Skip to content

Validate credential store name before process execution#978

Merged
dmandalidis merged 3 commits intomainfrom
copilot/fix-security-vulnerabilities
Mar 26, 2026
Merged

Validate credential store name before process execution#978
dmandalidis merged 3 commits intomainfrom
copilot/fix-security-vulnerabilities

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented Mar 25, 2026
edited
Loading

SystemCredentialHelperDelegate passed the credsStore value from ~/.docker/config.json directly into ProcessBuilder without validation, allowing path traversal via a crafted config (e.g., credsStore: "../../usr/bin/evil") to execute arbitrary binaries.

Changes

  • SystemCredentialHelperDelegate: Added input validation on credsStore before constructing the executable name. Only [a-zA-Z0-9_-]+ is accepted; anything else throws IOException.
// Before — no validation
return new ProcessBuilder("docker-credential-" + credsStore, subcommand).start();

// After — reject anything that isn't a plain helper name
if (!VALID_CREDS_STORE_PATTERN.matcher(credsStore).matches()) {
    throw new IOException("Invalid credential store name: " + credsStore);
}
return new ProcessBuilder("docker-credential-" + credsStore, subcommand).start();
  • SystemCredentialHelperDelegateTest: Added tests covering path traversal (../../usr/bin/evil) and shell metacharacter injection across all four operations (get, store, erase, list).

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • 240.0.0.1
    • Triggering command: /usr/lib/jvm/temurin-17-jdk-amd64/bin/java /usr/lib/jvm/temurin-17-jdk-amd64/bin/java -javaagent:/home/REDACTED/.m2/repository/org/jacoco/org.jacoco.agent/0.8.14/org.jacoco.agent-0.8.14-runtime.jar=destfile=/home/REDACTED/work/docker-client/docker-client/target/jacoco.exec -jar /home/REDACTED/work/docker-client/docker-client/target/surefire/surefirebooter-20260325082914938_3.jar /home/REDACTED/work/docker-client/docker-client/target/surefire 2026-03-25T08-29-14_531-jvmRun1 surefire-20260325082914938_1tmp surefire_0-20260325082914938_2tmp (packet block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

find and fix security vulnerabilities

💬 Send tasks to Copilot coding agent from Slack and Teams to turn conversations into code. Copilot posts an update in your thread when it's finished.

Copilot AI changed the title [WIP] Fix security vulnerabilities in the codebase Validate credential store name before process execution Mar 25, 2026
Copilot AI requested a review from dmandalidis March 25, 2026 08:37
@dmandalidis dmandalidis marked this pull request as ready for review March 26, 2026 09:12
@dmandalidis dmandalidis merged commit f7060bd into main Mar 26, 2026
3 checks passed
@dmandalidis dmandalidis deleted the copilot/fix-security-vulnerabilities branch March 26, 2026 09:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@dmandalidis dmandalidis dmandalidis approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@dmandalidis dmandalidis

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@dmandalidis