From 76d1b7064451be59f8c4cb8ce7f888137a1b80ab Mon Sep 17 00:00:00 2001
From: sunportainer <93502624+sunportainer@users.noreply.github.com>
Date: Tue, 19 Apr 2022 20:05:16 +0800
Subject: [PATCH] fix(volume): prevent bind mounts and allow named volumes [EE-2364] (#6771)

* check bindmounts via absolute path

* check bindmounts via absolute path
---
 api/http/proxy/factory/docker/containers.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/api/http/proxy/factory/docker/containers.go b/api/http/proxy/factory/docker/containers.go
index 953b591e9..573bfc21d 100644
--- a/api/http/proxy/factory/docker/containers.go
+++ b/api/http/proxy/factory/docker/containers.go
@@ -7,6 +7,7 @@ import (
 	"errors"
 	"io/ioutil"
 	"net/http"
+	"strings"
 
 	"github.com/docker/docker/client"
 	portainer "github.com/portainer/portainer/api"
@@ -221,7 +222,11 @@ func (transport *Transport) decorateContainerCreationOperation(request *http.Req
 	}
 
 	if !securitySettings.AllowBindMountsForRegularUsers && (len(partialContainer.HostConfig.Binds) > 0) {
-		return forbiddenResponse, errors.New("forbidden to use bind mounts")
+		for _, bind := range partialContainer.HostConfig.Binds {
+			if strings.HasPrefix(bind, "/") {
+				return forbiddenResponse, errors.New("forbidden to use bind mounts")
+			}
+		}
 	}
 
 	request.Body = ioutil.NopCloser(bytes.NewBuffer(body))
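Review bot: The leading-slash test in the new loop only recognises Unix-style host paths, so a bind whose source is a Windows host path such as `C:\data:/data` (or a backslash-led UNC/`\\?\` path) is not caught and is treated like a named volume, which leaves the AllowBindMountsForRegularUsers restriction only partially enforced on Windows endpoints. A Binds entry has the shape `source:destination[:opts]`, and the one source shape a regular user should be allowed is a volume name, so the classification deserves a small named helper rather than a one-character prefix check; the version below also refuses backslash-led and drive-letter sources, at the cost of rejecting single-letter volume names, which seems an acceptable trade-off given that Docker itself treats `x:/...` ambiguously across platforms. I cannot see whether `partialContainer.HostConfig.Mounts` entries of type bind are filtered elsewhere in this function — decorateContainerCreationOperation starts and ends outside the hunk — but if they are not, the same restriction should cover them, since they reach the engine the same way. The helper uses only `strings`, which the first hunk already imports.
```go
// isHostPathBind reports whether a HostConfig.Binds entry names a host path
// rather than a named volume: an absolute Unix path, a backslash-led Windows
// path, or a drive-letter path. Named volumes start with none of these.
func isHostPathBind(bind string) bool {
	if strings.HasPrefix(bind, "/") || strings.HasPrefix(bind, `\`) {
		return true
	}
	// C:\dir or C:/dir — the leading-slash test alone never sees these.
	return len(bind) > 2 && bind[1] == ':' && (bind[2] == '\\' || bind[2] == '/')
}

// … unchanged: body of decorateContainerCreationOperation up to the bind-mount check …
	if !securitySettings.AllowBindMountsForRegularUsers && (len(partialContainer.HostConfig.Binds) > 0) {
		for _, bind := range partialContainer.HostConfig.Binds {
			if isHostPathBind(bind) {
				return forbiddenResponse, errors.New("forbidden to use bind mounts")
			}
		}
	}
```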