Merge pull request #8978 from sohankunkerkar/release-1.30

openshift-merge-bot[bot] · web-flow · commit d088fcfa5f57 · 2025-02-03T17:22:57.000Z
[release-1.30] CVE: Fix path traversal in CRI-O log handling
diff --git a/internal/linklogs/link_logs.go b/internal/linklogs/link_logs.go
@@ -5,9 +5,10 @@ import (
 	"errors"
 	"fmt"
 	"os"
-	"path/filepath"
+	"strings"
 
 	"github.com/cri-o/cri-o/internal/log"
+	securejoin "github.com/cyphar/filepath-securejoin"
 	"github.com/opencontainers/selinux/go-selinux/label"
 	"golang.org/x/sys/unix"
 	"k8s.io/apimachinery/pkg/util/validation"
@@ -28,12 +29,22 @@ func MountPodLogs(ctx context.Context, kubePodUID, emptyDirVolName, namespace, k
 	if errs := validation.IsDNS1123Label(emptyDirVolName); len(errs) != 0 {
 		return errors.New("empty dir vol name is invalid")
 	}
-	emptyDirLoggingVolumePath := podEmptyDirPath(kubePodUID, emptyDirVolName)
+
+	emptyDirLoggingVolumePath, err := podEmptyDirPath(kubePodUID, emptyDirVolName)
+	if err != nil {
+		return fmt.Errorf("failed to get empty dir path: %w", err)
+	}
+
 	if _, err := os.Stat(emptyDirLoggingVolumePath); err != nil {
 		return fmt.Errorf("failed to find %v: %w", emptyDirLoggingVolumePath, err)
 	}
 	podLogsDirectory := namespace + "_" + kubeName + "_" + kubePodUID
-	podLogsPath := filepath.Join(kubeletPodLogsRootDir, podLogsDirectory)
+
+	podLogsPath, err := securejoin.SecureJoin(kubeletPodLogsRootDir, podLogsDirectory)
+	if err != nil {
+		return fmt.Errorf("failed to join %v and %v: %w", kubeletPodLogsRootDir, podLogsDirectory, err)
+	}
+
 	log.Infof(ctx, "Mounting from %s to %s for linked logs", podLogsPath, emptyDirLoggingVolumePath)
 	if err := unix.Mount(podLogsPath, emptyDirLoggingVolumePath, "bind", unix.MS_BIND|unix.MS_RDONLY, ""); err != nil {
 		return fmt.Errorf("failed to mount %v to %v: %w", podLogsPath, emptyDirLoggingVolumePath, err)
@@ -46,7 +57,11 @@ func MountPodLogs(ctx context.Context, kubePodUID, emptyDirVolName, namespace, k
 
 // UnmountPodLogs unmounts the pod log directory from the specified empty dir volume
 func UnmountPodLogs(ctx context.Context, kubePodUID, emptyDirVolName string) error {
-	emptyDirLoggingVolumePath := podEmptyDirPath(kubePodUID, emptyDirVolName)
+	emptyDirLoggingVolumePath, err := podEmptyDirPath(kubePodUID, emptyDirVolName)
+	if err != nil {
+		return fmt.Errorf("failed to get empty dir path: %w", err)
+	}
+
 	log.Infof(ctx, "Unmounting %s for linked logs", emptyDirLoggingVolumePath)
 	if _, err := os.Stat(emptyDirLoggingVolumePath); !os.IsNotExist(err) {
 		if err := unix.Unmount(emptyDirLoggingVolumePath, unix.MNT_DETACH); err != nil {
@@ -57,14 +72,30 @@ func UnmountPodLogs(ctx context.Context, kubePodUID, emptyDirVolName string) err
 }
 
 func LinkContainerLogs(ctx context.Context, kubePodUID, emptyDirVolName, id string, metadata *types.ContainerMetadata) error {
-	emptyDirLoggingVolumePath := podEmptyDirPath(kubePodUID, emptyDirVolName)
+	emptyDirLoggingVolumePath, err := podEmptyDirPath(kubePodUID, emptyDirVolName)
+	if err != nil {
+		return fmt.Errorf("failed to get empty dir path: %w", err)
+	}
+
 	// Symlink a relative path so the location is legitimate inside and outside the container.
 	from := fmt.Sprintf("%s/%d.log", metadata.Name, metadata.Attempt)
-	to := filepath.Join(emptyDirLoggingVolumePath, id+".log")
+
+	to, err := securejoin.SecureJoin(emptyDirLoggingVolumePath, id+".log")
+	if err != nil {
+		return fmt.Errorf("failed to join %v and %v: %w", emptyDirLoggingVolumePath, id+".log", err)
+	}
+
 	log.Infof(ctx, "Symlinking from %s to %s for linked logs", from, to)
 	return os.Symlink(from, to)
 }
 
-func podEmptyDirPath(podUID, emptyDirVolName string) string {
-	return filepath.Join(kubeletPodsRootDir, podUID, "volumes", kubeletEmptyDirLogDir, emptyDirVolName)
+func podEmptyDirPath(podUID, emptyDirVolName string) (string, error) {
+	relativePath := strings.Join([]string{podUID, "volumes", kubeletEmptyDirLogDir, emptyDirVolName}, "/")
+
+	dirPath, err := securejoin.SecureJoin(kubeletPodsRootDir, relativePath)
+	if err != nil {
+		return "", fmt.Errorf("failed to join %v and %v: %w", kubeletPodsRootDir, relativePath, err)
+	}
+
+	return dirPath, err
 }
diff --git a/test/ctr.bats b/test/ctr.bats
@@ -62,6 +62,54 @@ function create_test_rro_mounts() {
 	echo "$directory"
 }
 
