Volume Has Sensitive Host Directory

  • Query id: 1c1325ff-831d-43a1-973e-839ae57dfcc0
  • Query name: Volume Has Sensitive Host Directory
  • Platform: DockerCompose
  • Severity: High
  • Category: Build Process
  • CWE: 668
  • URL: Github

Description

Container has sensitive host directory mounted as a volume
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
version: "3.9"

services:
  db:
    image: db
    volumes:
      - data-volume:/var/lib/db
  backup:
    image: backup-service
    volumes:
      - /var/lib/backup/data

volumes:
  data-volume:
Positive test num. 2 - yaml file
version: "3.9"
services:
  web:
    image: nginx:alpine
    volumes:
      - type: volume
        source: vol
        target: /data
        volume:
          nocopy: true
      - type: bind
        source: ./static
        target: /opt/app/static
volumes:
  vol:
    driver: local
    driver_opts:
      device: /var/lib/backup/data
      o: bind
Positive test num. 3 - yaml file
version: '3'

services:
    image: docker
volumes:
  wordpress-db-data:
     driver: local-persist
     driver_opts:
       mountpoint: ${CONTAINERVOLUME}/dockerData/mysql
  wordpress:
  wp-content:
     driver: local-persist
     driver_opts:
       mountpoint: /var/data

Positive test num. 4 - yaml file 
version: "3.8"

services:
  yesno:
    image: docker.encEx.com/yesno/yesno:v1.1
    container_name: "yesno-${MODE}"
    entrypoint: "/bin/sh"
    restart: unless-stopped
    volumes:
      - type: bind
        source: /etc/exercise
        target: /etc/exercise
      - type: volume
        source: yesno-1
        target: /var/www/yesno
      - type: volume
        source: yesno-2
        target: /var/lib/exercise
volumes:
  yesno-1:
    name: yesno-1
  yesno-2:
    name: yesno-2

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
version: "3"
services:
    proxy:
        build: ./pyproxy
        deploy:
            mode: replicated
            placement:
                constraints: [node.role == manager]
            replicas: 8
        depends_on:
          - storage-node-1
          - storage-node-2
          - storage-node-3
          - storage-node-4
          - storage-node-5
          - storage-node-6
          - storage-node-7
          - storage-node-8
          - storage-node-9
          - storage-node-10
          - storage-node-11
          - storage-node-12
          - storage-node-13
          - storage-node-14
          - storage-node-15
          - storage-node-16
    zoo1:
        image: zookeeper
        restart: always
        ports:
          - 2181:2181
        environment:
          - ZOO_MY_ID=1
        deploy:
            mode: replicated
            placement:
                constraints: [node.role == manager]

    metadata:
        image: redis:3.2.8
        command: redis-server --appendonly yes
        deploy:
            mode: replicated
            placement:
                constraints: [node.role == manager]
        volumes:
          - ./volumes/metadata/:/data/
Negative test num. 2 - yaml file
version: '3'

services:
    image: docker
volumes:
  wordpress-db-data:
     driver: local-persist
     driver_opts:
       mountpoint: ${CONTAINERVOLUME}/dockerData/mysql
  wordpress:
  wp-content:
     driver: local-persist
     driver_opts:
       mountpoint: ${CONTAINERVOLUME}/wp-content
Negative test num. 3 - yaml file
version: "3.9"
services:
  web:
    image: nginx:alpine
    ports:
      - "80:80"
    volumes:
      - type: volume
        source: mydata
        target: /data
        volume:
          nocopy: true
      - type: bind
        source: ./static
        target: /opt/app/static

networks:
  webnet:

volumes:
  mydata: