Volume Mounted In Multiple Containers

  • Query id: baa452f0-1f21-4a25-ace5-844e7a5f410d
  • Query name: Volume Mounted In Multiple Containers
  • Platform: DockerCompose
  • Severity: High
  • Category: Build Process
  • CWE: 668
  • URL: Github

Description

Bind mounts should not use shared mount propagation: the 'propagation' option under 'bind' should not be set to 'shared', 'rshared', 'slave', or 'rslave'. With 'shared' or 'rshared', any mount the container creates under the target path propagates back to the host and to every other container that bind-mounts the same source; with 'slave' or 'rslave', mounts made on the host side propagate into the container. In both cases the container's view of the filesystem stops being isolated from other containers and the host (CWE-668, exposure of a resource to the wrong sphere). Use 'private' or 'rprivate', which is Docker's default when the option is omitted, unless the container is a trusted component that genuinely needs to see or publish sub-mounts. Propagation applies only to bind mounts on Linux hosts; named volumes have no such option.
Documentation
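As an added example (not KICS code and not part of this page's query), the rule above reduced to a small checker over a parsed Compose document: it walks every service's long-syntax bind volumes and reports any whose bind.propagation is one of the shared or slave modes. The sample Compose structure is constructed here in already-parsed form and mirrors the positive and negative tests on this page; the only assumption is that PyYAML is installed if you call check_compose_file on a real file.

```python
"""Minimal re-implementation of the rule "bind.propagation must not be
shared/rshared/slave/rslave" for Compose files. Added example, not KICS code."""
from typing import Any, Dict, List

# Modes the rule rejects: sub-mounts leak out of the container (shared/rshared)
# or host sub-mounts leak in (slave/rslave).
SHARED_PROPAGATION = {"shared", "rshared", "slave", "rslave"}
# Accepted modes; rprivate is also Docker's default when the option is omitted.
PRIVATE_PROPAGATION = {"private", "rprivate"}


def find_shared_bind_mounts(compose: Dict[str, Any]) -> List[Dict[str, str]]:
    """Return one finding per long-syntax bind volume with a shared/slave
    propagation mode. Short-syntax volume strings and non-bind volume types
    carry no propagation field and are skipped; a missing field means the
    Docker default (rprivate) and is accepted."""
    findings: List[Dict[str, str]] = []
    services = compose.get("services") or {}
    for name, service in services.items():
        for vol in (service or {}).get("volumes") or []:
            if not isinstance(vol, dict):
                continue  # short syntax "src:dst[:mode]" has no propagation option
            if vol.get("type") != "bind":
                continue  # named volumes / tmpfs have no propagation option
            propagation = (vol.get("bind") or {}).get("propagation")
            if propagation is None:
                continue  # omitted -> rprivate (default), accepted
            mode = str(propagation).strip().lower()
            if mode in SHARED_PROPAGATION:
                findings.append({
                    "service": str(name),
                    "target": str(vol.get("target", "")),
                    "propagation": mode,
                })
    return findings


def check_compose_file(path: str) -> List[Dict[str, str]]:
    """Load a Compose file with PyYAML (assumed installed) and run the check."""
    import yaml  # imported lazily so the checker itself needs no extra dependency
    with open(path, encoding="utf-8") as fh:
        return find_shared_bind_mounts(yaml.safe_load(fh) or {})


# Constructed sample in parsed form: c1 matches the page's positive test 1
# (rshared), c6 its negative test 2 (rprivate), c7 its negative test 3
# (propagation omitted), and c8 uses short syntax with no propagation at all.
SAMPLE_COMPOSE: Dict[str, Any] = {
    "version": "3.2",
    "services": {
        "c1": {"image": "notreal", "volumes": [
            {"type": "bind", "source": "/srv/data", "target": "/data",
             "bind": {"propagation": "rshared"}}]},
        "c6": {"image": "notreal", "volumes": [
            {"type": "bind", "source": "/srv/data", "target": "/data",
             "bind": {"propagation": "rprivate"}}]},
        "c7": {"image": "notreal", "volumes": [
            {"type": "bind", "source": "/srv/data", "target": "/data"}]},
        "c8": {"image": "notreal", "volumes": ["/srv/data:/data:ro"]},
    },
}


if __name__ == "__main__":
    for finding in find_shared_bind_mounts(SAMPLE_COMPOSE):
        print("service %(service)s mounts %(target)s with propagation=%(propagation)s" % finding)
```

Only the long-syntax 'bind.propagation' key is inspected, which matches what the samples on this page exercise; if you also pass propagation flags through other tooling (for example 'docker run --mount ...,bind-propagation=rshared'), that path needs its own check.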

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
version: "3.2"
services:
  old8k:
    image: notreal
    container_name: "c1"
    restart: always
    expose:
      - 74746
      - 76867
    volumes:
      - type: bind
        source: $ENVVAR/.whew/path/datapath
        target: "/data"
        bind:
          propagation: rshared

Positive test num. 2 - yaml file
version: "3.2"
services:
  old8k:
    image: notreal
    container_name: "c2"
    restart: always
    expose:
      - 74746
      - 76867
    volumes:
      - type: bind
        source: $ENVVAR/.whew/path/datapath
        target: "/data"
        bind:
          propagation: shared

Positive test num. 3 - yaml file
version: "3.2"
services:
  old8k:
    image: notreal
    container_name: "c3"
    restart: always
    expose:
      - 74746
      - 76867
    volumes:
      - type: bind
        source: $ENVVAR/.whew/path/datapath
        target: "/data"
        bind:
          propagation: rslave

Positive test num. 4 - yaml file
version: "3.2"
services:
  old8k:
    image: notreal
    container_name: "c4"
    restart: always
    expose:
      - 74746
      - 76867
    volumes:
      - type: bind
        source: $ENVVAR/.whew/path/datapath
        target: "/data"
        bind:
          propagation: slave

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
version: "3.2"
services:
  old8k:
    image: notreal
    container_name: "c5"
    restart: always
    expose:
      - 74746
      - 76867
    volumes:
      - type: bind
        source: $ENVVAR/.whew/path/datapath
        target: "/data"
        bind:
          propagation: private

Negative test num. 2 - yaml file
version: "3.2"
services:
  old8k:
    image: notreal
    container_name: "c6"
    restart: always
    expose:
      - 74746
      - 76867
    volumes:
      - type: bind
        source: $ENVVAR/.whew/path/datapath
        target: "/data"
        bind:
          propagation: rprivate # rprivate is the default value

Negative test num. 3 - yaml file
version: "3.2"
services:
  old8k:
    image: notreal
    container_name: "c7"
    restart: always
    expose:
      - 74746
      - 76867
    volumes:
      - type: bind
        source: $ENVVAR/.whew/path/datapath
        target: "/data"