feat(checks): Add check to detect Leaky Vessels exploit

Details: https://github.com/snyk/leaky-vessels-static-detector/
aquasecurity · Feb 7, 2024 · c962cb7 · c962cb7
1 parent 38c3895
commit c962cb7
Show file tree

Hide file tree

Showing 2 changed files with 131 additions and 0 deletions.
diff --git a/checks/docker/prevent_sys_workdir_mount_test.rego b/checks/docker/prevent_sys_workdir_mount_test.rego
@@ -0,0 +1,91 @@
+package builtin.dockerfile.DS030
+
+test_basic_denied {
+	r := deny with input as {"Stages": [{"Name": "alpine:3.5", "Commands": [
+		{"Cmd": "from", "Value": ["alpine:3.5"]},
+		{
+			"Cmd": "run",
+			"Value": ["apk add --update py2-pip"],
+		},
+		{
+			"Cmd": "workdir",
+			"Value": ["/proc/self/fd/1"],
+		},
+	]}]}
+
+	count(r) == 1
+	r[_].msg == "WORKDIR path '/proc/self/fd/1' should not mount system directories"
+}
+
+test_no_work_dir_allowed {
+	r := deny with input as {"Stages": [{"Name": "alpine:3.3", "Commands": [
+		{
+			"Cmd": "from",
+			"Value": ["alpine:3.3"],
+		},
+		{
+			"Cmd": "run",
+			"Value": ["apk --no-cache add nginx"],
+		},
+	]}]}
+
+	count(r) == 0
+}
+
+test_non_sys_work_dir_allowed {
+	r := deny with input as {"Stages": [{"Name": "alpine:3.3", "Commands": [
+		{
+			"Cmd": "from",
+			"Value": ["alpine:3.3"],
+		},
+		{
+			"Cmd": "run",
+			"Value": ["apk --no-cache add nginx"],
+		},
+		{
+			"Cmd": "workdir",
+			"Value": ["/path/to/workdir"],
+		},
+	]}]}
+
+	count(r) == 0
+}
+
+test_absolute_work_dir_with_quotes_allowed {
+	r := deny with input as {"Stages": [{"Name": "alpine:3.3", "Commands": [
+		{
+			"Cmd": "from",
+			"Value": ["alpine:3.3"],
+		},
+		{
+			"Cmd": "run",
+			"Value": ["apk --no-cache add nginx"],
+		},
+		{
+			"Cmd": "workdir",
+			"Value": ["\"/path/to/workdir\""],
+		},
+	]}]}
+
+	count(r) == 0
+}
+
+test_absolute_work_dir_with_quotes_with_sys_dir_denied {
+	r := deny with input as {"Stages": [{"Name": "alpine:3.3", "Commands": [
+		{
+			"Cmd": "from",
+			"Value": ["alpine:3.3"],
+		},
+		{
+			"Cmd": "run",
+			"Value": ["apk --no-cache add nginx"],
+		},
+		{
+			"Cmd": "workdir",
+			"Value": ["\"/proc/self/fd/1\""],
+		},
+	]}]}
+
+	count(r) == 1
+	r[_].msg == "WORKDIR path '\"/proc/self/fd/1\"' should not mount system directories"
+}
diff --git a/checks/docker/prevent_sys_workdir_mounts.rego b/checks/docker/prevent_sys_workdir_mounts.rego
@@ -0,0 +1,40 @@
+# METADATA
+# title: "WORKDIR should not be mounted on system dirs"
+# description: "WORKDIR should not be mounted on system directories to avoid container breakouts"
+# scope: package
+# schemas:
+# - input: schema["dockerfile"]
+# related_resources:
+# - https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#workdir
+# custom:
+#   id: DS030
+#   avd_id: AVD-DS-0030
+#   severity: HIGH
+#   short_code: avoid-sys-workdir-mounts
+#   recommended_action: "Avoid using system directories to mount WORKDIR"
+#   input:
+#     selector:
+#     - type: dockerfile
+package builtin.dockerfile.DS030
+
+import data.lib.docker
+
+sysdirs := {"/proc", "/boot", "/dev", "/initrd", "/lost+found"}
+
+is_workdir_in_sysdirs[output] {
+	workdir := docker.workdir[_]
+	arg := workdir.Value[0]
+
+    trimmed := trim(arg, "\"")
+    startswith(trimmed, sysdirs[_])
+	output := {
+		"cmd": workdir,
+		"arg": arg,
+	}
+}
+
+deny[res] {
+	output := is_workdir_in_sysdirs[_]
+	msg := sprintf("WORKDIR path '%s' should not mount system directories", [output.arg])
+	res := result.new(msg, output.cmd)
+}