+function setup_log_linking_test() {
+	local pod_uid=$1
+	local pod_name pod_namespace pod_log_dir pod_empty_dir_volume_path pod_id ctr_name ctr_attempt ctr_id
+
+	pod_name=$(jq -r '.metadata.name' "$TESTDATA/sandbox_config.json")
+	pod_namespace=$(jq -r '.metadata.namespace' "$TESTDATA/sandbox_config.json")
+	pod_log_dir="/var/log/pods/${pod_namespace}_${pod_name}_${pod_uid}"
+	pod_empty_dir_volume_path="/var/lib/kubelet/pods/$pod_uid/volumes/kubernetes.io~empty-dir/logging-volume"
+
+	# Create directories and set up pod/container.
+	mkdir -p "$pod_log_dir" "$pod_empty_dir_volume_path"
+	jq --arg pod_log_dir "$pod_log_dir" --arg pod_uid "$pod_uid" '.annotations["io.kubernetes.cri-o.LinkLogs"] = "logging-volume"
+	| .log_directory = $pod_log_dir | .metadata.uid = $pod_uid' \
+		"$TESTDATA/sandbox_config.json" > "$TESTDIR/sandbox_config.json"
+	pod_id=$(crictl runp "$TESTDIR/sandbox_config.json")
+
+	# Touch the log file.
+	ctr_name=$(jq -r '.metadata.name' "$TESTDATA/container_config.json")
+	ctr_attempt=$(jq -r '.metadata.attempt' "$TESTDATA/container_config.json")
+	mkdir -p "$pod_log_dir/$ctr_name"
+	touch "$pod_log_dir/$ctr_name/$ctr_attempt.log"
+
+	jq --arg host_path "$pod_empty_dir_volume_path" --arg ctr_path "/mnt/logging-volume" --arg log_path "$ctr_name/$ctr_attempt.log" \
+		'.command = ["sh", "-c", "echo Hello log linking && sleep 1000"]
+		| .log_path = $log_path
+		| .mounts = [ { host_path: $host_path, container_path: $ctr_path } ]' \
+		"$TESTDATA"/container_config.json > "$TESTDIR/container_config.json"
+	ctr_id=$(crictl create "$pod_id" "$TESTDIR/container_config.json" "$TESTDIR/sandbox_config.json")
+}
+
+function assert_log_linking() {
+	local pod_empty_dir_volume_path=$1
+	local ctr_name=$2
+	local ctr_attempt=$3
+	local ctr_id=$4
+	local should_succeed=$5
+
+	if $should_succeed; then
+		[ -f "$pod_empty_dir_volume_path/$ctr_name/$ctr_attempt.log" ]
+		[ -f "$pod_empty_dir_volume_path/$ctr_id.log" ]
+		grep -E "Hello log linking" "$pod_empty_dir_volume_path/$ctr_name/$ctr_attempt.log"
+		grep -E "Hello log linking" "$pod_empty_dir_volume_path/$ctr_id.log"
+	else
+		[ ! -f "$pod_empty_dir_volume_path/$ctr_name/$ctr_attempt.log" ]
+		[ ! -f "$pod_empty_dir_volume_path/$ctr_id.log" ]
+	fi
+}
+
 @test "ctr not found correct error message" {
 	start_crio
 	run ! crictl inspect "container_not_exist"
@@ -1356,6 +1404,32 @@ function create_test_rro_mounts() {
 	[ ! -f "$linked_log_path" ]
 }
 
+@test "ctr log linking with malicious paths" {
+	if [[ $RUNTIME_TYPE == vm ]]; then
+		skip "not applicable to vm runtime type"
+	fi
+	setup_crio
+	create_runtime_with_allowed_annotation logs io.kubernetes.cri-o.LinkLogs
+	start_crio_no_setup
+
+	read -r pod_empty_dir_volume_path ctr_name ctr_attempt ctr_id <<< "$(setup_log_linking_test "../../../malicious")"
+	assert_log_linking "$pod_empty_dir_volume_path" "$ctr_name" "$ctr_attempt" "$ctr_id" false
+	crictl rmp -fa
+}
+
+@test "ctr log linking with invalid paths" {
+	if [[ $RUNTIME_TYPE == vm ]]; then
+		skip "not applicable to vm runtime type"
+	fi
+	setup_crio
+	create_runtime_with_allowed_annotation logs io.kubernetes.cri-o.LinkLogs
+	start_crio_no_setup
+
+	read -r pod_empty_dir_volume_path ctr_name ctr_attempt ctr_id <<< "$(setup_log_linking_test "invalid path")"
+	assert_log_linking "$pod_empty_dir_volume_path" "$ctr_name" "$ctr_attempt" "$ctr_id" false
+	crictl rmp -fa
+}
+
 @test "ctr stop loop kill retry attempts" {
 	FAKE_RUNTIME_BINARY_PATH="$TESTDIR"/fake
 	FAKE_RUNTIME_ATTEMPTS_LOG="$TESTDIR"/fake.log
