Upload dockerd socket mount detection rule and test file (#3360)

* Upload dockerd socket mount detection rule and test file * Update dockerd-socket-mount.dockerfile * Update documentbuilderfactory-disallow-doctype-decl-missing.yaml Update the rule for checking if FEATURE_SECURE_PROCESSING is set to TRUE for DocumentBuilderFactory object. * Revert "Update documentbuilderfactory-disallow-doctype-decl-missing.yaml" This reverts commit c1e2281. --------- Co-authored-by: Pieter De Cremer (Semgrep) <pieter@r2c.dev>
semgrep · Sep 19, 2024 · 7427b82 · 7427b82
1 parent 6d1b466
commit 7427b82
Show file tree

Hide file tree

Showing 2 changed files with 47 additions and 0 deletions.
diff --git a/dockerfile/security/dockerd-socket-mount.dockerfile b/dockerfile/security/dockerd-socket-mount.dockerfile
@@ -0,0 +1,11 @@
+FROM docker:latest
+
+WORKDIR /app
+
+# ruleid: dockerfile-dockerd-socket-mount
+VOLUME /var/run/docker.sock:/var/run/docker.sock
+
+# ok: dockerfile-dockerd-socket-mount
+VOLUME ./app/main.py:/main.py
+
+CMD ["docker", "images"]
diff --git a/dockerfile/security/dockerd-socket-mount.yaml b/dockerfile/security/dockerd-socket-mount.yaml
@@ -0,0 +1,36 @@
+rules:
+  - id: dockerfile-dockerd-socket-mount
+    message: >-
+        The Dockerfile(image) mounts docker.sock to the container which may allow an attacker already inside of the container
+        to escape container and execute arbitrary commands on the host machine.
+    languages:
+      - dockerfile
+      - yaml
+    severity: ERROR
+    metadata:
+      cwe:
+        - "CWE-862: Missing Authorization"
+        - "CWE-269: Improper Privilege Management"
+      confidence: HIGH
+      likelihood: MEDIUM
+      impact: HIGH
+      subcategory:
+        - audit
+      technology:
+        - dockerfile
+      category: security
+      references:
+        - https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html
+        - https://redfoxsec.com/blog/insecure-volume-mounts-in-docker/
+        - https://blog.quarkslab.com/why-is-exposing-the-docker-socket-a-really-bad-idea.html
+    pattern-either:
+      - patterns:
+        - pattern: VOLUME $X
+        - metavariable-regex:
+            metavariable: $X
+            regex: "/var/run/docker.sock"
+      - patterns:
+        - pattern-regex: '- "/var/run/docker.sock:.*"'
+        - pattern-inside: |
+            volumes:
+              ...