fix(volume): prevent bind mounts and allow named volumes [EE-2364] (#6771)

* check bindmounts via absolute path

* check bindmounts via absolute path
pull/6762/head
sunportainer 3 years ago committed by GitHub
parent 360701e256
commit 76d1b70644
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -7,6 +7,7 @@ import (
"errors" "errors"
"io/ioutil" "io/ioutil"
"net/http" "net/http"
"strings"
"github.com/docker/docker/client" "github.com/docker/docker/client"
portainer "github.com/portainer/portainer/api" portainer "github.com/portainer/portainer/api"
@ -221,8 +222,12 @@ func (transport *Transport) decorateContainerCreationOperation(request *http.Req
} }
if !securitySettings.AllowBindMountsForRegularUsers && (len(partialContainer.HostConfig.Binds) > 0) { if !securitySettings.AllowBindMountsForRegularUsers && (len(partialContainer.HostConfig.Binds) > 0) {
for _, bind := range partialContainer.HostConfig.Binds {
if strings.HasPrefix(bind, "/") {
return forbiddenResponse, errors.New("forbidden to use bind mounts") return forbiddenResponse, errors.New("forbidden to use bind mounts")
} }
}
}
request.Body = ioutil.NopCloser(bytes.NewBuffer(body)) request.Body = ioutil.NopCloser(bytes.NewBuffer(body))
} }
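Review bot: The added loop in decorateContainerCreationOperation classifies a `HostConfig.Binds` entry as a bind mount only when `strings.HasPrefix(bind, "/")` is true, so it is a deny-list keyed to Unix path syntax. On a Windows Docker host an absolute source starts with a drive letter, so it would fall through as if it were a named volume. Consider inverting the test so an entry is accepted only when its source is a plain volume name and everything else is refused. The source should not be extracted with a naive split on the first `:`, because a drive-letter path contains one. A comment such as `// Binds entries are "source:target[:opts]"; any source that is not a plain volume name is treated as a host path and refused` would record the intent. Only `Binds` is inspected in this hunk, and the `partialContainer` struct is declared outside it, so confirm whether `HostConfig.Mounts` entries of type `bind` are decoded and checked the same way. The function body starts and ends outside the hunk.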
