[Buildroot] [PATCH v1 1/2] package/docker-engine: backport fix for host header check
Christian Stewart
christian at aperture.us
Mon Jul 17 04:10:46 UTC 2023
Go 1.20.6 and 1.19.11 include a security check of the http Host header:
https://github.com/golang/go/issues/60374
docker-cli does not satisfy this check:
$ docker exec -it ctr bash
http: invalid Host header
This is a backported patch to fix this issue:
Issue: https://github.com/moby/moby/issues/45935
Upstream PR: https://github.com/moby/moby/pull/45942
The upstream PR has been merged and will be included in v24.0.5.
Signed-off-by: Christian Stewart <christian at aperture.us>
---
...dummy-hostname-to-use-for-local-conn.patch | 174 ++++++++++++++++++
...a-dummy-hostname-for-local-connectio.patch | 69 +++++++
2 files changed, 243 insertions(+)
create mode 100644 package/docker-engine/0001-client-define-a-dummy-hostname-to-use-for-local-conn.patch
create mode 100644 package/docker-engine/0002-pkg-plugins-use-a-dummy-hostname-for-local-connectio.patch
diff --git a/package/docker-engine/0001-client-define-a-dummy-hostname-to-use-for-local-conn.patch b/package/docker-engine/0001-client-define-a-dummy-hostname-to-use-for-local-conn.patch
new file mode 100644
index 0000000000..c5f8d1eb71
--- /dev/null
+++ b/package/docker-engine/0001-client-define-a-dummy-hostname-to-use-for-local-conn.patch
@@ -0,0 +1,174 @@
+From 8ced4331e5e3a6760465a8ce2bd42c66d3232c96 Mon Sep 17 00:00:00 2001
+From: Sebastiaan van Stijn <github at gone.nl>
+Date: Wed, 12 Jul 2023 14:15:38 +0200
+Subject: [PATCH] client: define a "dummy" hostname to use for local
+ connections
+
+Go 1.20.6 and 1.19.11 include a security check of the http Host header:
+
+ https://github.com/golang/go/issues/60374
+
+This is a backported patch to fix this issue.
+
+Issue: https://github.com/moby/moby/issues/45935
+Upstream PR: https://github.com/moby/moby/pull/45942
+
+The upstream PR has been merged and will be included in v24.0.5.
+
+Signed-off-by: Christian Stewart <christian at aperture.us>
+
+---
+
+For local communications (npipe://, unix://), the hostname is not used,
+but we need valid and meaningful hostname.
+
+The current code used the client's `addr` as hostname in some cases, which
+could contain the path for the unix-socket (`/var/run/docker.sock`), which
+gets rejected by go1.20.6 and go1.19.11 because of a security fix for
+[CVE-2023-29406 ][1], which was implemented in https://go.dev/issue/60374.
+
+Prior versions go Go would clean the host header, and strip slashes in the
+process, but go1.20.6 and go1.19.11 no longer do, and reject the host
+header.
+
+This patch introduces a `DummyHost` const, and uses this dummy host for
+cases where we don't need an actual hostname.
+
+Before this patch (using go1.20.6):
+
+ make GO_VERSION=1.20.6 TEST_FILTER=TestAttach test-integration
+ === RUN TestAttachWithTTY
+ attach_test.go:46: assertion failed: error is not nil: http: invalid Host header
+ --- FAIL: TestAttachWithTTY (0.11s)
+ === RUN TestAttachWithoutTTy
+ attach_test.go:46: assertion failed: error is not nil: http: invalid Host header
+ --- FAIL: TestAttachWithoutTTy (0.02s)
+ FAIL
+
+With this patch applied:
+
+ make GO_VERSION=1.20.6 TEST_FILTER=TestAttach test-integration
+ INFO: Testing against a local daemon
+ === RUN TestAttachWithTTY
+ --- PASS: TestAttachWithTTY (0.12s)
+ === RUN TestAttachWithoutTTy
+ --- PASS: TestAttachWithoutTTy (0.02s)
+ PASS
+
+[1]: https://github.com/advisories/GHSA-f8f7-69v5-w4vx
+
+Signed-off-by: Sebastiaan van Stijn <github at gone.nl>
+(cherry picked from commit 92975f0c11f0566cc3c36659f5e3bb9faf5cb176)
+Signed-off-by: Sebastiaan van Stijn <github at gone.nl>
+---
+ client/client.go | 30 ++++++++++++++++++++++++++++++
+ client/hijack.go | 6 +++++-
+ client/request.go | 10 ++++------
+ client/request_test.go | 4 ++--
+ 4 files changed, 41 insertions(+), 9 deletions(-)
+
+diff --git a/client/client.go b/client/client.go
+index 1c081a51ae..54fa36cca8 100644
+--- a/client/client.go
++++ b/client/client.go
+@@ -56,6 +56,36 @@ import (
+ "github.com/pkg/errors"
+ )
+
++// DummyHost is a hostname used for local communication.
