fix CVE-2024-10220

Signed-off-by: liuxu <liuxu156@huawei.com>
2024-12-05 11:06:32 +08:00 · 2024-12-05 11:06:32 +08:00 · fe15e15e97
commit fe15e15e97
parent d8397b11a3
2 changed files with 64 additions and 1 deletions
--- a/0021-gitRepo-volume-directory-must-be-max-1-level-deep.patch
+++ b/0021-gitRepo-volume-directory-must-be-max-1-level-deep.patch
@ -0,0 +1,56 @@
 From c7846fd24c16266a3bfd86315171f5b4d5f0c9c9 Mon Sep 17 00:00:00 2001
 From: Imre Rad <imrer@google.com>
 Date: Thu, 25 Apr 2024 14:21:51 +0000
 Subject: [PATCH] gitRepo volume: directory must be max 1 level deep
 More details on Hackerone #2266560
 ---
 pkg/volume/git_repo/git_repo.go      |  6 ++++++
 pkg/volume/git_repo/git_repo_test.go | 14 ++++++++++++++
 2 files changed, 20 insertions(+)
 diff --git a/pkg/volume/git_repo/git_repo.go b/pkg/volume/git_repo/git_repo.go
 index 995018d9007..b3827b92ad0 100644
 --- a/pkg/volume/git_repo/git_repo.go
 +++ b/pkg/volume/git_repo/git_repo.go
@@ -261,6 +261,12 @@ func validateVolume(src *v1.GitRepoVolumeSource) error {
 	if err := validateNonFlagArgument(src.Directory, "directory"); err != nil {
 		return err
 	}
 +	if (src.Revision != "") && (src.Directory != "") {
 +		cleanedDir := filepath.Clean(src.Directory)
 +		if strings.Contains(cleanedDir, "/") || (strings.Contains(cleanedDir, "\\")) {
 +			return fmt.Errorf("%q is not a valid directory, it must not contain a directory separator", src.Directory)
 +		}
 +	}
 	return nil
 }
 diff --git a/pkg/volume/git_repo/git_repo_test.go b/pkg/volume/git_repo/git_repo_test.go
 index 5b1461be892..650f765cc48 100644
 --- a/pkg/volume/git_repo/git_repo_test.go
 +++ b/pkg/volume/git_repo/git_repo_test.go
@@ -267,6 +267,20 @@ func TestPlugin(t *testing.T) {
 			},
 			isExpectedFailure: true,
 		},
 +		{
 +			name: "invalid-revision-directory-combo",
 +			vol: &v1.Volume{
 +				Name: "vol1",
 +				VolumeSource: v1.VolumeSource{
 +					GitRepo: &v1.GitRepoVolumeSource{
 +						Repository: gitURL,
 +						Revision:   "main",
 +						Directory:  "foo/bar",
 +					},
 +				},
 +			},
 +			isExpectedFailure: true,
 +		},
 	}
 	for _, scenario := range scenarios {
 -- 
 2.34.1
--- a/kubernetes.spec
+++ b/kubernetes.spec
@ -3,7 +3,7 @@
 Name:         kubernetes
 Version:      1.20.2
-Release:      25
+Release:      26
 Summary:      Container cluster management
 License:      ASL 2.0
 URL:          https://k8s.io/kubernetes
@ -44,6 +44,7 @@ Patch6016: 0017-backport-Fix-kubelet-panic-when-allocate-resource-for-pod.patch
 Patch6017: 0018-backport-reduce-configmap-and-secret-watch-of-kubelet.patch
 Patch6018: 0019-backport-Don-t-prematurely-close-reflectors-in-case-of-slow-i.patch
 Patch6019: 0020-backport-Fix-cpu-share-issues-on-systems-with-large-amounts-o.patch
 Patch6020: 0021-gitRepo-volume-directory-must-be-max-1-level-deep.patch
 %description
 Container cluster management.
@ -275,6 +276,12 @@ getent passwd kube >/dev/null || useradd -r -g kube -d / -s /sbin/nologin \
 %systemd_postun kubelet kube-proxy
 %changelog
 * Thu Dec 05 2024 liuxu <liuxu156@huawei.com> - 1.20.2-26
 - Type:bugfix
 - CVE:NA
 - SUG:NA
 - DESC:fix CVE-2024-10220
 * Tue Aug 27 2024 zhaoxiaohu <zhaoxiaohu@kuaishou.com> - 1.20.2-25
 - Type:bugfix
 - CVE:NA