[CHORE] docker-compose publishes all service ports on 0.0.0.0 with default credentials #150

Description

@martian56

Summary

docker-compose.yml publishes every service port using Docker's short syntax, which binds 0.0.0.0 (all host interfaces). Combined with the default credentials baked into the file (postgres/postgres, guest/guest, minioadmin/minioadmin), anyone reachable on the host's network can connect to the datastores.

Severity

Low (local-dev convenience file, but unnecessary exposure)

Affected code

  • docker-compose.yml — Postgres "15432:5432", Redis "6379:6379", RabbitMQ "5672:5672"/"15672:15672", MinIO "9000:9000"/"9001:9001" all bind all interfaces by default.

Impact

On a developer machine on an untrusted network (or if reused beyond pure local dev), the datastores are exposed with well-known default credentials.

Suggested fix

Bind published ports to loopback, e.g. "127.0.0.1:15432:5432", for each service, and add a comment noting this file is local-dev-only.
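The binding behaviour the issue describes comes from the form of the `ports:` entry itself: in Docker's short syntax, `[HOST_IP:][HOST_PORT:]CONTAINER_PORT[/PROTOCOL]`, omitting the host IP publishes on all interfaces. The following is an added example, not the project's code or the reporter's: it parses short-syntax entries, flags the ones that bind every interface, and rewrites them to the loopback form the issue proposes. The compose text is a constructed stand-in that mirrors the services named above (the real file's layout and indentation are not on the page), and the line walker assumes that two-space layout; long-syntax `ports:` entries (`target:`/`published:`) are skipped rather than parsed.

```python
"""Audit docker-compose short-syntax `ports:` entries for all-interface binding.

Added example, not the project's own code.  The compose text is a constructed
sample; the parser follows Docker's documented short syntax:
    [HOST_IP:][HOST_PORT:]CONTAINER_PORT[/PROTOCOL]
"""
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Constructed sample mirroring the services named in the issue (not the real file).
COMPOSE_BEFORE = """\
services:
  postgres:
    image: postgres:15
    environment:
      POSTGRES_PASSWORD: postgres
    ports:
      - "15432:5432"
  redis:
    image: redis:7
    ports:
      - "6379:6379"
  rabbitmq:
    image: rabbitmq:3-management
    ports:
      - "5672:5672"
      - "15672:15672"
  minio:
    image: minio/minio
    ports:
      - "9000:9000"
      - "9001:9001"
"""

ALL_INTERFACES = {None, "0.0.0.0", "::"}   # None: no host IP given, Docker uses 0.0.0.0


@dataclass(frozen=True)
class PortMapping:
    host_ip: Optional[str]      # None means Docker's default, 0.0.0.0
    host_port: Optional[str]    # None means Docker picks an ephemeral host port
    container_port: str
    protocol: str = "tcp"

    @property
    def binds_all_interfaces(self) -> bool:
        return self.host_ip in ALL_INTERFACES

    @property
    def loopback_form(self) -> str:
        """The same mapping pinned to 127.0.0.1 (the fix the issue proposes)."""
        spec = f"127.0.0.1:{self.host_port or ''}:{self.container_port}"
        return spec if self.protocol == "tcp" else f"{spec}/{self.protocol}"


def parse_short_port(spec: str) -> PortMapping:
    """Parse one short-syntax entry such as "15432:5432" or "[::1]:80:80/udp"."""
    spec = spec.strip()
    protocol = "tcp"
    if "/" in spec:
        spec, protocol = spec.rsplit("/", 1)
    m = re.match(r"^\[([^\]]+)\]:(.+)$", spec)   # bracketed IPv6 host address
    if m:
        host_ip, parts = m.group(1), m.group(2).split(":")
    else:
        parts = spec.split(":")
        host_ip = None
        if len(parts) == 3:                     # IP:HOST:CONTAINER or IP::CONTAINER
            host_ip, parts = (parts[0] or None), parts[1:]
    if len(parts) == 1:
        host_port, container_port = None, parts[0]
    elif len(parts) == 2:
        host_port, container_port = (parts[0] or None), parts[1]
    else:
        raise ValueError(f"unrecognised port spec: {spec!r}")
    if not container_port:
        raise ValueError(f"missing container port in {spec!r}")
    return PortMapping(host_ip, host_port, container_port, protocol)


def _port_lines(text: str) -> Iterator[Tuple[int, str, str]]:
    """Yield (line_index, service, spec) for each short-syntax `ports:` entry.

    Minimal walker for the two-space-indented layout above, not a YAML parser.
    """
    service, in_ports = None, False
    for i, line in enumerate(text.splitlines()):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 2 and stripped.endswith(":"):
            service, in_ports = stripped[:-1], False
        elif indent == 4:
            in_ports = stripped == "ports:"
        elif in_ports and stripped.startswith("- "):
            spec = stripped[2:].strip().strip("\"'")
            if re.match(r"^\w+:\s", spec):      # long syntax (target:/published:), skipped
                continue
            yield i, service, spec


def audit_compose(text: str) -> List[Tuple[str, str, PortMapping]]:
    """Return (service, spec, mapping) for every entry that binds all interfaces."""
    findings = []
    for _, service, spec in _port_lines(text):
        mapping = parse_short_port(spec)
        if mapping.binds_all_interfaces:
            findings.append((service, spec, mapping))
    return findings


def harden_compose(text: str) -> str:
    """Rewrite world-bound short-syntax entries to their 127.0.0.1 form."""
    lines = text.splitlines()
    for i, _, spec in _port_lines(text):
        mapping = parse_short_port(spec)
        if mapping.binds_all_interfaces:
            lines[i] = lines[i].replace(spec, mapping.loopback_form, 1)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for service, spec, mapping in audit_compose(COMPOSE_BEFORE):
        print(f"{service}: {spec!r} binds all interfaces -> use {mapping.loopback_form!r}")
    print(harden_compose(COMPOSE_BEFORE))
```

Two practical notes: `docker compose config` renders every `ports:` entry in the long form with an explicit `host_ip`, which is the authoritative check for a real file rather than this line walker; and on Linux, Docker publishes ports through its own iptables chains, so a host firewall such as ufw does not protect an entry that was left on 0.0.0.0. Keep port specs quoted, as the issue's examples are, since an unquoted `aa:bb` can be read by YAML as a base-60 number.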

Metadata

Labels

chore (Maintenance / cleanup)
