server: fail if HOME variable has a newline

haircommander · openshift-cherrypick-robot · commit 98a49cf00b3a · 2023-02-22T21:19:44.000Z
to prevent CVE-2022-4318 Signed-off-by: Peter Hunt~ <pehunt@redhat.com>
diff --git a/server/container_create.go b/server/container_create.go
@@ -195,6 +195,9 @@ func setupContainerUser(ctx context.Context, specgen *generate.Generator, rootfs
 	for _, env := range specgen.Config.Process.Env {
 		if strings.HasPrefix(env, "HOME=") {
 			homedir = strings.TrimPrefix(env, "HOME=")
+			if idx := strings.Index(homedir, `\n`); idx > -1 {
+				return fmt.Errorf("invalid HOME environment; newline not allowed")
+			}
 			break
 		}
 	}
diff --git a/test/ctr.bats b/test/ctr.bats
@@ -1025,3 +1025,11 @@ function check_oci_annotation() {
 		! ps -p "$process" o pid=,stat= | grep -v 'Z'
 	done
 }
+
+@test "ctr HOME env newline invalid" {
+	start_crio
+	jq ' .envs = [{"key": "HOME=", "value": "/root:/sbin/nologin\\ntest::0:0::/:/bin/bash"}]' \
+		"$TESTDATA"/container_config.json > "$newconfig"
+
+	! crictl run "$newconfig" "$TESTDATA"/sandbox_config.json
+}

Original file line number	Diff line number	Diff line change
`@@ -195,6 +195,9 @@ func setupContainerUser(ctx context.Context, specgen *generate.Generator, rootfs`
`195`	`195`	`for _, env := range specgen.Config.Process.Env {`
`196`	`196`	`if strings.HasPrefix(env, "HOME=") {`
`197`	`197`	`homedir = strings.TrimPrefix(env, "HOME=")`
	`198`	+ if idx := strings.Index(homedir, `\n`); idx > -1 {
	`199`	`+ return fmt.Errorf("invalid HOME environment; newline not allowed")`
	`200`	`+ }`
`198`	`201`	`break`
`199`	`202`	`}`
`200`	`203`	`}`