
Security issue - Docker-compose persisted volumes

Open Josh-XT opened this issue 1 year ago • 2 comments

I was just looking at the security tab and saw this warning. https://github.com/Significant-Gravitas/AutoGPT/security/advisories/GHSA-x5gj-2chr-4ch6

I'm not sure if there is a reason, but I noticed that the docker-compose.yml and Dockerfile, as well as the rest of the whole directory, are persisted in the docker-compose.yml file. You should pick and choose what directories need to be persisted locally. The whole folder should not be persisted. For example, if things in the data and logs folders are the important things to save, persist those instead of the whole folder. If things are saving in the root of the project, I would consider a refactor.

https://github.com/Significant-Gravitas/AutoGPT/blob/180de0c9a9ce79939a8aae2b55d01e2bf2a5becb/autogpts/autogpt/docker-compose.yml#L14-L17

Josh-XT avatar Apr 30 '24 11:04 Josh-XT

Replace this (persists everything):

```yaml
- ./:/app
```

With this (persists only data and logs):

```yaml
- ./data:/app/data
- ./logs:/app/logs
```

This should solve it.

ghost avatar Apr 30 '24 12:04 ghost
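The two snippets above are the weak setting and the fix side by side. The script below is an added example, written for this page and not code from AutoGPT or from either commenter, that puts them in a complete (constructed) compose file, flags any short-syntax volume entry whose host side is the project root (`.` or `./`), and rewrites such an entry into the two subdirectory mounts the comment proposes. It assumes the plain `- host:container[:opts]` list form, space-indented YAML (tabs are not valid YAML indentation), and that `data` and `logs` are the only directories worth keeping, as the thread suggests; the image name is made up.

```shell
#!/bin/sh
# Added example, not AutoGPT's code. Detects and narrows a whole-project
# bind mount in a docker-compose.yml. Assumptions: short-syntax volume
# entries ("- host:container[:opts]"), space-indented YAML.

# Constructed sample: the weak setting (bind-mounts the entire checkout,
# including docker-compose.yml and the Dockerfile, into the container).
WEAK_COMPOSE='services:
  autogpt:
    image: example/autogpt
    volumes:
      - ./:/app
'

# Constructed sample: the corrected setting (only data and logs persist).
HARDENED_COMPOSE='services:
  autogpt:
    image: example/autogpt
    volumes:
      - ./data:/app/data
      - ./logs:/app/logs
'

# Reads compose YAML on stdin. Prints each offending entry to stderr and
# returns 1 if the project root is bind-mounted anywhere; returns 0 if not.
check_root_bind_mounts() {
  offenders=$(grep -E '^ *- *\./?:/' || true)
  if [ -n "$offenders" ]; then
    printf 'whole-project bind mount found:\n%s\n' "$offenders" >&2
    return 1
  fi
  return 0
}

# Reads compose YAML on stdin and writes it back out with every
# "- ./:<dir>[:opts]" entry replaced by "<dir>/data" and "<dir>/logs"
# mounts from the matching host subdirectories. Other lines pass through.
narrow_root_mount() {
  awk '
    $0 ~ /^ *- *\.\/?:\// {
      indent = substr($0, 1, index($0, "-") - 1)   # keep list indentation
      n = split($0, parts, ":")
      cdir = parts[2]                               # container side, e.g. /app
      opts = (n >= 3) ? ":" parts[3] : ""           # preserve e.g. ":ro"
      print indent "- ./data:" cdir "/data" opts
      print indent "- ./logs:" cdir "/logs" opts
      next
    }
    { print }
  '
}

# Stand-alone run: lint the weak file and show the narrowed result.
if printf '%s' "$WEAK_COMPOSE" | check_root_bind_mounts; then
  echo "no whole-project bind mount present"
else
  echo "narrowed volumes:"
  printf '%s' "$WEAK_COMPOSE" | narrow_root_mount
fi
```

Run it against a real file with `check_root_bind_mounts < docker-compose.yml`; the rewrite is deliberately limited to the one pattern the thread discusses, so review the result rather than piping it straight back into the file.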

Please open a pr to fix

ntindle avatar Jun 10 '24 02:06 ntindle

This issue has automatically been marked as stale because it has not had any activity in the last 50 days. You can unstale it by commenting or removing the label. Otherwise, this issue will be closed in 10 days.

github-actions[bot] avatar Jul 31 '24 01:07 github-actions[bot]

This issue was closed automatically because it has been stale for 10 days with no activity.

github-actions[bot] avatar Aug 10 '24 01:08 github-actions[bot]