fix(api): prevent the use of bind mounts in stacks if setting enabled (#3232)

2025-07-19 13:29:41 +02:00 · 2019-10-07 16:12:21 +13:00 · 2019-10-07 16:12:21 +13:00 · fb6f6738d9
commit fb6f6738d9
parent f7480c4ad4
6 changed files with 97 additions and 5 deletions
--- a/api/http/handler/stacks/stack_create.go
+++ b/api/http/handler/stacks/stack_create.go
@ -5,6 +5,9 @@ import (
 	"log"
 	"net/http"

+	"github.com/docker/cli/cli/compose/types"
+
+	"github.com/docker/cli/cli/compose/loader"
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/portainer/api"
@ -87,3 +90,38 @@ func (handler *Handler) createSwarmStack(w http.ResponseWriter, r *http.Request,

 	return &httperror.HandlerError{http.StatusBadRequest, "Invalid value for query parameter: method. Value must be one of: string, repository or file", errors.New(request.ErrInvalidQueryParameter)}
 }
+
+func (handler *Handler) isValidStackFile(stackFileContent []byte) (bool, error) {
+	composeConfigYAML, err := loader.ParseYAML(stackFileContent)
+	if err != nil {
+		return false, err
+	}
+
+	composeConfigFile := types.ConfigFile{
+		Config: composeConfigYAML,
+	}
+
+	composeConfigDetails := types.ConfigDetails{
+		ConfigFiles: []types.ConfigFile{composeConfigFile},
+		Environment: map[string]string{},
+	}
+
+	composeConfig, err := loader.Load(composeConfigDetails, func(options *loader.Options) {
+		options.SkipValidation = true
+		options.SkipInterpolation = true
+	})
+	if err != nil {
+		return false, err
+	}
+
+	for key := range composeConfig.Services {
+		service := composeConfig.Services[key]
+		for _, volume := range service.Volumes {
+			if volume.Type == "bind" {
+				return false, nil
+			}
+		}
+	}
+
+	return true, nil
+}