Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allowed console commands can be easily bypassed #483

Open
2 tasks done
AlexPewMaster opened this issue Apr 8, 2024 · 6 comments
Open
2 tasks done

Allowed console commands can be easily bypassed #483

AlexPewMaster opened this issue Apr 8, 2024 · 6 comments
Labels
bug Something isn't working

Comments

@AlexPewMaster
Copy link

AlexPewMaster commented Apr 8, 2024
edited
Loading

⚠️ Please verify that this bug has NOT been reported before.

  • I checked and didn't find similar issue

🛡️ Security Policy

Description

Hi, I've recently discovered that the allowed console commands can be easily bypassed. The current allowed console commands are docker, ls, cd and dir. However, these can be easily bypassed by adding && <YOUR OTHER COMMAND> after one of the allowed commands. For example, if I want to run history, I could easily execute ls && history. In my eyes, this could be a potential security risk.

👟 Reproduction steps

  1. Go to the Dockge dashboard (standard landing page)
  2. Click on "Console" at the top-right
  3. Enter an allowed console command and add && YOUR_COMMAND, replacing YOUR_COMMAND with the command you wish to execute. For example: ls && history
  4. See successful execution.

👀 Expected behavior

The command after && should be rejected.

😓 Actual Behavior

The command after && gets executed successfully.

Dockge Version

1.4.2

💻 Operating System and Arch

Fedora Linux 39 arm64

🌐 Browser

LibreWolf 124.0.1-1

🐋 Docker Version

Docker 26.0.0

🟩 NodeJS Version

No response

📝 Relevant log output

root@f8d00b415b7a:/opt/stacks# cd . && echo "This shouldn't work"
This shouldn't work
root@f8d00b415b7a:/opt/stacks#
@AlexPewMaster AlexPewMaster added the bug Something isn't working label Apr 8, 2024
@dswd
Copy link

dswd commented Apr 9, 2024

There are many of such patterns:

  • ls ; history
  • ls DOESNOTEXIST || history
  • ls $(history >&2)
  • ls `history >&2`

There surely exist many more.

@truthsword
Copy link

Obviously I don't understand this constraint. I've found this “feature” helpful. What is the security concern beyond the container?

@dswd
Copy link

dswd commented Apr 9, 2024

Obviously I don't understand this constraint. I've found this “feature” helpful. What is the security concern beyond the container?

The Dockge container needs access to the docker daemon of the host in order to work. If you can control docker, you can control the host (you can mount any path you want and use it with root permissions). So any security issue in this container like the reported one automatically affects the host as well.

@truthsword
Copy link

Thanks. I “assumed” this was the same as running the bash terminal on the managed containers.

@eliaspizarro
Copy link

suggest allow any command and add disable bash option.

@LorneCash
Copy link

PLEASE DON'T FIX THIS until you add a way to authenticate with at least with Docker Hub (to avoid the rate limit when updating containers). I was able to use this "exploit" to authenticate. For me personally I'd just say remove the limitation all together, but I understand why some people would want it. Please consider adding a configuration option to allow unrestricted access for those of us that this security issue is not a concern for.

On a side note I'm not really sure why this command was not allowed since it is a docker command:
docker login -u your-username -p your-password

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@dswd @eliaspizarro @truthsword @LorneCash @AlexPewMaster