prevent mounting run/drone directory

CHANGELOG.md

@@ -5,6 +5,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Fixed
 
 - handle pipelines with missing names
+- prevent mounting /run/drone directory
 
 ## 1.0.0
 ### Added

engine/linter/linter.go

@@ -7,6 +7,8 @@ package linter
 import (
 	"errors"
 	"fmt"
+	"path/filepath"
+	"strings"
 
 	"github.com/drone-runners/drone-runner-docker/engine/resource"
 )
@@ -123,6 +125,9 @@ func checkStep(step *resource.Step, trusted bool) error {
 		case "workspace", "_workspace", "_docker_socket":
 			return fmt.Errorf("linter: invalid volume name: %s", mount.Name)
 		}
+		if strings.HasPrefix(filepath.Clean(mount.MountPath), "/run/drone") {
+			return fmt.Errorf("linter: cannot mount volume at /run/drone")
+		}
 	}
 	return nil
 }

engine/linter/linter_test.go

@@ -48,6 +48,14 @@ func TestLint(t *testing.T) {
 			invalid: true,
 			message: "linter: invalid volume name: _docker_socket",
 		},
+		// user should not be trying to mount internal or restricted
+		// volume paths.
+		{
+			path:    "testdata/volume_restricted.yml",
+			trusted: false,
+			invalid: true,
+			message: "linter: cannot mount volume at /run/drone",
+		},
 		// user should not be able to mount host path
 		// volumes unless the repository is trusted.
 		{

engine/linter/testdata/volume_restricted.yml

@@ -0,0 +1,18 @@
+---
+kind: pipeline
+type: docker
+name: linux
+
+steps:
+- name: test
+  image: golang
+  commands:
+  - go build
+  - go test
+  volumes:
+  - name: vol
+    path: /run/drone/env
+
+volumes:
+- name: vol
+  temp: {}