fix(security): added a check to allow only docker run commands in edit container feature

2024-08-22 23:27:15 +03:00 · 2024-08-19 00:36:04 +07:00
parent 643260752b
commit 1928ef5c2e
1 changed files with 16 additions and 2 deletions
--- a/app/server/server/containers.go
+++ b/app/server/server/containers.go
@@ -384,7 +384,7 @@ func (Containers) RunCommand(server *Server, session _session.GenericSession, co
 					},
 				}),
 			)
-			return
+			break
 		}

 		var container resources.Container
@@ -425,12 +425,26 @@ func (Containers) RunCommand(server *Server, session _session.GenericSession, co
 					},
 				}),
 			)
-			return
+			break
 		}

 		var container resources.Container
 		mapstructure.Decode(command.Args["Resource"], &container)

+		newCommand := command.Args["Content"].(string)
+		if !strings.HasPrefix(newCommand, "docker run") {
+			server.SendNotification(
+				session,
+				ui.NotificationError(ui.NP{
+					Content: ui.JSON{
+						"Message": "For your own security, you can only run a \"docker run\" command." +
+							" Please make sure that your command starts, indeed, with \"docker run\"",
+					},
+				}),
+			)
+			break
+		}
+
 		task := process.LongTask{
 			Function: container.Edit,
 			Args:     command.Args, // Expects : { "Content": <string> }