diff --git a/CHANGELOG.md b/CHANGELOG.md
index bfbe648..dc3bb30 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Fixed - handle pipelines with missing names +- prevent mounting /run/drone directory ## 1.0.0 ### Added
diff --git a/engine/linter/linter.go b/engine/linter/linter.go
index 34fdee3..bf43c4f 100644
--- a/engine/linter/linter.go
+++ b/engine/linter/linter.go
@@ -7,6 +7,8 @@ package linter
 import (
 "errors"
 "fmt"
+ "path/filepath"
+ "strings"
 
 "github.com/drone-runners/drone-runner-docker/engine/resource"
 )
@@ -123,6 +125,9 @@ func checkStep(step *resource.Step, trusted bool) error {
 case "workspace", "_workspace", "_docker_socket":
 return fmt.Errorf("linter: invalid volume name: %s", mount.Name)
 }
+ if strings.HasPrefix(filepath.Clean(mount.MountPath), "/run/drone") {
+ return fmt.Errorf("linter: cannot mount volume at /run/drone")
+ }
 }
 return nil
 }
diff --git a/engine/linter/linter_test.go b/engine/linter/linter_test.go
index f0fdec6..ab51e33 100644
--- a/engine/linter/linter_test.go
+++ b/engine/linter/linter_test.go
@@ -48,6 +48,14 @@ func TestLint(t *testing.T) {
 invalid: true,
 message: "linter: invalid volume name: _docker_socket",
 },
+ // user should not be trying to mount internal or restricted
+ // volume paths.
+ {
+ path: "testdata/volume_restricted.yml",
+ trusted: false,
+ invalid: true,
+ message: "linter: cannot mount volume at /run/drone",
+ },
 // user should not be able to mount host path
 // volumes unless the repository is trusted.
 {
diff --git a/engine/linter/testdata/volume_restricted.yml b/engine/linter/testdata/volume_restricted.yml
new file mode 100644
index 0000000..3cec94b
--- /dev/null
+++ b/engine/linter/testdata/volume_restricted.yml
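Review bot: The new check in checkStep normalizes a container mount path with `filepath.Clean`, which uses the host OS separator; if the runner binary is built for Windows, `filepath.Clean("/run/drone/env")` comes back with backslashes and the `/run/drone` prefix test never matches, so the restriction silently stops applying there. Container mount paths are slash-separated regardless of the host, so `path.Clean` is the right function: `if strings.HasPrefix(path.Clean(mount.MountPath), "/run/drone") {`, with `"path"` replacing `"path/filepath"` in the import hunk of the same file. The bare prefix test also rejects unrelated siblings such as `/run/drone-cache`; if that is not intended, bind the cleaned value to `p` and compare `p == "/run/drone" || strings.HasPrefix(p, "/run/drone/")` instead. checkStep begins before this hunk, so the declaration and type of the `mount` loop variable are outside view.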
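Review bot: The new TestLint case only exercises a literal nested path (`/run/drone/env` in the fixture), so the `Clean` normalization the linter check depends on is never tested; a second fixture using a non-normalized path such as `/run/x/../drone` or `/run//drone/` would pin that traversal segments and doubled separators are also rejected. The comment above the case could also name the path, e.g. `// user should not be able to mount volumes at the restricted path /run/drone.`, so the expectation is readable without opening the fixture. TestLint starts before this hunk, so the table's field definitions are outside view.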
@@ -0,0 +1,18 @@
+---
+kind: pipeline
+type: docker
+name: linux
+
+steps:
+- name: test
+ image: golang
+ commands:
+ - go build
+ - go test
+ volumes:
+ - name: vol
+ path: /run/drone/env
+
+volumes:
+- name: vol
+ temp: {}
\ No newline at end of file