Security: lack of input validation in APIs leads to command injection #23
Comments
Thanks @retpoline for the details and the references. Will look into it asap!
Hey @rakibtg, just following up here. Did you get a chance to look into hardening the APIs to fix the command injection security issues?
@retpoline Hi, sorry for the delay. Sadly, I will not be available until this Tuesday!
Fixed the security issue with the terminal by introducing a controlled method that executes queries, in docker-web-gui/backend/utilities/terminal.js (lines 18 to 76 in 79cdc41).
Let me know your opinion! Thanks.
CVE-2021-27886 was assigned to this issue.
For example, making GET requests such as the following results in arbitrary commands being executed on the server, outside of the intended docker process only. This is otherwise known as a remote command injection bug (especially since app.js listens on the network interface by default, accessible by anyone on the network, even though the intended access is localhost).
For example, executing the id command may return:
Some of the other APIs seem vulnerable to injection as well.
Recommended easiest fix would be the following:
Terminal(cmd) or in terminal.js itself. Return a "bad parameter" error message if the validation doesn't pass.
Additional references for hardening the code: