mirror of
https://github.com/kemko/nomad.git
synced 2026-01-01 16:05:42 +03:00
0d3cd1427f
During allocation directory migration, the client was not checking that any symlinks in the archive aren't pointing to somewhere outside the allocation directory. While task driver sandboxing will protect against processes inside the task from reading/writing thru the symlink, this doesn't protect against the client itself from performing unintended operations outside the sandbox. This changeset includes two changes: * Update the archive unpacking to check the source of symlinks and require that they fall within the sandbox. * Fix a bug in the symlink check where it was using `filepath.Rel` which doesn't work for paths in the sibling directories of the sandbox directory. This bug doesn't appear to be exploitable but caused errors in testing. Fixes: https://github.com/hashicorp/nomad/issues/19887
4 lines
154 B
Plaintext
4 lines
154 B
Plaintext
```release-note:security
|
|
migration: Fixed a bug where archives used for migration were not checked for symlinks that escaped the allocation directory
|
|
```
|