Add Instead of Copy

• Query id: 9513a694-aa0d-41d8-be61-3271e056f36b
• Query name: Add Instead of Copy
• Platform: Dockerfile
• Severity: Medium
• Category: Supply-Chain
• URL: Github

Description

Using ADD to load external installation scripts could lead to an evil web server leveraging this and loading a malicious script.
Documentation

Code samples

Code samples with security vulnerabilities

Postitive test num. 1 - dockerfile file

FROM openjdk:10-jdk
VOLUME /tmp
ADD http://source.file/package.file.tar.gz /temp
RUN tar -xjf /temp/package.file.tar.gz \
  && make -C /tmp/package.file \
  && rm /tmp/ package.file.tar.gz
ARG JAR_FILE
ADD ${JAR_FILE} app.jar
ENTRYPOINT ["java","-Djava.security.egd=file:/dev/./urandom","-jar","/app.jar"]

Code samples without security vulnerabilities

Negative test num. 1 - dockerfile file

FROM openjdk:10-jdk
VOLUME /tmp
ARG JAR_FILE
COPY ${JAR_FILE} app.jar
ENTRYPOINT ["java","-Djava.security.egd=file:/dev/./urandom","-jar","/app.jar"]
ADD http://source.file/package.file.tar.gz /temp
RUN tar -xjf /temp/package.file.tar.gz \
  && make -C /tmp/package.file \
  && rm /tmp/ package.file.tar.gz
# trigger validation