-
Notifications
You must be signed in to change notification settings - Fork 5
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
package/docker-engine: backport fix for host header check
Go 1.20.6 and 1.19.11 include a security check of the http Host header: golang/go#60374 docker-cli does not satisfy this check: $ docker exec -it ctr bash http: invalid Host header This is a backported patch to fix this issue: Issue: moby/moby#45935 Upstream PR: moby/moby#45942 The upstream PR has been merged and will be included in v24.0.5. Signed-off-by: Christian Stewart <christian@aperture.us>
- Loading branch information
Showing
2 changed files
with
243 additions
and
0 deletions.
There are no files selected for viewing
174 changes: 174 additions & 0 deletions
174
package/docker-engine/0001-client-define-a-dummy-hostname-to-use-for-local-conn.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,174 @@ | ||
| From 8ced4331e5e3a6760465a8ce2bd42c66d3232c96 Mon Sep 17 00:00:00 2001 | ||
| From: Sebastiaan van Stijn <github@gone.nl> | ||
| Date: Wed, 12 Jul 2023 14:15:38 +0200 | ||
| Subject: [PATCH] client: define a "dummy" hostname to use for local | ||
| connections | ||
|
|
||
| Go 1.20.6 and 1.19.11 include a security check of the http Host header: | ||
|
|
||
| https://github.com/golang/go/issues/60374 | ||
|
|
||
| This is a backported patch to fix this issue. | ||
|
|
||
| Issue: https://github.com/moby/moby/issues/45935 | ||
| Upstream PR: https://github.com/moby/moby/pull/45942 | ||
|
|
||
| The upstream PR has been merged and will be included in v24.0.5. | ||
|
|
||
| Signed-off-by: Christian Stewart <christian@aperture.us> | ||
|
|
||
| --- | ||
|
|
||
| For local communications (npipe://, unix://), the hostname is not used, | ||
| but we need valid and meaningful hostname. | ||
|
|
||
| The current code used the client's `addr` as hostname in some cases, which | ||
| could contain the path for the unix-socket (`/var/run/docker.sock`), which | ||
| gets rejected by go1.20.6 and go1.19.11 because of a security fix for | ||
| [CVE-2023-29406 ][1], which was implemented in https://go.dev/issue/60374. | ||
|
|
||
| Prior versions go Go would clean the host header, and strip slashes in the | ||
| process, but go1.20.6 and go1.19.11 no longer do, and reject the host | ||
| header. | ||
|
|
||
| This patch introduces a `DummyHost` const, and uses this dummy host for | ||
| cases where we don't need an actual hostname. | ||
|
|
||
| Before this patch (using go1.20.6): | ||
|
|
||
| make GO_VERSION=1.20.6 TEST_FILTER=TestAttach test-integration | ||
| === RUN TestAttachWithTTY | ||
| attach_test.go:46: assertion failed: error is not nil: http: invalid Host header | ||
| --- FAIL: TestAttachWithTTY (0.11s) | ||
| === RUN TestAttachWithoutTTy | ||
| attach_test.go:46: assertion failed: error is not nil: http: invalid Host header | ||
| --- FAIL: TestAttachWithoutTTy (0.02s) | ||
| FAIL | ||
|
|
||
| With this patch applied: | ||
|
|
||
| make GO_VERSION=1.20.6 TEST_FILTER=TestAttach test-integration | ||
| INFO: Testing against a local daemon | ||
| === RUN TestAttachWithTTY | ||
| --- PASS: TestAttachWithTTY (0.12s) | ||
| === RUN TestAttachWithoutTTy | ||
| --- PASS: TestAttachWithoutTTy (0.02s) | ||
| PASS | ||
|
|
||
| [1]: https://github.com/advisories/GHSA-f8f7-69v5-w4vx | ||
|
|
||
| Signed-off-by: Sebastiaan van Stijn <github@gone.nl> | ||
| (cherry picked from commit 92975f0c11f0566cc3c36659f5e3bb9faf5cb176) | ||
| Signed-off-by: Sebastiaan van Stijn <github@gone.nl> | ||
| --- | ||
| client/client.go | 30 ++++++++++++++++++++++++++++++ | ||
| client/hijack.go | 6 +++++- | ||
| client/request.go | 10 ++++------ | ||
| client/request_test.go | 4 ++-- | ||
| 4 files changed, 41 insertions(+), 9 deletions(-) | ||
|
|
||
| diff --git a/client/client.go b/client/client.go | ||
| index 1c081a51ae..54fa36cca8 100644 | ||
| --- a/client/client.go | ||
| +++ b/client/client.go | ||
| @@ -56,6 +56,36 @@ import ( | ||
| "github.com/pkg/errors" | ||
| ) | ||
|
|
