Add Instead of Copy
- Query id: 9513a694-aa0d-41d8-be61-3271e056f36b
- Query name: Add Instead of Copy
- Platform: Dockerfile
- Severity: Medium
- Category: Supply-Chain
- URL: Github
Description¶
Using ADD to load external installation scripts could lead to an evil web server leveraging this and loading a malicious script.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Postitive test num. 1 - dockerfile file
FROM openjdk:10-jdk
VOLUME /tmp
ADD http://source.file/package.file.tar.gz /temp
RUN tar -xjf /temp/package.file.tar.gz \
&& make -C /tmp/package.file \
&& rm /tmp/ package.file.tar.gz
ARG JAR_FILE
ADD ${JAR_FILE} app.jar
ENTRYPOINT ["java","-Djava.security.egd=file:/dev/./urandom","-jar","/app.jar"]
Code samples without security vulnerabilities¶
Negative test num. 1 - dockerfile file
FROM openjdk:10-jdk
VOLUME /tmp
ARG JAR_FILE
COPY ${JAR_FILE} app.jar
ENTRYPOINT ["java","-Djava.security.egd=file:/dev/./urandom","-jar","/app.jar"]
ADD http://source.file/package.file.tar.gz /temp
RUN tar -xjf /temp/package.file.tar.gz \
&& make -C /tmp/package.file \
&& rm /tmp/ package.file.tar.gz
# trigger validation