Insecure service configuration - Docker

Need

Secure configuration of Docker services

Context

• Usage of Docker for containerizing and deploying applications

• Usage of Ubuntu 18.04 as the operating system for development or deployment

Description

1. Non-compliant code

FROM ubuntu:18.04
ADD malicious.tar.gz /var/www/html/

In the Dockerfile above, the `ADD` command copies the `malicious.tar.gz` file from the local system to the `/var/www/html/` directory in the Docker container. The `ADD` command automatically extracts compressed files when copying them into the container. This can be beneficial in some cases, but it also creates a significant security risk.

In this case, if the `malicious.tar.gz` file contains a zip bomb or is crafted to exploit the Zip Slip vulnerability, it could cause damage as soon as it is extracted in the Docker container. A zip bomb is a malicious archive file designed to crash or render useless the program or system reading it, because its contents are extremely large. Zip Slip is a form of directory traversal that can be exploited by extracting files from an archive.

The `ADD` command is also more prone to cache invalidation issues, which can lead to unexpected behavior in your Docker builds. The recommended way to copy files in a Dockerfile is to use the `COPY` command, which does not have these security issues and is less prone to cache invalidation issues.

2. Steps

• Replace the ADD command with the COPY command

• Specify the source file or directory and the destination directory in the COPY command

• Ensure that the source file or directory is not a compressed archive file that could potentially contain malicious content

3. Secure code example

FROM ubuntu:18.04
COPY malicious.tar.gz /var/www/html/

The original code used the `ADD` command to copy a tar file from the local system to the Docker image. This is a potential security risk because the `ADD` command automatically extracts tar files, which could lead to the exploitation of vulnerabilities such as zip bombs and Zip Slip.

The fixed code replaces the `ADD` command with the `COPY` command. The `COPY` command simply copies the file or directory from the local system to the Docker image without extracting it. This reduces the risk of automatic activation of potential vulnerabilities contained within the tar file.

Please note that the `COPY` command requires that the source file or directory and the destination directory be specified. It is also important to ensure that the source file or directory does not contain any compressed archive files that could potentially contain malicious content.
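
One way to carry out the last step before an archive reaches the build context, as an added example that is not part of the original page: a Python check that lists a tar archive's entries without extracting them and reports path traversal, escaping links, device nodes and oversized contents. The function names and the size and entry limits are assumptions chosen for illustration.

```python
import io
import posixpath
import tarfile

MAX_TOTAL_BYTES = 100 * 1024 * 1024  # assumed cap on declared unpacked size
MAX_MEMBERS = 10_000                 # assumed cap on number of entries

def _escapes(path):
    """True if a path, resolved from the extraction root, leaves that root."""
    norm = posixpath.normpath(path)
    return posixpath.isabs(path) or norm == ".." or norm.startswith("../")

def audit_tar(fileobj, max_total=MAX_TOTAL_BYTES, max_members=MAX_MEMBERS):
    """Return a list of findings for a tar archive, reading headers only."""
    findings, total = [], 0
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for count, m in enumerate(tar, 1):
            total += m.size
            if _escapes(m.name):
                findings.append(f"traversal: {m.name}")
            # Symlink targets resolve from the link's directory, hard links from the root.
            base = posixpath.dirname(m.name) if m.issym() else ""
            if (m.issym() or m.islnk()) and _escapes(posixpath.join(base, m.linkname)):
                findings.append(f"link escape: {m.name} -> {m.linkname}")
            if m.isdev():
                findings.append(f"device node: {m.name}")
            if total > max_total or count > max_members:
                findings.append(f"size: over {max_total} bytes or {max_members} entries")
                break  # stop early instead of walking the rest of a bomb
    return findings

def build_sample(entries):
    """Constructed in-memory .tar.gz from (name, symlink_target, data) tuples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, link, data in entries:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            if link:
                info.type, info.linkname = tarfile.SYMTYPE, link
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf
```

An empty list from `audit_tar` means none of these checks fired; it does not vouch for what the files themselves contain.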