||
| +// DummyHost is a hostname used for local communication. | ||
| +// | ||
| +// It acts as a valid formatted hostname for local connections (such as "unix://" | ||
| +// or "npipe://") which do not require a hostname. It should never be resolved, | ||
| +// but uses the special-purpose ".localhost" TLD (as defined in [RFC 2606, Section 2] | ||
| +// and [RFC 6761, Section 6.3]). | ||
| +// | ||
| +// [RFC 7230, Section 5.4] defines that an empty header must be used for such | ||
| +// cases: | ||
| +// | ||
| +// If the authority component is missing or undefined for the target URI, | ||
| +// then a client MUST send a Host header field with an empty field-value. | ||
| +// | ||
| +// However, [Go stdlib] enforces the semantics of HTTP(S) over TCP, does not | ||
| +// allow an empty header to be used, and requires req.URL.Scheme to be either | ||
| +// "http" or "https". | ||
| +// | ||
| +// For further details, refer to: | ||
| +// | ||
| +// - https://github.com/docker/engine-api/issues/189 | ||
| +// - https://github.com/golang/go/issues/13624 | ||
| +// - https://github.com/golang/go/issues/61076 | ||
| +// - https://github.com/moby/moby/issues/45935 | ||
| +// | ||
| +// [RFC 2606, Section 2]: https://www.rfc-editor.org/rfc/rfc2606.html#section-2 | ||
| +// [RFC 6761, Section 6.3]: https://www.rfc-editor.org/rfc/rfc6761#section-6.3 | ||
| +// [RFC 7230, Section 5.4]: https://datatracker.ietf.org/doc/html/rfc7230#section-5.4 | ||
| +// [Go stdlib]: https://github.com/golang/go/blob/6244b1946bc2101b01955468f1be502dbadd6807/src/net/http/transport.go#L558-L569 | ||
| +const DummyHost = "api.moby.localhost" | ||
| + | ||
| // ErrRedirect is the error returned by checkRedirect when the request is non-GET. | ||
| var ErrRedirect = errors.New("unexpected redirect in response") | ||
|
|
||
| diff --git a/client/hijack.go b/client/hijack.go | ||
| index 6bdacab10a..4dcaaca4c5 100644 | ||
| --- a/client/hijack.go | ||
| +++ b/client/hijack.go | ||
| @@ -64,7 +64,11 @@ func fallbackDial(proto, addr string, tlsConfig *tls.Config) (net.Conn, error) { | ||
| } | ||
|
|
||
| func (cli *Client) setupHijackConn(ctx context.Context, req *http.Request, proto string) (net.Conn, string, error) { | ||
| - req.Host = cli.addr | ||
| + req.URL.Host = cli.addr | ||
| + if cli.proto == "unix" || cli.proto == "npipe" { | ||
| + // Override host header for non-tcp connections. | ||
| + req.Host = DummyHost | ||
| + } | ||
| req.Header.Set("Connection", "Upgrade") | ||
| req.Header.Set("Upgrade", proto) | ||
|
|
||
| diff --git a/client/request.go b/client/request.go | ||
| index c799095c12..bcedcf3bd9 100644 | ||
| --- a/client/request.go | ||
| +++ b/client/request.go | ||
| @@ -96,16 +96,14 @@ func (cli *Client) buildRequest(method, path string, body io.Reader, headers hea | ||
| return nil, err | ||
| } | ||
| req = cli.addHeaders(req, headers) | ||
| + req.URL.Scheme = cli.scheme | ||
| + req.URL.Host = cli.addr | ||
|
|
||
| if cli.proto == "unix" || cli.proto == "npipe" { | ||
| - // For local communications, it doesn't matter what the host is. We just | ||
| - // need a valid and meaningful host name. (See #189) | ||
| - req.Host = "docker" | ||
| + // Override host header for non-tcp connections. | ||
| + req.Host = DummyHost | ||
| } | ||
|
|
||
| - req.URL.Host = cli.addr | ||
| - req.URL.Scheme = cli.scheme | ||
| - | ||
| if expectedPayload && req.Header.Get("Content-Type") == "" { | ||
| req.Header.Set("Content-Type", "text/plain") | ||
| } | ||
| diff --git a/client/request_test.go b/client/request_test.go | ||
| index 6e5a6e81f2..50b09d954c 100644 | ||
| --- a/client/request_test.go | ||
| +++ b/client/request_test.go | ||
| @@ -29,12 +29,12 @@ func TestSetHostHeader(t *testing.T) { | ||
| }{ | ||
| { | ||
| "unix:///var/run/docker.sock", | ||
| - "docker", | ||
| + DummyHost, | ||
| "/var/run/docker.sock", | ||
| }, | ||
| { | ||
| "npipe:////./pipe/docker_engine", | ||
| - "docker", | ||
| + DummyHost, | ||
| "//./pipe/docker_engine", | ||
| }, | ||
| { | ||
| -- | ||
| 2.41.0 | ||
|
|
69 changes: 69 additions & 0 deletions
69
package/docker-engine/0002-pkg-plugins-use-a-dummy-hostname-for-local-connectio.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,69 @@ | ||
| From 09306e7eb3c26ade69ef1e4c99d5b1fd9c0b7364 Mon Sep 17 00:00:00 2001 | ||
| From: Sebastiaan van Stijn <github@gone.nl> | ||
| Date: Wed, 12 Jul 2023 15:07:59 +0200 | ||
| Subject: [PATCH] pkg/plugins: use a dummy hostname for local connections | ||
|
|
||
| For local communications (npipe://, unix://), the hostname is not used, | ||
| but we need valid and meaningful hostname. | ||
|
|
||
| The current code used the socket path as hostname, which gets rejected by | ||
| go1.20.6 and go1.19.11 because of a security fix for [CVE-2023-29406 ][1], | ||
| which was implemented in https://go.dev/issue/60374. | ||
|
|
||
| Prior versions go Go would clean the host header, and strip slashes in the | ||
| process, but go1.20.6 and go1.19.11 no longer do, and reject the host | ||
| header. | ||
|
|
||
| Before this patch, tests would fail on go1.20.6: | ||
|
|
||
| === FAIL: pkg/authorization TestAuthZRequestPlugin (15.01s) | ||
| time="2023-07-12T12:53:45Z" level=warning msg="Unable to connect to plugin: //tmp/authz2422457390/authz-test-plugin.sock/AuthZPlugin.AuthZReq: Post \"http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq\": http: invalid Host header, retrying in 1s" | ||
| time="2023-07-12T12:53:46Z" level=warning msg="Unable to connect to plugin: //tmp/authz2422457390/authz-test-plugin.sock/AuthZPlugin.AuthZReq: Post \"http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq\": http: invalid Host header, retrying in 2s" | ||
| time="2023-07-12T12:53:48Z" level=warning msg="Unable to connect to plugin: //tmp/authz2422457390/authz-test-plugin.sock/AuthZPlugin.AuthZReq: Post \"http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq\": http: invalid Host header, retrying in 4s" | ||
| time="2023-07-12T12:53:52Z" level=warning msg="Unable to connect to plugin: //tmp/authz2422457390/authz-test-plugin.sock/AuthZPlugin.AuthZReq: Post \"http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq\": http: invalid Host header, retrying in 8s" | ||
| authz_unix_test.go:82: Failed to authorize request Post "http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq": http: invalid Host header | ||
|
|
||
| [1]: https://github.com/advisories/GHSA-f8f7-69v5-w4vx | ||
|
|
||
| Signed-off-by: Sebastiaan van Stijn <github@gone.nl> | ||
| (cherry picked from commit 6b7705d5b29e226a24902a8dcc488836faaee33c) | ||
| Signed-off-by: Sebastiaan van Stijn <github@gone.nl> | ||
| --- | ||
| pkg/plugins/client.go | 14 ++++++++++++-- | ||
| 1 file changed, 12 insertions(+), 2 deletions(-) | ||
|
|
||
| diff --git a/pkg/plugins/client.go b/pkg/plugins/client.go | ||
| index 752fecd0ae..e683eb777d 100644 | ||
| --- a/pkg/plugins/client.go | ||
| +++ b/pkg/plugins/client.go | ||
| @@ -18,6 +18,12 @@ import ( | ||
|
|
||
| const ( | ||
| defaultTimeOut = 30 | ||
| + | ||
| + // dummyHost is a hostname used for local communication. | ||
| + // | ||
| + // For local communications (npipe://, unix://), the hostname is not used, | ||
| + // but we need valid and meaningful hostname. | ||
| + dummyHost = "plugin.moby.localhost" | ||
| ) | ||
|
|
||
| func newTransport(addr string, tlsConfig *tlsconfig.Options) (transport.Transport, error) { | ||
| @@ -44,8 +50,12 @@ func newTransport(addr string, tlsConfig *tlsconfig.Options) (transport.Transpor | ||
| return nil, err | ||
| } | ||
| scheme := httpScheme(u) | ||
| - | ||
| - return transport.NewHTTPTransport(tr, scheme, socket), nil | ||
| + hostName := u.Host | ||
| + if hostName == "" || u.Scheme == "unix" || u.Scheme == "npipe" { | ||
| + // Override host header for non-tcp connections. | ||
| + hostName = dummyHost | ||
| + } | ||
| + return transport.NewHTTPTransport(tr, scheme, hostName), nil | ||
| } | ||
|
|
||
| // NewClient creates a new plugin client (http). | ||
| -- | ||
| 2.41.0 | ||
|
|