From 34dfa67eacd276af6dcf2c5c58fd9bd1c3f55d73 Mon Sep 17 00:00:00 2001
From: Gaetan de Villele <gdevillele@gmail.com>
Date: Fri, 5 May 2017 09:37:06 -0700
Subject: [PATCH] daemon refuses unknown filters in prune functions

- container prune
- volume prune
- image prune
- network prune

Signed-off-by: Gaetan de Villele <gdevillele@gmail.com>
Upstream-commit: 71760ae648e0597cb7c0f33b67fee55807c7293e
Component: engine
---
 components/engine/daemon/prune.go | 47 ++++++++++++++++++++++++++++++-
 1 file changed, 46 insertions(+), 1 deletion(-)

diff --git a/components/engine/daemon/prune.go b/components/engine/daemon/prune.go
index 7b8895946e..4fa6d94624 100644
--- a/components/engine/daemon/prune.go
+++ b/components/engine/daemon/prune.go
@@ -25,6 +25,27 @@ var (
 	// ErrPruneRunning is returned when a prune request is received while
 	// one is in progress
 	ErrPruneRunning = fmt.Errorf("a prune operation is already running")
+
+	containersAcceptedFilters = map[string]bool{
+		"label":  true,
+		"label!": true,
+		"until":  true,
+	}
+	volumesAcceptedFilters = map[string]bool{
+		"label":  true,
+		"label!": true,
+	}
+	imagesAcceptedFilters = map[string]bool{
+		"dangling": true,
+		"label":    true,
+		"label!":   true,
+		"until":    true,
+	}
+	networksAcceptedFilters = map[string]bool{
+		"label":  true,
+		"label!": true,
+		"until":  true,
+	}
 )
 
 // ContainersPrune removes unused containers
@@ -36,6 +57,12 @@ func (daemon *Daemon) ContainersPrune(ctx context.Context, pruneFilters filters.
 
 	rep := &types.ContainersPruneReport{}
 
+	// make sure that only accepted filters have been received
+	err := pruneFilters.Validate(containersAcceptedFilters)
+	if err != nil {
+		return nil, err
+	}
+
 	until, err := getUntilFromPruneFilters(pruneFilters)
 	if err != nil {
 		return nil, err
@@ -81,6 +108,12 @@ func (daemon *Daemon) VolumesPrune(ctx context.Context, pruneFilters filters.Arg
 	}
 	defer atomic.StoreInt32(&daemon.pruneRunning, 0)
 
+	// make sure that only accepted filters have been received
+	err := pruneFilters.Validate(volumesAcceptedFilters)
+	if err != nil {
+		return nil, err
+	}
+
 	rep := &types.VolumesPruneReport{}
 
 	pruneVols := func(v volume.Volume) error {
@@ -117,7 +150,7 @@ func (daemon *Daemon) VolumesPrune(ctx context.Context, pruneFilters filters.Arg
 		return nil
 	}
 
-	err := daemon.traverseLocalVolumes(pruneVols)
+	err = daemon.traverseLocalVolumes(pruneVols)
 
 	return rep, err
 }
@@ -129,6 +162,12 @@ func (daemon *Daemon) ImagesPrune(ctx context.Context, pruneFilters filters.Args
 	}
 	defer atomic.StoreInt32(&daemon.pruneRunning, 0)
 
+	// make sure that only accepted filters have been received
+	err := pruneFilters.Validate(imagesAcceptedFilters)
+	if err != nil {
+		return nil, err
+	}
+
 	rep := &types.ImagesPruneReport{}
 
 	danglingOnly := true
@@ -357,6 +396,12 @@ func (daemon *Daemon) NetworksPrune(ctx context.Context, pruneFilters filters.Ar
 	}
 	defer atomic.StoreInt32(&daemon.pruneRunning, 0)
 
+	// make sure that only accepted filters have been received
+	err := pruneFilters.Validate(networksAcceptedFilters)
+	if err != nil {
+		return nil, err
+	}
+
 	if _, err := getUntilFromPruneFilters(pruneFilters); err != nil {
 		return nil, err
 	}