Description
We have identified a security vulnerability, CID 111479 [Filesystem path, filename, or URI manipulation], in the api.go file.
Identified Issues:
1️⃣ Tainted Data from User Input (Lines 158-159)
The request (req.Name) is directly obtained from an HTTP request via sdk.DecodeRequest(w, r, req), making it tainted.
This data should be sanitised before further processing to prevent potential security risks.
2️⃣ Path Manipulation Vulnerability (Line 163)
The req.Name parameter is directly passed to the h.driver.Mount(req) function.
If an attacker manipulates the input, it could trick the system into accessing unintended file paths.
Proper validation should be implemented to restrict directory traversal attacks.
Code Patch for Reference:

```go
func (h *Handler) initMux() {
	h.HandleFunc(mountPath, func(w http.ResponseWriter, r *http.Request) {
		// 1️⃣ Tainted Data from User Input
		req := &MountRequest{}
		err := sdk.DecodeRequest(w, r, req)
		if err != nil {
			return
		}
		// 2️⃣ Path Manipulation Vulnerability
		res, err := h.driver.Mount(req) // Issue: Potential directory traversal attack
		if err != nil {
			sdk.EncodeResponse(w, NewErrorResponse(err.Error()), true)
			return
		}
		sdk.EncodeResponse(w, res, false)
	})
}
```

File:
https://github.com/docker/go-plugins-helpers/blob/main/volume/api.go
Expectation:
Check if it is indeed a security issue. If not, please provide the details.
And if it is an issue, then take appropriate action.
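
One way a driver implementation could validate a decoded `Name` before turning it into a filesystem path, shown as an added example that is not code from go-plugins-helpers or from the issue author. The root directory, the name pattern, `ErrBadName` and `ResolveVolumePath` are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
)

// volumeRoot is a hypothetical directory where this example driver keeps volumes.
const volumeRoot = "/var/lib/example-volumes"

// nameRE is an assumed allow-list: a single path component that starts with
// an alphanumeric character, so "", ".", ".." and anything containing a
// separator or NUL byte is rejected before any path is built.
var nameRE = regexp.MustCompile(`^[a-zA-Z0-9][a-zA-Z0-9_.-]{0,127}$`)

// ErrBadName is returned for any name that fails validation.
var ErrBadName = errors.New("invalid volume name")

// ResolveVolumePath maps an untrusted volume name to a directory that is a
// direct child of root. The check is lexical only: it does not resolve
// symlinks that may already exist under root.
func ResolveVolumePath(root, name string) (string, error) {
	if !nameRE.MatchString(name) {
		return "", fmt.Errorf("%w: %q", ErrBadName, name)
	}
	cleanRoot := filepath.Clean(root)
	p := filepath.Join(cleanRoot, name)
	// Defense in depth: the joined path must still be exactly root/name.
	rel, err := filepath.Rel(cleanRoot, p)
	if err != nil || rel != name {
		return "", fmt.Errorf("%w: %q escapes %s", ErrBadName, name, cleanRoot)
	}
	return p, nil
}

func main() {
	// Constructed sample names, as they might arrive in a mount request.
	for _, n := range []string{"data.v1", "../etc", "a/b", "/etc/passwd", ".."} {
		p, err := ResolveVolumePath(volumeRoot, n)
		if err != nil {
			fmt.Printf("%-14q rejected: %v\n", n, err)
			continue
		}
		fmt.Printf("%-14q -> %s\n", n, p)
	}
}
```

A driver's `Mount` method would call a check like this on `req.Name` and return the error, which the handler shown above already turns into an error response.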