++//
++// It acts as a valid formatted hostname for local connections (such as "unix://"
++// or "npipe://") which do not require a hostname. It should never be resolved,
++// but uses the special-purpose ".localhost" TLD (as defined in [RFC 2606, Section 2]
++// and [RFC 6761, Section 6.3]).
++//
++// [RFC 7230, Section 5.4] defines that an empty header must be used for such
++// cases:
++//
++// If the authority component is missing or undefined for the target URI,
++// then a client MUST send a Host header field with an empty field-value.
++//
++// However, [Go stdlib] enforces the semantics of HTTP(S) over TCP, does not
++// allow an empty header to be used, and requires req.URL.Scheme to be either
++// "http" or "https".
++//
++// For further details, refer to:
++//
++// - https://github.com/docker/engine-api/issues/189
++// - https://github.com/golang/go/issues/13624
++// - https://github.com/golang/go/issues/61076
++// - https://github.com/moby/moby/issues/45935
++//
++// [RFC 2606, Section 2]: https://www.rfc-editor.org/rfc/rfc2606.html#section-2
++// [RFC 6761, Section 6.3]: https://www.rfc-editor.org/rfc/rfc6761#section-6.3
++// [RFC 7230, Section 5.4]: https://datatracker.ietf.org/doc/html/rfc7230#section-5.4
++// [Go stdlib]: https://github.com/golang/go/blob/6244b1946bc2101b01955468f1be502dbadd6807/src/net/http/transport.go#L558-L569
++const DummyHost = "api.moby.localhost"
++
+ // ErrRedirect is the error returned by checkRedirect when the request is non-GET.
+ var ErrRedirect = errors.New("unexpected redirect in response")
+
+diff --git a/client/hijack.go b/client/hijack.go
+index 6bdacab10a..4dcaaca4c5 100644
+--- a/client/hijack.go
++++ b/client/hijack.go
+@@ -64,7 +64,11 @@ func fallbackDial(proto, addr string, tlsConfig *tls.Config) (net.Conn, error) {
+ }
+
+ func (cli *Client) setupHijackConn(ctx context.Context, req *http.Request, proto string) (net.Conn, string, error) {
+- req.Host = cli.addr
++ req.URL.Host = cli.addr
++ if cli.proto == "unix" || cli.proto == "npipe" {
++ // Override host header for non-tcp connections.
++ req.Host = DummyHost
++ }
+ req.Header.Set("Connection", "Upgrade")
+ req.Header.Set("Upgrade", proto)
+
+diff --git a/client/request.go b/client/request.go
+index c799095c12..bcedcf3bd9 100644
+--- a/client/request.go
++++ b/client/request.go
+@@ -96,16 +96,14 @@ func (cli *Client) buildRequest(method, path string, body io.Reader, headers hea
+ return nil, err
+ }
+ req = cli.addHeaders(req, headers)
++ req.URL.Scheme = cli.scheme
++ req.URL.Host = cli.addr
+
+ if cli.proto == "unix" || cli.proto == "npipe" {
+- // For local communications, it doesn't matter what the host is. We just
+- // need a valid and meaningful host name. (See #189)
+- req.Host = "docker"
++ // Override host header for non-tcp connections.
