Allowed console commands can be easily bypassed

Question

Allowed console commands can be easily bypassed

AlexPewMaster opened this issue 2 months ago · comments

AlexPewMaster commented 2 months ago

⚠️ Please verify that this bug has NOT been reported before.

I checked and didn't find similar issue

🛡️ Security Policy

I agree to have read this project Security Policy

Description

Hi, I've recently discovered that the allowed console commands can be easily bypassed. The current allowed console commands are docker, ls, cd and dir. However, these can be easily bypassed by adding && <YOUR OTHER COMMAND> after one of the allowed commands. For example, if I want to run history, I could easily execute ls && history. In my eyes, this could be a potential security risk.

👟 Reproduction steps

Go to the Dockge dashboard (standard landing page)
Click on "Console" at the top-right
Enter an allowed console command and add && YOUR_COMMAND, replacing YOUR_COMMAND with the command you wish to execute. For example: ls && history
See successful execution.

👀 Expected behavior

The command after && should be rejected.

😓 Actual Behavior

The command after && gets executed successfully.

Dockge Version

1.4.2

💻 Operating System and Arch

Fedora Linux 39 arm64

🌐 Browser

LibreWolf 124.0.1-1

🐋 Docker Version

Docker 26.0.0

🟩 NodeJS Version

No response

📝 Relevant log output

root@f8d00b415b7a:/opt/stacks# cd . && echo "This shouldn't work"
This shouldn't work
root@f8d00b415b7a:/opt/stacks#

dswd · Answer 1 · Tue Apr 09 2024 15:32:34 GMT+0800 (China Standard Time)

There are many of such patterns:

ls ; history
ls DOESNOTEXIST || history
ls $(history >&2)
ls `history >&2`

There surely exist many more.

truthsword · Answer 2 · Tue Apr 09 2024 23:25:01 GMT+0800 (China Standard Time)

Obviously I don't understand this constraint. I've found this “feature” helpful. What is the security concern beyond the container?

dswd · Answer 3 · Wed Apr 10 2024 03:03:27 GMT+0800 (China Standard Time)

Obviously I don't understand this constraint. I've found this “feature” helpful. What is the security concern beyond the container?

The Dockge container needs access to the docker daemon of the host in order to work. If you can control docker, you can control the host (you can mount any path you want and use it with root permissions). So any security issue in this container like the reported one automatically affects the host as well.

truthsword · Answer 4 · Wed Apr 10 2024 23:37:02 GMT+0800 (China Standard Time)

Thanks. I “assumed” this was the same as running the bash terminal on the managed containers.

Elias Pizarro Rodríguez · Answer 5 · Thu May 09 2024 11:44:22 GMT+0800 (China Standard Time)

suggest allow any command and add disable bash option.