Skip to content

Commit a3d4dd5

Browse files
kradalbykradalby
committed
streamlocal: document security considerations for Simple callbacks
SimpleUnixLocalForwardingCallback and SimpleUnixReverseForwardingCallback perform no validation on client-supplied socket paths. A malicious client can request forwarding to arbitrary paths, which in the reverse case causes directory creation (MkdirAll), file deletion (unlink), and socket binding at the requested path. Add prominent documentation warnings that these helpers are intended for trusted environments and that production deployments should implement custom callbacks with path validation and access control. Updates gliderlabs#196
1 parent a67d573 commit a3d4dd5

1 file changed

Lines changed: 12 additions & 0 deletions

File tree

streamlocal.go

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -254,6 +254,12 @@ func unlink(path string) error {
254254
// SimpleUnixLocalForwardingCallback provides a basic implementation for
255255
// LocalUnixForwardingCallback. It will simply dial the requested socket using
256256
// a context-aware dialer.
257+
//
258+
// WARNING: this callback performs no validation on the socket path. A
259+
// malicious client can request forwarding to any Unix socket the server
260+
// process can access (e.g. /var/run/docker.sock). Production deployments
261+
// should implement a custom callback with path validation and access
262+
// control.
257263
func SimpleUnixLocalForwardingCallback(ctx Context, socketPath string) (net.Conn, error) {
258264
var d net.Dialer
259265
return d.DialContext(ctx, "unix", socketPath)
@@ -262,6 +268,12 @@ func SimpleUnixLocalForwardingCallback(ctx Context, socketPath string) (net.Conn
262268
// SimpleUnixReverseForwardingCallback provides a basic implementation for
263269
// ReverseUnixForwardingCallback. The parent directory will be created (with
264270
// os.MkdirAll), and existing files with the same name will be removed.
271+
//
272+
// WARNING: this callback performs no validation on the client-supplied
273+
// socket path. It will create parent directories, unlink existing files,
274+
// and bind a socket at any path the server process can write to.
275+
// Production deployments should implement a custom callback with path
276+
// validation, access control, and appropriate socket permissions.
265277
func SimpleUnixReverseForwardingCallback(ctx Context, socketPath string) (net.Listener, error) {
266278
// Create socket parent dir if not exists.
267279
parentDir := filepath.Dir(socketPath)

0 commit comments

Comments
 (0)