python.docker.security.audit.docker-arbitrary-container-run.docker-arbitrary-container-run

Author: semgrep
Download count: 1,201

If unverified user data can reach the `run` or `create` method of a Docker client, it can result in running an arbitrary container. The rule matches any `containers.run()` or `containers.create()` call on a client obtained from `docker.from_env()` or `docker.DockerClient(...)` whose first argument (the image) is not a string literal. Note what that does and does not cover: a variable holding a trusted constant still triggers a finding (hence the LOW confidence), and a literal image name does not make the call safe on its own, because the remaining arguments (command, volumes, privileged, network settings) are not examined.


Definition

rules:
  - id: docker-arbitrary-container-run
    patterns:
      - pattern-either:
          - pattern-inside: |
              $CLIENT = docker.from_env()
              ...
          - pattern-inside: |
              $CLIENT = docker.DockerClient(...)
              ...
      - pattern-either:
          - pattern: |
              $CLIENT.containers.run(...)
          - pattern: |
              $CLIENT.containers.create(...)
      - pattern-not: |
          $CLIENT.containers.run("...",...)
      - pattern-not: |
          $CLIENT.containers.create("...",...)
    message: If unverified user data can reach the `run` or `create` method it can
      result in running arbitrary container.
    languages:
      - python
    severity: WARNING
    metadata:
      cwe:
        - "CWE-250: Execution with Unnecessary Privileges"
      category: security
      technology:
        - docker
      references:
        - https://cwe.mitre.org/data/definitions/250.html
      subcategory:
        - audit
      likelihood: LOW
      impact: HIGH
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authorization

Examples

docker-arbitrary-container-run.py

import docker
client = docker.from_env()

def bad1(user_input):
    # ruleid: docker-arbitrary-container-run
    client.containers.run(user_input, 'echo hello world')

def bad2(user_input):
    # ruleid: docker-arbitrary-container-run
    client.containers.create(user_input, 'echo hello world')

def ok1():
    # ok: docker-arbitrary-container-run
    client.containers.run("alpine", 'echo hello world')

def ok2():
    # ok: docker-arbitrary-container-run
    client.containers.create("alpine", 'echo hello world')
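The rule's test file above only shows the flagged and unflagged shapes. The following is an added example (not part of the Semgrep rule or the Docker SDK) of how the flagged pattern is usually fixed: the user-supplied image name is resolved through a fixed allowlist of pinned digests before it reaches `containers.run()`, and the other container options are set by the application rather than the caller. `FakeClient`/`FakeContainers` are stand-ins for `docker.from_env()` so the file runs without a Docker daemon, and the digests in `ALLOWED_IMAGES` are placeholders; the keyword arguments passed to `run()` are real `containers.run()` parameters.

```python
"""Hardened counterpart to the pattern the rule flags.

Added example, not code from the Semgrep rule or the docker SDK. The
FakeClient/FakeContainers stubs replace docker.from_env() so this runs
offline; the sha256 digests in ALLOWED_IMAGES are placeholders.
"""
import re

# Hypothetical allowlist: short names the application exposes to users,
# mapped to immutable references (repo@sha256:...) so a mutable tag such
# as ":latest" cannot be re-pointed at a different image later.
ALLOWED_IMAGES = {
    "alpine": "alpine@sha256:" + "0" * 64,
    "python": "python@sha256:" + "1" * 64,
}

# Only plain short names are even looked up; registries, paths and tags
# are rejected before the dictionary is consulted.
_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9._-]{0,63}$")


class FakeContainers:
    """Stand-in for client.containers; records what it was asked to run."""

    def __init__(self):
        self.calls = []

    def run(self, image, command=None, **kwargs):
        self.calls.append((image, command, kwargs))
        return f"container({image})"


class FakeClient:
    """Stand-in for the object returned by docker.from_env()."""

    def __init__(self):
        self.containers = FakeContainers()


def run_user_image_unsafe(client, user_image):
    """The shape the rule flags: request data is the image argument."""
    return client.containers.run(user_image, "echo hello world")


def resolve_image(requested):
    """Map a user-chosen short name to a pinned digest, or refuse."""
    if not isinstance(requested, str) or not _NAME_RE.match(requested):
        raise ValueError("malformed image name")
    try:
        return ALLOWED_IMAGES[requested]
    except KeyError:
        raise ValueError(f"image {requested!r} is not on the allowlist") from None


def run_user_image_safe(client, requested):
    """Same call, but only an allowlisted digest ever reaches run()."""
    image = resolve_image(requested)
    # Everything else is fixed by the application, not by the caller.
    return client.containers.run(
        image,
        "echo hello world",
        network_mode="none",  # no network unless the workload needs it
        read_only=True,       # read-only root filesystem
        cap_drop=["ALL"],     # drop all Linux capabilities
        mem_limit="128m",
    )


if __name__ == "__main__":
    c = FakeClient()
    print(run_user_image_safe(c, "alpine"))
    for bad in ("evil.example/registry:latest", "alpine; rm -rf /", "../../x"):
        try:
            run_user_image_safe(c, bad)
        except ValueError as e:
            print("rejected:", e)
```

Semgrep still reports `run_user_image_safe`, because `image` is a variable rather than a string literal; that is the audit-rule trade-off the LOW confidence rating describes, and the finding is closed by review rather than by rewriting the call.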