From 92ec260969e48b97c533c620a81e08ddef69a21c Mon Sep 17 00:00:00 2001 From: SirBroccoli Date: Sat, 25 Oct 2025 17:38:18 +0200 Subject: [PATCH] Update docker-build-context-abuse.md --- .../docker-build-context-abuse.md | 15 --------------- 1 file changed, 15 deletions(-) diff --git a/src/pentesting-ci-cd/docker-build-context-abuse.md b/src/pentesting-ci-cd/docker-build-context-abuse.md index 52075b204..bbd6bf947 100644 --- a/src/pentesting-ci-cd/docker-build-context-abuse.md +++ b/src/pentesting-ci-cd/docker-build-context-abuse.md @@ -101,21 +101,6 @@ curl -s -X POST -H "Authorization: Bearer fm2_..." \ Captured requests often contain client credentials in headers, bodies, or query params. -## Detection ideas - -- Flag suspicious build contexts ("..", absolute paths, or paths escaping the repo root). -- Build logs showing COPY of non-repo paths or network egress during build (curl, wget) from Dockerfile RUN. -- Control-plane audit anomalies (e.g., spikes in exec calls, package installs like apk add tcpdump). -- Egress monitoring from builder hosts and hosted servers. - -## Mitigations - -- Canonicalize and constrain build contexts to the repository root (disallow ".." and absolute paths). Allow-list subpaths only. -- Mount a minimal, read-only build context; run builds in ephemeral, sandboxed builders with least-privilege. -- Separate credentials and scope them narrowly (registry vs control-plane). Prefer short-lived tokens and automatic rotation. -- Restrict egress from build steps and from hosted servers; block unsolid outbound exfiltration. -- Prefer OAuth with narrow scopes and short lifetimes for client-to-server authentication, reducing blast radius. - ## References - [Breaking MCP Server Hosting: Build-Context Path Traversal to Org-wide RCE and Secret Theft](https://blog.gitguardian.com/breaking-mcp-server-hosting/)
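Review bot: The deletion of the "## Detection ideas" and "## Mitigations" sections (the 15 removed lines between the "Captured requests often contain client credentials" paragraph and "## References") is not explained by the subject "Update docker-build-context-abuse.md". After this change the page goes straight from the captured-credentials paragraph to the references, with no detection or mitigation guidance for the build-context path problem it describes. Please state in the commit message why these sections are dropped or where the content now lives. If the goal was cleanup, consider keeping the sections and fixing the wording instead: "block unsolid outbound exfiltration" looks like a typo, and the bullet on constraining build contexts to the repository root (disallowing ".." and absolute paths) is the most direct countermeasure on the page.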