++ req.Host = DummyHost
+ }
+
+- req.URL.Host = cli.addr
+- req.URL.Scheme = cli.scheme
+-
+ if expectedPayload && req.Header.Get("Content-Type") == "" {
+ req.Header.Set("Content-Type", "text/plain")
+ }
+diff --git a/client/request_test.go b/client/request_test.go
+index 6e5a6e81f2..50b09d954c 100644
+--- a/client/request_test.go
++++ b/client/request_test.go
+@@ -29,12 +29,12 @@ func TestSetHostHeader(t *testing.T) {
+ }{
+ {
+ "unix:///var/run/docker.sock",
+- "docker",
++ DummyHost,
+ "/var/run/docker.sock",
+ },
+ {
+ "npipe:////./pipe/docker_engine",
+- "docker",
++ DummyHost,
+ "//./pipe/docker_engine",
+ },
+ {
+--
+2.41.0
+
diff --git a/package/docker-engine/0002-pkg-plugins-use-a-dummy-hostname-for-local-connectio.patch b/package/docker-engine/0002-pkg-plugins-use-a-dummy-hostname-for-local-connectio.patch
new file mode 100644
index 0000000000..5bd8682927
--- /dev/null
+++ b/package/docker-engine/0002-pkg-plugins-use-a-dummy-hostname-for-local-connectio.patch
@@ -0,0 +1,69 @@
+From 09306e7eb3c26ade69ef1e4c99d5b1fd9c0b7364 Mon Sep 17 00:00:00 2001
+From: Sebastiaan van Stijn <github at gone.nl>
+Date: Wed, 12 Jul 2023 15:07:59 +0200
+Subject: [PATCH] pkg/plugins: use a dummy hostname for local connections
+
+For local communications (npipe://, unix://), the hostname is not used,
+but we need valid and meaningful hostname.
+
+The current code used the socket path as hostname, which gets rejected by
+go1.20.6 and go1.19.11 because of a security fix for [CVE-2023-29406 ][1],
+which was implemented in https://go.dev/issue/60374.
+
+Prior versions go Go would clean the host header, and strip slashes in the
+process, but go1.20.6 and go1.19.11 no longer do, and reject the host
+header.
+
+Before this patch, tests would fail on go1.20.6:
+
+ === FAIL: pkg/authorization TestAuthZRequestPlugin (15.01s)
+ time="2023-07-12T12:53:45Z" level=warning msg="Unable to connect to plugin: //tmp/authz2422457390/authz-test-plugin.sock/AuthZPlugin.AuthZReq: Post \"http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq\": http: invalid Host header, retrying in 1s"
+ time="2023-07-12T12:53:46Z" level=warning msg="Unable to connect to plugin: //tmp/authz2422457390/authz-test-plugin.sock/AuthZPlugin.AuthZReq: Post \"http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq\": http: invalid Host header, retrying in 2s"
+ time="2023-07-12T12:53:48Z" level=warning msg="Unable to connect to plugin: //tmp/authz2422457390/authz-test-plugin.sock/AuthZPlugin.AuthZReq: Post \"http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq\": http: invalid Host header, retrying in 4s"
+ time="2023-07-12T12:53:52Z" level=warning msg="Unable to connect to plugin: //tmp/authz2422457390/authz-test-plugin.sock/AuthZPlugin.AuthZReq: Post \"http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq\": http: invalid Host header, retrying in 8s"
+ authz_unix_test.go:82: Failed to authorize request Post "http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq": http: invalid Host header
+
+[1]: https://github.com/advisories/GHSA-f8f7-69v5-w4vx
+
+Signed-off-by: Sebastiaan van Stijn <github at gone.nl>
+(cherry picked from commit 6b7705d5b29e226a24902a8dcc488836faaee33c)
+Signed-off-by: Sebastiaan van Stijn <github at gone.nl>
+---
+ pkg/plugins/client.go | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/pkg/plugins/client.go b/pkg/plugins/client.go
+index 752fecd0ae..e683eb777d 100644
+--- a/pkg/plugins/client.go
++++ b/pkg/plugins/client.go
+@@ -18,6 +18,12 @@ import (
+
+ const (
+ defaultTimeOut = 30
++
++ // dummyHost is a hostname used for local communication.
++ //
++ // For local communications (npipe://, unix://), the hostname is not used,
++ // but we need valid and meaningful hostname.
++ dummyHost = "plugin.moby.localhost"
+ )
+
+ func newTransport(addr string, tlsConfig *tlsconfig.Options) (transport.Transport, error) {
+@@ -44,8 +50,12 @@ func newTransport(addr string, tlsConfig *tlsconfig.Options) (transport.Transpor
+ return nil, err
+ }
+ scheme := httpScheme(u)
+-
+- return transport.NewHTTPTransport(tr, scheme, socket), nil
++ hostName := u.Host
++ if hostName == "" || u.Scheme == "unix" || u.Scheme == "npipe" {
++ // Override host header for non-tcp connections.
++ hostName = dummyHost
++ }
++ return transport.NewHTTPTransport(tr, scheme, hostName), nil
+ }
+
+ // NewClient creates a new plugin client (http).
+--
+2.41.0
+
--
2.41.0
More information about the buildroot
mailing list