, prefix string, toHash string) string {
 return fmt.Sprintf("%s%x", prefix, output)[:length]
 }
 
+// ValidateHostIP checks if the provided IP address is valid.
+// The valid options are "127.0.0.1" and "0.0.0.0". If the input is "127.0.0.1",
+// it returns "127.0.0.1". Any other address will be mapped to "0.0.0.0".
+func ValidateHostIP(ip string) string {
+ if ip == "127.0.0.1" || ip == "localhost" {
+ return ip
+ }
+ return "0.0.0.0"
+}
+
 // Port is representing nerdctl/ports entry in the
 // event envelope's labels.
 type Port struct {
diff --git a/src/go/guestagent/pkg/docker/events.go b/src/go/guestagent/pkg/docker/events.go
index 68d572559a3..87e52649009 100644
--- a/src/go/guestagent/pkg/docker/events.go
+++ b/src/go/guestagent/pkg/docker/events.go
@@ -186,7 +186,7 @@ func createPortMapping(ports []types.Port) (nat.PortMap, error) {
 }
 portBinding := nat.PortBinding{
- HostIP: port.IP,
+ HostIP: containerd.ValidateHostIP(port.IP),
 HostPort: strconv.Itoa(int(port.PublicPort)),
 }
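Review bot: ValidateHostIP fails open: every input other than the two literals — including other loopback addresses such as `127.0.0.2` or `::1` — is rewritten to `0.0.0.0`, so a user who asked for a loopback-only binding has the port published on all interfaces, the opposite of the "limit it to either localhost or INADDR_ANY" intent in the commit message. The doc comment also promises only "127.0.0.1" or "0.0.0.0" as results, yet `localhost` is returned unchanged as a third value, and the name suggests a check that can fail although the function never reports anything. I would classify loopback by address rather than by literal and fold `localhost` into 127.0.0.1 as below; this needs `net` imported in events.go, which the hunk does not show either way. Mapping `::1` to 127.0.0.1 changes address family but keeps the binding local, which is the safer default if the forwarder only serves IPv4 — worth confirming against the port-forwarding code.

```go
// ValidateHostIP normalizes a user-supplied host IP for a published port to the
// two bindings this platform can serve: a loopback request ("localhost" or any
// address in 127.0.0.0/8 or ::1) becomes "127.0.0.1"; everything else,
// including an empty string, becomes "0.0.0.0" (all interfaces).
func ValidateHostIP(ip string) string {
	if ip == "localhost" {
		return "127.0.0.1"
	}
	if parsed := net.ParseIP(ip); parsed != nil && parsed.IsLoopback() {
		return "127.0.0.1"
	}
	return "0.0.0.0"
}
```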