dockerfile.best-practice.prefer-copy-over-add.prefer-copy-over-add

Author: semgrep

The ADD command will accept and include files from a URL and automatically extract archives. This potentially exposes the container to a man-in-the-middle attack or other attacks if a malicious actor can tamper with the source archive. Since ADD can have this and other unexpected side effects, the use of the more explicit COPY command is preferred.

Definition

rules:
  - id: prefer-copy-over-add
    severity: INFO
    languages:
      - dockerfile
    message: The ADD command will accept and include files from a URL and
      automatically extract archives. This potentially exposes the container to
      a man-in-the-middle attack or other attacks if a malicious actor can
      tamper with the source archive. Since ADD can have this and other
      unexpected side effects, the use of the more explicit COPY command is
      preferred.
    metadata:
      references:
        - https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html
      category: best-practice
      technology:
        - dockerfile
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    patterns:
      - pattern: |
          ADD $FROM $TO
      - metavariable-regex:
          metavariable: $FROM
          regex: (^[A-Za-z]+:\/\/|.*[.](gz|bz2|zip|tar)$)
      - focus-metavariable: $FROM

Examples

prefer-copy-over-add.dockerfile

FROM busybox

# ruleid: prefer-copy-over-add
ADD http://foo bar

# ruleid: prefer-copy-over-add
ADD https://foo bar

# ruleid: prefer-copy-over-add
ADD foo.tar.gz bar

# ruleid: prefer-copy-over-add
ADD foo.bz2 bar

# ok: prefer-copy-over-add
ADD foo bar

# ok: prefer-copy-over-add
ADD foo* /mydir/

# ok: prefer-copy-over-add
ADD hom?.txt /mydir/o

# ok: prefer-copy-over-add
ADD arr[[]0].txt /mydir/o

# ok: prefer-copy-over-add
ADD --chown=55:mygroup files* /somedir/

# ok: prefer-copy-over-add
ADD --chown=bin files* /somedir/
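The following is an added example, not part of the Semgrep rule or the registry page: a small Python checker that applies the same classification the rule's `metavariable-regex` does (source operand is a URL, or ends in one of the listed archive extensions) to the instructions of a Dockerfile, so the "ruleid" and "ok" cases above can be reproduced without Semgrep. The Dockerfile content is constructed for the example; handling of ADD's own flags (`--chown` and similar), backslash line continuations and the remediation text are assumptions of this example, and the JSON/exec form `ADD ["src", "dst"]` is deliberately not handled.

```python
import re
import sys
from typing import Iterator, List, NamedTuple, Tuple

# Same regex the Semgrep rule applies to the $FROM metavariable:
# a URL scheme prefix, or a path ending in a common archive extension.
SOURCE_RE = re.compile(r"(^[A-Za-z]+://|.*[.](gz|bz2|zip|tar)$)")
URL_RE = re.compile(r"^[A-Za-z]+://")


class Finding(NamedTuple):
    line_no: int      # 1-based line where the ADD instruction starts
    source: str       # the offending source operand
    remediation: str  # defender-oriented replacement for the ADD


def _logical_lines(text: str) -> Iterator[Tuple[int, str]]:
    """Yield (line_no, instruction), joining backslash continuations and
    dropping blank and comment lines (constructed parser, not Docker's)."""
    buf: List[str] = []
    start = 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not buf:
            start = no
        if line.endswith("\\"):
            buf.append(line[:-1].rstrip())
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf = []
    if buf:
        yield start, " ".join(buf)


def _remediation(source: str) -> str:
    # Assumed guidance matching the rule's message: make the fetch and the
    # extraction explicit so they can be reviewed and checksum-verified.
    if URL_RE.match(source):
        return ("download in a RUN step (curl/wget), verify a pinned checksum, "
                "and extract explicitly instead of ADD from a URL")
    return "COPY the archive and extract it in an explicit RUN step"


def find_add_violations(dockerfile: str) -> List[Finding]:
    """Return one Finding per ADD source operand that matches SOURCE_RE."""
    findings: List[Finding] = []
    for line_no, instr in _logical_lines(dockerfile):
        tokens = instr.split()
        if not tokens or tokens[0].upper() != "ADD":
            continue
        # Drop ADD's own flags (--chown, --chmod, --link, ...); what remains
        # is one or more sources followed by the destination.
        args = [t for t in tokens[1:] if not t.startswith("--")]
        if len(args) < 2 or args[0].startswith("["):
            continue  # too short, or JSON form (not handled in this example)
        for src in args[:-1]:
            if SOURCE_RE.match(src):
                findings.append(Finding(line_no, src, _remediation(src)))
    return findings


# Constructed sample: the page's test cases plus a continuation-line ADD and
# a COPY of an archive, which is not flagged because COPY never extracts.
SAMPLE_DOCKERFILE = """\
FROM busybox
ADD http://foo bar
ADD https://foo bar
ADD foo.tar.gz bar
ADD foo.bz2 bar
ADD foo bar
ADD foo* /mydir/
ADD hom?.txt /mydir/o
ADD arr[[]0].txt /mydir/o
ADD --chown=55:mygroup files* /somedir/
ADD --chown=bin files* /somedir/
ADD --chown=bin \\
    release.zip /opt/
COPY release.tar.gz /opt/
"""


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DOCKERFILE
    for f in find_add_violations(text):
        print(f"line {f.line_no}: ADD {f.source!r} -> {f.remediation}")
```

Run it with a Dockerfile path as the only argument, or with no argument to check the embedded sample; the four "ruleid" cases from the page and the continuation-line ADD are reported, while the glob, bracket and `--chown` cases and the COPY line are not.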