cp copy-out sibling-directory escapeA process inside a running container can race a host-initiated
docker cp copy-out so that a container-controlled file is
written into a host directory next to — but outside of
— the destination the operator actually named.
1. Containment by raw string prefix. The host-side extractor
keeps symlink targets "inside" the destination with a string-prefix test.
pulled2 passes the check against pulled — it
only starts with the same characters, it is not actually inside.
2. The archive is built from the live tree. The daemon walks the container's live filesystem to build the copy-out tar. Swapping a directory leaf into a symlink mid-walk smuggles the symlink and the files beneath it into one tar; extraction writes them through the symlink into the sibling directory.
git clone https://github.com/ajtazer/docker-cp-copyout-sibling-escape
cd docker-cp-copyout-sibling-escape
chmod +x reproduce.sh
WORK_ROOT=/tmp/copyout-escape-repro ./reproduce.sh
A successful run reports success=yes and an
escape_marker_path under the sibling pulled2
directory. The race is timing dependent; raise PAD_COUNT on a
busy host.
strings.HasPrefix.openat2 with
RESOLVE_BENEATH) so attacker-supplied symlinks cannot be
followed out of the extraction root.docker cp copy-out from containers whose contents are
controlled by an untrusted party.