Security concern while using mongoku in docker

Open sukesh-ak opened this issue 2 years ago • 1 comments

First of all, thank you for mongoku. It works well and it's fast as well.

Docker setup

Both of these containers (mongodb & mongoku) run within the same docker network

version: "3.9"
services:
  mongoku:
    image: huggingface/mongoku
    container_name: mongoku
    hostname: mongoku
    ports:
      - 3100:3100
  mongo:
    image: mongo
    container_name: mongo
    hostname: mongo
    restart: always
    ports:
      - 27017:27017     # server access
    environment:
      MONGO_INITDB_ROOT_USERNAME: ${MONGODB_ADMIN_USERNAME}
      MONGO_INITDB_ROOT_PASSWORD: ${MONGODB_ADMIN_PASSWORD}
      MONGO_INITDB_DATABASE: ${MONGODB_INITDB_DATABASE}

What happens

From my host machine, if I access the web UI, it prompts to add a server. Once you add the server, I guess the connection string including username/password is persisted inside the container and not the user HTTP session.

Security Issue

When you open another browser (in private mode) and open the Web UI, you see the server which was added by the previous session. This becomes a security concern since any user can open the UI and see the servers added by other users.

Do let me know if there is a way around this.

Fix

The server list should be persisted in the user HTTP session and not inside the docker container.

sukesh-ak avatar Jan 08 '23 16:01 sukesh-ak
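
The behaviour reported above next to the proposed fix, as an added example that is not part of the original issue and is not Mongoku's code. It is a minimal JavaScript model; the class names, the `sid` cookie, the `handle` function and the sample URI are all hypothetical.

```javascript
// Added example, not Mongoku's code; every name here is hypothetical.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

// Behaviour reported in the issue: one host list for the whole process.
class SharedHostStore {
  constructor() { this.hosts = []; }
  add(_sid, uri) { this.hosts.push(uri); }
  list(_sid) { return [...this.hosts]; }
}

// Proposed fix: one host list per HTTP session.
class SessionHostStore {
  constructor() { this.bySession = new Map(); }
  add(sid, uri) {
    if (!this.bySession.has(sid)) this.bySession.set(sid, []);
    this.bySession.get(sid).push(uri);
  }
  list(sid) { return [...(this.bySession.get(sid) ?? [])]; }
}

const issued = new Set(); // session ids this server handed out

// Return the caller's session id only if this server issued it.
function sessionIdFrom(cookieHeader) {
  const m = /(?:^|;\s*)sid=([0-9a-f]{64})(?:;|$)/.exec(cookieHeader ?? "");
  return m && issued.has(m[1]) ? m[1] : null;
}

function newSessionId() {
  const bytes = webcrypto.getRandomValues(new Uint8Array(32));
  const sid = Buffer.from(bytes).toString("hex");
  issued.add(sid);
  return sid;
}

// One request: optionally save a host, then return what this browser sees.
// A first visit (no valid cookie) also gets a Set-Cookie value.
function handle(store, cookieHeader, addUri) {
  let sid = sessionIdFrom(cookieHeader);
  let setCookie = null;
  if (sid === null) {
    sid = newSessionId();
    setCookie = `sid=${sid}; HttpOnly; SameSite=Strict; Path=/`;
  }
  if (addUri) store.add(sid, addUri);
  return { setCookie, hosts: store.list(sid) };
}

// Constructed sample value; the credentials are placeholders.
const SAMPLE_URI = "mongodb://admin:example-password@mongo:27017";
```

Session scoping isolates saved hosts between browsers, but it does not authenticate who may reach the UI.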

same concern here.

saibimajdi avatar Mar 01 '23 01:03 saibimajdi