
fix(security): bypass allowed cmds

Open asdfzxcvbn opened this issue 1 year ago • 2 comments

using control operators, you can use disallowed commands. see screenshot below for example.

this fix simply creates a list of all known operators that can be used and checks the input for them.

image

asdfzxcvbn avatar Nov 14 '23 01:11 asdfzxcvbn
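The check described in the issue above, as an added example that is not part of the original post and is not Dockge's own code: a first-word allowlist beside the same allowlist combined with a scan for bash control operators. The command list and all function names are assumptions; the page does not name the allowed commands.

```typescript
// Constructed allowlist: the page does not list the permitted commands.
const ALLOWED_CMDS: string[] = ["docker", "ls", "cd", "dir"];

// Bash control operators, longest first so the report names the full
// operator, plus newline, which also terminates a command.
const CONTROL_OPERATORS: string[] = [
    ";;&", "&&", "||", ";;", ";&", "|&", ";", "&", "|", "(", ")", "\n",
];

// Naive check: only the first word is compared with the allowlist, so
// anything that follows a control operator is never inspected.
function naiveIsAllowed(input: string): boolean {
    const first = input.trim().split(/\s+/)[0] || "";
    return ALLOWED_CMDS.indexOf(first) !== -1;
}

// Returns the first listed operator found anywhere in the input, or null.
function findOperator(input: string): string | null {
    for (const op of CONTROL_OPERATORS) {
        if (input.indexOf(op) !== -1) return op;
    }
    return null;
}

// Check described in the issue: first word allowed AND no control operator.
// The scan is a plain substring match and knows nothing about quoting, so an
// operator character inside a quoted argument is rejected as well.
function isAllowed(input: string): boolean {
    return naiveIsAllowed(input) && findOperator(input) === null;
}

// Constructed sample inputs with the verdict of each check.
function report(): string[] {
    const samples = [
        "docker ps -a",
        "ls && whoami",
        "ls\nwhoami",
        "docker ps --filter 'name=a;b'",
        "whoami",
    ];
    return samples.map((s) =>
        JSON.stringify(s) + " naive=" + naiveIsAllowed(s) + " strict=" + isAllowed(s));
}
```

The fourth sample shows the trade-off of a substring scan: a semicolon inside a quoted argument is rejected even though the shell would not treat it as an operator.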

Hi, using a temp docker container (for each console request) which has the docker client CLI for running the command is safer than doing this

mhkarimi1383 avatar Nov 14 '23 19:11 mhkarimi1383

Using a temp docker container (for each console request) which has the docker client CLI for running the command is safer than doing this

yeah, maybe safer, but definitely not as performant. i doubt you can do any real damage with only 4 commands, anyway. blocking control operators is probably the best solution.

asdfzxcvbn avatar Nov 16 '23 01:11 asdfzxcvbn