Insecure service configuration - Docker - Docker

Need

Secure configuration of Docker services

Context

  • Usage of Docker for containerizing and deploying applications
  • Usage of Ubuntu 18.04 as the operating system for development or deployment

Description

Non compliant code

        FROM ubuntu:18.04
        ADD malicious.tar.gz /var/www/html/

In the above Dockerfile, the ADD command is used to copy the malicious.tar.gz file from the local system to the /var/www/html/ directory in the Docker container.

The ADD command in Docker automatically extracts a local tar archive, including a compressed one, when copying it into the container. This can be beneficial in some cases, but it also creates a significant security risk.

In this case, if the malicious.tar.gz file contains a zip bomb or is crafted to exploit the Zip Slip vulnerability, it could cause damage as soon as it is extracted in the Docker container. A zip bomb is a malicious archive file designed to crash or render useless the program or system reading it, because its contents are extremely large once unpacked. Zip Slip is a form of directory traversal that is exploited when files are extracted from an archive.

The ADD command is also more prone to cache invalidation issues, which can lead to unexpected behavior in your Docker builds.

The recommended way to copy files in a Dockerfile is to use the COPY command, which does not have these security issues and is less prone to cache invalidation issues.

Steps

  • Replace the ADD command with the COPY command
  • Specify the source file or directory and the destination directory in the COPY command
  • Ensure that the source file or directory is not a compressed archive file that could potentially contain malicious content

Compliant code

        FROM ubuntu:18.04
        COPY malicious.tar.gz /var/www/html/

The original code was using the ADD command to copy a tar file from the local system to the Docker image. This is a potential security risk as the ADD command automatically extracts tar files, which could lead to the exploitation of vulnerabilities such as zip bombs and Zip Slip.

The fixed code replaces the ADD command with the COPY command. The COPY command simply copies the file or directory from the local system to the Docker image without extracting it. This reduces the risk of automatic activation of potential vulnerabilities contained within the tar file.

Please note that the COPY command requires that the source file or directory and the destination directory be specified. Also, it is important to ensure that the source file or directory does not contain any compressed archive files that could potentially contain malicious content.
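One way to vet an archive before it enters a build or is unpacked later, shown as an added example that is not part of the original page: it reads only the tar headers and reports entries that would land outside the destination (the Zip Slip case) and archives whose unpacked size is out of proportion to their compressed size (the zip bomb case). The function names, the size and ratio limits, and the in-memory sample builder are assumptions chosen for illustration.

```python
import io
import posixpath
import tarfile

MAX_UNPACKED = 100 * 1024 * 1024  # assumed size budget, tune per project
MAX_RATIO = 100                   # assumed unpacked/compressed ceiling


def inside(path, root):
    """True if the normalised path is root itself or lies beneath it."""
    return path == root or path.startswith(root.rstrip("/") + "/")


def audit_tar(data, dest="/var/www/html"):
    """List findings for a tar archive by reading headers only (no extraction)."""
    findings, total = [], 0
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in tar:
            target = posixpath.normpath(posixpath.join(dest, m.name))
            if not inside(target, dest):
                findings.append("traversal: " + m.name)
            if m.issym() or m.islnk():
                # Symlink targets resolve from the link's own directory,
                # hard-link targets from the extraction root.
                base = posixpath.dirname(target) if m.issym() else dest
                link = posixpath.normpath(posixpath.join(base, m.linkname))
                if not inside(link, dest):
                    findings.append("link escape: " + m.name)
            total += m.size
    if total > MAX_UNPACKED:
        findings.append("unpacked size over budget")
    if total > MAX_RATIO * len(data):
        findings.append("compression ratio over limit")
    return findings


def build_sample(files, links=()):
    """Constructed test input: build a .tar.gz in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
        for name, target in links:
            info = tarfile.TarInfo(name)
            info.type, info.linkname = tarfile.SYMTYPE, target
            tar.addfile(info)
    return buf.getvalue()
```

Run `audit_tar` on the archive bytes in CI and fail the build on any finding; an empty list means no entry escapes the destination and the size limits hold.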
