Volume Has Sensitive Host Directory
- Query id: 1c1325ff-831d-43a1-973e-839ae57dfcc0
- Query name: Volume Has Sensitive Host Directory
- Platform: DockerCompose
- Severity: High
- Category: Build Process
- CWE: 668
- URL: Github
Description
A container has a sensitive host directory mounted as a volume.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
---
# Positive sample 1: two services, one using a named volume and one using
# a single-path short-syntax volume entry.
version: "3.9"

services:
  db:
    image: db
    volumes:
      # Named volume (declared in the top-level `volumes:` block below),
      # mounted at /var/lib/db inside the container.
      - data-volume:/var/lib/db

  backup:
    image: backup-service
    volumes:
      # Single-path short syntax. NOTE(review): in Compose a lone path is an
      # anonymous volume at that container path, not a host bind mount; this
      # sample is listed as positive for the query, so confirm how the query
      # treats single-path entries before relying on it.
      - /var/lib/backup/data

volumes:
  # Bare key: declares the named volume with default (null) options.
  data-volume:
Positive test num. 2 - yaml file
---
# Positive sample 2: long-syntax volume entries plus a named volume whose
# `local` driver is configured to bind a host directory.
version: "3.9"

services:
  web:
    image: nginx:alpine
    volumes:
      # Named volume `vol`, mounted at /data; `nocopy` skips copying the
      # image's existing /data contents into the volume on first use.
      - type: volume
        source: vol
        target: /data
        volume:
          nocopy: true
      # Bind mount of a project-relative directory into the container.
      - type: bind
        source: ./static
        target: /opt/app/static

volumes:
  vol:
    driver: local
    driver_opts:
      # `o: bind` with an absolute `device` makes this named volume a bind
      # mount of the host directory /var/lib/backup/data.
      device: /var/lib/backup/data
      o: bind
Positive test num. 3 - yaml file
---
# Positive sample 3: volumes backed by the `local-persist` driver with host
# mountpoints. Structure reconstructed from the flattened listing; the
# `services:` block holds a bare `image:` key rather than a named service,
# and `wordpress:` is an empty (null) entry — both kept as in the sample.
version: '3'

services:
  image: docker

volumes:
  wordpress-db-data:
    driver: local-persist
    driver_opts:
      # Host mountpoint built from an environment variable; the resolved
      # path is only known at deploy time.
      mountpoint: ${CONTAINERVOLUME}/dockerData/mysql

  wordpress:

  wp-content:
    driver: local-persist
    driver_opts:
      # Absolute host directory used as the volume's mountpoint.
      mountpoint: /var/data
Positive test num. 4 - yaml file
---
# Positive sample 4: one bind mount of an absolute host directory alongside
# two named volumes.
version: "3.8"

services:
  yesno:
    image: docker.encEx.com/yesno/yesno:v1.1
    # Quoted because the value is templated from ${MODE}.
    container_name: "yesno-${MODE}"
    entrypoint: "/bin/sh"
    restart: unless-stopped
    volumes:
      # Bind mount: the host directory /etc/exercise is exposed inside the
      # container at the same path.
      - type: bind
        source: /etc/exercise
        target: /etc/exercise
      # Named volumes declared in the top-level `volumes:` block below.
      - type: volume
        source: yesno-1
        target: /var/www/yesno
      - type: volume
        source: yesno-2
        target: /var/lib/exercise

volumes:
  yesno-1:
    name: yesno-1
  yesno-2:
    name: yesno-2
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
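---
# Negative sample 1: no absolute host directory is mounted; the only volume
# is a project-relative bind mount (./volumes/metadata/).
version: "3"

services:
  proxy:
    build: ./pyproxy
    deploy:
      mode: replicated
      placement:
        constraints: [node.role == manager]
      replicas: 8
    depends_on:
      - storage-node-1
      - storage-node-2
      - storage-node-3
      - storage-node-4
      - storage-node-5
      - storage-node-6
      - storage-node-7
      - storage-node-8
      - storage-node-9
      - storage-node-10
      - storage-node-11
      - storage-node-12
      - storage-node-13
      - storage-node-14
      - storage-node-15
      - storage-node-16

  zoo1:
    image: zookeeper
    restart: always
    ports:
      # Port mappings are quoted so that a YAML 1.1 parser cannot read a
      # `host:container` pair as a sexagesimal integer (this particular
      # value already parses as a string; the quoting is defensive).
      - "2181:2181"
    environment:
      - ZOO_MY_ID=1
    deploy:
      mode: replicated
      placement:
        constraints: [node.role == manager]

  metadata:
    image: redis:3.2.8
    command: redis-server --appendonly yes
    deploy:
      mode: replicated
      placement:
        constraints: [node.role == manager]
    volumes:
      # Relative path under the project directory, mounted at /data/.
      - ./volumes/metadata/:/data/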