mirror of
https://github.com/HackTricks-wiki/hacktricks-cloud.git
synced 2025-12-05 20:40:18 -08:00
Update docker-build-context-abuse.md
This commit is contained in:
SirBroccoli
@@ -101,21 +101,6 @@ curl -s -X POST -H "Authorization: Bearer fm2_..." \
|
|||||||
|
|
||||||
Captured requests often contain client credentials in headers, bodies, or query params.
|
Captured requests often contain client credentials in headers, bodies, or query params.
|
||||||
|
|
||||||
## Detection ideas
|
|
||||||
|
|
||||||
- Flag suspicious build contexts ("..", absolute paths, or paths escaping the repo root).
|
|
||||||
- Build logs showing COPY of non-repo paths or network egress during build (curl, wget) from Dockerfile RUN.
|
|
||||||
- Control-plane audit anomalies (e.g., spikes in exec calls, package installs like apk add tcpdump).
|
|
||||||
- Egress monitoring from builder hosts and hosted servers.
|
|
||||||
|
|
||||||
## Mitigations
|
|
||||||
|
|
||||||
- Canonicalize and constrain build contexts to the repository root (disallow ".." and absolute paths). Allow-list subpaths only.
|
|
||||||
- Mount a minimal, read-only build context; run builds in ephemeral, sandboxed builders with least-privilege.
|
|
||||||
- Separate credentials and scope them narrowly (registry vs control-plane). Prefer short-lived tokens and automatic rotation.
|
|
||||||
- Restrict egress from build steps and from hosted servers; block unsolid outbound exfiltration.
|
|
||||||
- Prefer OAuth with narrow scopes and short lifetimes for client-to-server authentication, reducing blast radius.
|
|
||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
||||||
- [Breaking MCP Server Hosting: Build-Context Path Traversal to Org-wide RCE and Secret Theft](https://blog.gitguardian.com/breaking-mcp-server-hosting/)
|
- [Breaking MCP Server Hosting: Build-Context Path Traversal to Org-wide RCE and Secret Theft](https://blog.gitguardian.com/breaking-mcp-server-hosting/)
|
||||||
|
|||||||
Reference in New Issue
Block a user