Volume Mounted In Multiple Containers
- Query id: baa452f0-1f21-4a25-ace5-844e7a5f410d
- Query name: Volume Mounted In Multiple Containers
- Platform: DockerCompose
- Severity: High
- Category: Build Process
- CWE: 668
- URL: Github
Description
Volume mounts should not be shared: the bind 'propagation' option should not be set to 'shared', 'rshared', 'slave', or 'rslave'.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
```yaml
version: "3.2"
services:
  old8k:
    image: notreal
    container_name: "c1"
    restart: always
    expose:
      - 74746
      - 76867
    volumes:
      - type: bind
        source: $ENVVAR/.whew/path/datapath
        target: "/data"
        bind:
          propagation: rshared
```
Positive test num. 2 - yaml file
```yaml
version: "3.2"
services:
  old8k:
    image: notreal
    container_name: "c2"
    restart: always
    expose:
      - 74746
      - 76867
    volumes:
      - type: bind
        source: $ENVVAR/.whew/path/datapath
        target: "/data"
        bind:
          propagation: shared
```
Positive test num. 3 - yaml file
```yaml
version: "3.2"
services:
  old8k:
    image: notreal
    container_name: "c3"
    restart: always
    expose:
      - 74746
      - 76867
    volumes:
      - type: bind
        source: $ENVVAR/.whew/path/datapath
        target: "/data"
        bind:
          propagation: rslave
```
Positive test num. 4 - yaml file
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
```yaml
version: "3.2"
services:
  old8k:
    image: notreal
    container_name: "c5"
    restart: always
    expose:
      - 74746
      - 76867
    volumes:
      - type: bind
        source: $ENVVAR/.whew/path/datapath
        target: "/data"
        bind:
          propagation: private
```
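
The rule described on this page, written as a small stand-alone Python check. This is an example added here, not the query's own implementation; the function name `find_shared_propagation`, the simplified line-based YAML scan, and the sample file are assumptions made for illustration.

```python
import re

# Modes named by the rule above; 'private' (as in the negative test) is not flagged.
FLAGGED = {"shared", "rshared", "slave", "rslave"}
KEY = re.compile(r"^\s*(?:-\s+)?([\w.-]+)\s*:\s*(.*)$")

def find_shared_propagation(compose_text):
    """Return (service, line_no, mode) per flagged value; block-style YAML only."""
    findings = []
    in_services, service_indent, service = False, None, None
    for line_no, raw in enumerate(compose_text.splitlines(), start=1):
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()  # drop comments
        match = KEY.match(line)
        if not match:
            continue
        key, value = match.group(1), match.group(2).strip().strip("'\"")
        indent = len(line) - len(line.lstrip())
        if indent == 0:  # top-level key: only 'services' is inspected
            in_services, service_indent, service = key == "services", None, None
        elif in_services and (service_indent is None or indent == service_indent):
            service_indent, service = indent, key  # a service name
        elif in_services and key == "propagation" and value in FLAGGED:
            findings.append((service, line_no, value))
    return findings

# Constructed sample: service names and paths are made up for this example.
SAMPLE = """\
services:
  app:
    volumes:
      - type: bind
        source: ./data
        target: /data
        bind:
          propagation: rslave   # flagged
  cache:
    volumes:
      - type: bind
        source: ./cache
        target: /cache
        bind:
          propagation: "private"
"""

if __name__ == "__main__":
    for service, line_no, mode in find_shared_propagation(SAMPLE):
        print(f"line {line_no}: service '{service}' uses propagation '{mode}'")
```

The scan does not handle flow-style mappings, anchors or merged keys, so a real YAML parser is needed for files that use them.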