Update docker-build-context-abuse.md

2025-12-05 20:40:18 -08:00 · 2025-10-25 17:38:18 +02:00
parent 1c91bb9cf9
commit 92ec260969
1 changed files with 0 additions and 15 deletions
--- a/src/pentesting-ci-cd/docker-build-context-abuse.md
+++ b/src/pentesting-ci-cd/docker-build-context-abuse.md
@@ -101,21 +101,6 @@ curl -s -X POST -H "Authorization: Bearer fm2_..." \

 Captured requests often contain client credentials in headers, bodies, or query params.

-## Detection ideas
-
- Flag suspicious build contexts ("..", absolute paths, or paths escaping the repo root).
- Build logs showing COPY of non-repo paths or network egress during build (curl, wget) from Dockerfile RUN.
- Control-plane audit anomalies (e.g., spikes in exec calls, package installs like apk add tcpdump).
- Egress monitoring from builder hosts and hosted servers.
-
-## Mitigations
-
- Canonicalize and constrain build contexts to the repository root (disallow ".." and absolute paths). Allow-list subpaths only.
- Mount a minimal, read-only build context; run builds in ephemeral, sandboxed builders with least-privilege.
- Separate credentials and scope them narrowly (registry vs control-plane). Prefer short-lived tokens and automatic rotation.
- Restrict egress from build steps and from hosted servers; block unsolid outbound exfiltration.
- Prefer OAuth with narrow scopes and short lifetimes for client-to-server authentication, reducing blast radius.
-
 ## References

 - [Breaking MCP Server Hosting: Build-Context Path Traversal to Org-wide RCE and Secret Theft](https://blog.gitguardian.com/breaking-mcp-server-hosting/)