"Danger of using COPY and ADD instructions" is unclear #894

Closed
JeremyRand opened this issue Aug 1, 2021 · 2 comments
@JeremyRand

Description

The warning introduced by #760 is a bit confusing. It's not clear who can do this attack. I.e. can the attack be performed by:

  • Only people with write privs to the victim repo? (Seems plausible since Cirrus repo config has an option for only allowing such users to write to caches.)
  • Only people who create a malicious PR to the victim repo? (Seems plausible since the warning mentions PRs.)
  • Anyone on GitHub who uses Cirrus and submits a Dockerfile that matches the victim repo's Dockerfile hash? (Seems plausible since Per-repository cache for Dockerfile as a CI environment #761 mentions a global cache.)

Context

Knowing who can do this attack will enable us to evaluate our risk and manage it accordingly.

Anything Else

N/A.

@fkorotkov
Contributor

The danger is about the following scenario:

Let's say you have a PR with a Dockerfile like this from a potentially untrusted contributor:

FROM alpine:latest

RUN apk add --no-cache ...

ADD ci.sh /bin/ci.sh

Since the contents of the ci.sh script are not part of the caching key for the image, you can't be 100% sure that the ci.sh script from the PR is the actual ci.sh script that is inside the container, and therefore it is a potential risk.

We recently migrated the internals of the Cirrus configuration parser from Kotlin to Go and now it will be much easier to include the contents of such scripts into the cache key. I've created cirruslabs/cirrus-cli#447 so please follow for the updates.
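To make the scenario concrete, here is an added example (not code from Cirrus CI or cirrus-cli) that shows why a cache key derived from the Dockerfile text alone is not enough, and what a content-aware key looks like: it parses the ADD/COPY instructions, hashes the referenced build-context files together with the Dockerfile, and so gives two PRs with identical Dockerfiles but different ci.sh scripts different keys. The Dockerfile and the two ci.sh variants are constructed sample inputs; the build context is modelled as a dict of path to bytes, and directory and glob sources are left to the caller.

```python
import hashlib
import json
import re
import shlex

# Constructed sample inputs: the Dockerfile from the comment above and two
# ci.sh scripts that differ only in one extra line.
DOCKERFILE = """\
FROM alpine:latest

RUN apk add --no-cache bash curl

ADD ci.sh /bin/ci.sh
"""

CI_SH_TRUSTED = b"#!/bin/sh\nset -e\n./run-tests.sh\n"
CI_SH_MODIFIED = b"#!/bin/sh\nset -e\n./run-tests.sh\necho extra-step\n"


def naive_key(dockerfile: str) -> str:
    """Cache key built from the Dockerfile text only: identical Dockerfiles share
    an image regardless of what ADD/COPY actually pulled in."""
    return hashlib.sha256(dockerfile.encode()).hexdigest()


def add_copy_sources(dockerfile: str) -> list[str]:
    """Return build-context source paths referenced by ADD/COPY instructions.

    Handles backslash line continuations, the JSON array form, multiple sources
    (the last argument is the destination) and flags such as --chown. Skips
    COPY --from=... (reads another stage, not the context) and ADD of a URL.
    """
    logical = re.sub(r"\\\r?\n", " ", dockerfile)  # join continuation lines
    sources = []
    for raw in logical.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(ADD|COPY)\s+((?:--\S+\s+)*)(.*)$", line, re.IGNORECASE)
        if not m:
            continue
        flags = m.group(2).split()
        rest = m.group(3).strip()
        if any(f.startswith("--from=") for f in flags):
            continue
        args = json.loads(rest) if rest.startswith("[") else shlex.split(rest)
        if len(args) < 2:
            continue
        for src in args[:-1]:
            if re.match(r"^[a-z]+://", src):  # remote URL, not a context file
                continue
            sources.append(src)
    return sources


def content_aware_key(dockerfile: str, context: dict[str, bytes]) -> str:
    """Cache key covering the Dockerfile and every context file it ADDs/COPYs.

    `context` maps a build-context path to its bytes (constructed here; a real
    implementation would read the checkout and expand directories/globs).
    """
    h = hashlib.sha256(dockerfile.encode())
    for src in add_copy_sources(dockerfile):
        if src not in context:
            raise FileNotFoundError(f"{src} is referenced by ADD/COPY but missing from the context")
        data = context[src]
        # Length-prefix path and content so different (path, data) pairs cannot
        # be concatenated into the same byte stream.
        h.update(f"{len(src)}:{src}:{len(data)}:".encode())
        h.update(data)
    return h.hexdigest()


def demo() -> dict:
    """Compare both keying strategies for two PRs with the same Dockerfile."""
    trusted = {"ci.sh": CI_SH_TRUSTED}
    modified = {"ci.sh": CI_SH_MODIFIED}
    return {
        # Same Dockerfile text, so the naive key is identical for both PRs.
        "naive_collides": naive_key(DOCKERFILE) == naive_key(DOCKERFILE),
        # Different ci.sh contents, so the content-aware key separates them.
        "content_aware_differs": content_aware_key(DOCKERFILE, trusted)
        != content_aware_key(DOCKERFILE, modified),
    }


if __name__ == "__main__":
    print(demo())
```

With only `naive_key`, a second PR carrying the same Dockerfile but a different ci.sh would be served the cached image built from the first PR's script (or vice versa); `content_aware_key` ties the image to the exact script bytes, which is the property the cache-key change discussed above is meant to restore.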

@fkorotkov
Contributor

Closing the issue since I've clarified the concern and created an action item like cirruslabs/cirrus-cli#447.
