Bug 1376957

Summary: docker-novolume-plugin: bypass authorization (request uri regexp check fails)
Product: [Fedora] Fedora Reporter: Antonio Murdaca <amurdaca>
Component: dockerAssignee: Antonio Murdaca <amurdaca>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 23CC: adimania, admiller, amurdaca, dwalsh, extras-qa, ichavero, jcajka, jchaloup, lsm5, marianne, miminar, nalin, riek, vbatts
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1376954 Environment:
Last Closed: 2016-09-17 08:51:01 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1376954    
Bug Blocks: 1376956    

Description Antonio Murdaca 2016-09-16 22:50:52 UTC 
+++ This bug was initially created as a clone of Bug #1376954 +++

Description of problem:

By using %2f instead of / in the URI path the plugin's
regex to hook specific docker API requests can be bypassed, allowing a user to
bypass the authorization plugin.


Version-Release number of selected component (if applicable):


How reproducible:
always

Steps to Reproduce:
1. enable docker-novolume-plugin
2. docker create --name anonvol -v /test fedora bash
3. curl -vvv -X POST http://127.0.0.1:8080/containers/anonvol%2fstart

Actual results:

The plugin fails the request URI check because it doesn't decode %2f and allows to start the container which contains an anonymous volume.

Expected results:

The plugin should just block any attempt to start a container with anonymous volumes - the fix to this is to url.QueryUnescape the request URI received by the plugin.

Additional info:

the Docker CLI is not affected by this.

--- Additional comment from Antonio Murdaca on 2016-09-16 18:48:10 EDT ---

code already fixed in projectatomic/docker-novolume-plugin master branch - rebuilding and submitting an update shortly