Hi, I've recently discovered that the allowed console commands can be easily bypassed. The current allowed console commands are docker, ls, cd and dir. However, these can be easily bypassed by adding && <YOUR OTHER COMMAND> after one of the allowed commands. For example, if I want to run history, I could easily execute ls && history. In my eyes, this could be a potential security risk.
👟 Reproduction steps
Go to the Dockge dashboard (standard landing page)
Click on "Console" at the top-right
Enter an allowed console command and add && YOUR_COMMAND, replacing YOUR_COMMAND with the command you wish to execute. For example: ls && history
See successful execution.
👀 Expected behavior
The command after && should be rejected.
😓 Actual Behavior
The command after && gets executed successfully.
Dockge Version
1.4.2
💻 Operating System and Arch
Fedora Linux 39 arm64
🌐 Browser
LibreWolf 124.0.1-1
🐋 Docker Version
Docker 26.0.0
🟩 NodeJS Version
No response
📝 Relevant log output
root@f8d00b415b7a:/opt/stacks# cd.&&echo"This shouldn't work"
This shouldn't workroot@f8d00b415b7a:/opt/stacks#
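The bypass and a stricter check, as an added example in the project's language (JavaScript); this is not Dockge's own code and the function names are hypothetical. The naive check mimics a prefix match that lets both `ls && history` and the log line above through; the stricter one rejects shell control operators before the allowlist comparison, and should be paired with executing the command via an argv array rather than a shell.

```javascript
// Added example, not Dockge's code. Function names are hypothetical.
const ALLOWED = new Set(["docker", "ls", "cd", "dir"]);

// Naive allowlist: accepts any line that merely begins with an allowed word.
// "ls && history" and 'cd.&&echo"..."' both pass, which is the reported bug.
function naiveIsAllowed(line) {
  const trimmed = line.trim();
  for (const cmd of ALLOWED) {
    if (trimmed.startsWith(cmd)) return true;
  }
  return false;
}

// Characters that let a second command ride along when a shell parses the
// line: && || ; | redirects, $(...) and backticks, newlines.
const SHELL_CONTROL = /[;&|`$<>()\n\r]/;

// Stricter allowlist: the whole line must be free of shell control syntax and
// the first whitespace-separated token must be exactly an allowed command.
function strictIsAllowed(line) {
  const trimmed = line.trim();
  if (trimmed.length === 0 || SHELL_CONTROL.test(trimmed)) return false;
  const [cmd] = trimmed.split(/\s+/);
  return ALLOWED.has(cmd);
}

// Splits an accepted line into argv so it can be run without a shell
// (e.g. child_process.spawn(argv[0], argv.slice(1), { shell: false })).
// Returns null for anything strictIsAllowed() rejects.
function toArgv(line) {
  if (!strictIsAllowed(line)) return null;
  return line.trim().split(/\s+/);
}

module.exports = { naiveIsAllowed, strictIsAllowed, toArgv };
```

Even with the stricter check, the command must be started without a shell, since a shell would still interpret any operator that slipped past the pattern.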
Obviously I don't understand this constraint. I've found this “feature” helpful. What is the security concern beyond the container?
The Dockge container needs access to the docker daemon of the host in order to work. If you can control docker, you can control the host (you can mount any path you want and use it with root permissions). So any security issue in this container like the reported one automatically affects the host as well.