Merge pull request cri-o#6450 from haircommander/homedir-drop

openshift-merge-robot · web-flow · commit 3e342bff116e · 2022-12-20T09:23:24.000-05:00
server: fail if HOME variable has a newline
diff --git a/server/container_create.go b/server/container_create.go
@@ -201,6 +201,9 @@ func setupContainerUser(ctx context.Context, specgen *generate.Generator, rootfs
 	for _, env := range specgen.Config.Process.Env {
 		if strings.HasPrefix(env, "HOME=") {
 			homedir = strings.TrimPrefix(env, "HOME=")
+			if idx := strings.Index(homedir, `\n`); idx > -1 {
+				return fmt.Errorf("invalid HOME environment; newline not allowed")
+			}
 			break
 		}
 	}
diff --git a/test/ctr.bats b/test/ctr.bats
@@ -1024,3 +1024,11 @@ function check_oci_annotation() {
 		! ps -p "$process" o pid=,stat= | grep -v 'Z'
 	done
 }
+
+@test "ctr HOME env newline invalid" {
+	start_crio
+	jq ' .envs = [{"key": "HOME=", "value": "/root:/sbin/nologin\\ntest::0:0::/:/bin/bash"}]' \
+		"$TESTDATA"/container_config.json > "$newconfig"
+
+	! crictl run "$newconfig" "$TESTDATA"/sandbox_config.json
+}

Original file line number	Diff line number	Diff line change
`@@ -201,6 +201,9 @@ func setupContainerUser(ctx context.Context, specgen *generate.Generator, rootfs`
`201`	`201`	`for _, env := range specgen.Config.Process.Env {`
`202`	`202`	`if strings.HasPrefix(env, "HOME=") {`
`203`	`203`	`homedir = strings.TrimPrefix(env, "HOME=")`
	`204`	+ if idx := strings.Index(homedir, `\n`); idx > -1 {
	`205`	`+ return fmt.Errorf("invalid HOME environment; newline not allowed")`
	`206`	`+ }`
`204`	`207`	`break`
`205`	`208`	`}`
`206`	`209`	`}`