louislam / dockge

A fancy, easy-to-use and reactive self-hosted docker compose.yaml stack-oriented manager
https://dockge.kuma.pet
MIT License
10.61k stars 293 forks

Allowed console commands can be easily bypassed #483

Open AlexPewMaster opened 3 months ago

AlexPewMaster commented 3 months ago

⚠️ Please verify that this bug has NOT been reported before.

πŸ›‘οΈ Security Policy

Description

Hi, I've recently discovered that the allowed console commands can be easily bypassed. The current allowed console commands are docker, ls, cd and dir. However, these can be easily bypassed by adding && <YOUR OTHER COMMAND> after one of the allowed commands. For example, if I want to run history, I could easily execute ls && history. In my eyes, this could be a potential security risk.

👟 Reproduction steps

  1. Go to the Dockge dashboard (standard landing page)
  2. Click on "Console" at the top-right
  3. Enter an allowed console command and add && YOUR_COMMAND, replacing YOUR_COMMAND with the command you wish to execute. For example: ls && history
  4. See successful execution.

👀 Expected behavior

The command after && should be rejected.

😓 Actual Behavior

The command after && gets executed successfully.

Dockge Version

1.4.2

💻 Operating System and Arch

Fedora Linux 39 arm64

🌐 Browser

LibreWolf 124.0.1-1

πŸ‹ Docker Version

Docker 26.0.0

🟩 NodeJS Version

No response

πŸ“ Relevant log output

root@f8d00b415b7a:/opt/stacks# cd . && echo "This shouldn't work"
This shouldn't work
root@f8d00b415b7a:/opt/stacks#
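The bypass reported above, as an added example that is not part of the original issue and is not Dockge's code: a first-word allowlist check beside a stricter one that parses the line into an argv array and rejects shell operators, so the result can be run without a shell. The function names and the sample `docker ps` line are assumptions made for illustration.

```javascript
// Added example, not Dockge's code. The allowlist mirrors the commands named in the issue.
const ALLOWED = new Set(["docker", "ls", "cd", "dir"]);

// Weak pattern: inspect only the first word, then hand the whole line to a shell.
function naiveIsAllowed(line) {
  return ALLOWED.has(line.trim().split(/\s+/)[0]);
}

// Outside quotes these characters chain, substitute, redirect or expand in a shell.
const SHELL_META = /[;&|`$(){}<>\\\r\n*?~!#[\]]/;

// Stricter pattern: parse the line into argv (or throw) so it can be run
// without a shell, e.g. child_process.execFile(argv[0], argv.slice(1)).
// Note: cd is a shell builtin, so a caller would track the working directory itself.
function parseToArgv(line) {
  const argv = [];
  let cur = "", quote = null, open = false;
  for (const ch of line) {
    if (quote) {                       // inside quotes: characters are literal,
      if (ch === quote) quote = null;  // which is safe only because no shell runs
      else cur += ch;
    } else if (ch === '"' || ch === "'") {
      quote = ch; open = true;         // open=true keeps an empty "" as an argument
    } else if (SHELL_META.test(ch)) {
      throw new Error(`shell metacharacter ${JSON.stringify(ch)} rejected`);
    } else if (/\s/.test(ch)) {
      if (open) argv.push(cur);
      cur = ""; open = false;
    } else {
      cur += ch; open = true;
    }
  }
  if (quote) throw new Error("unterminated quote");
  if (open) argv.push(cur);
  if (argv.length === 0 || !ALLOWED.has(argv[0])) {
    throw new Error(`command not allowed: ${argv[0] ?? "(empty)"}`);
  }
  return argv;
}

// Constructed inputs; the first two are the lines shown in the issue.
function check(line) {
  let strict;
  try { strict = parseToArgv(line); } catch (e) { strict = e.message; }
  return { naive: naiveIsAllowed(line), strict };
}
for (const l of ["ls && history", 'cd . && echo "This shouldn\'t work"', 'docker ps --filter "name=web app"']) {
  console.log(JSON.stringify(l), check(l));
}
```

Parsing this way closes the chaining bypass only; as a later comment in this thread explains, an allowed `docker` command can still control the host.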

dswd commented 3 months ago

There are many such patterns:

There surely exist many more.

truthsword commented 2 months ago

Obviously I don't understand this constraint. I've found this “feature” helpful. What is the security concern beyond the container?

dswd commented 2 months ago

> Obviously I don't understand this constraint. I've found this “feature” helpful. What is the security concern beyond the container?

The Dockge container needs access to the docker daemon of the host in order to work. If you can control docker, you can control the host (you can mount any path you want and use it with root permissions). So any security issue in this container like the reported one automatically affects the host as well.

truthsword commented 2 months ago

Thanks. I “assumed” this was the same as running the bash terminal on the managed containers.

eliaspizarro commented 2 months ago

Suggest allowing any command and adding a disable bash option.

LorneCash commented 3 weeks ago

PLEASE DON'T FIX THIS until you add a way to authenticate with at least Docker Hub (to avoid the rate limit when updating containers). I was able to use this "exploit" to authenticate. For me personally, I'd just say remove the limitation altogether, but I understand why some people would want it. Please consider adding a configuration option to allow unrestricted access for those of us that this security issue is not a concern for.

On a side note I'm not really sure why this command was not allowed since it is a docker command: docker login -u your-username -p your-password