DNP_DAPPMANAGER icon indicating copy to clipboard operation
DNP_DAPPMANAGER copied to clipboard

Published 20 hours ago verified publisher icon dappnode

Review DM security

Open dapplion opened this issue 3 years ago • 0 comments

  • [ ] Add rate-limiting to the HTTP API endpoints
  • [ ] Disable all binds expect for white-listed packages
  • [ ] Remove the types from the UI and leave there only what's strictly necessary for the API. Manifest and Compose types must not be there
  • [ ] Make compose validation much stricter, throw errors and abstract it to a different package that's shared with the DAppNodeSDK
  • [x] Implement web authentication
  • [ ] Document what's allowed and what's not in the docker-compose

Older notes, maybe duplicated:

  • [ ] Add super strict rules in compose verification
    • [ ] Allow only stricly a small subset of compose syntax (short syntax)
    • [ ] Block all bind volumes for unverified packages
    • [ ] Block volumes accessing any named volumes of core packages
    • [ ] Do some permissioning to allow other packages to use volumes
    • [ ] Deal with container_name and image name
  • [x] Figure out a way to guess the image name correctly

dapplion avatar Mar 22 '21 10:03 dapplion