harden against docker api path traversal

Validate container IDs (12-64 hex) in hub container endpoints and agent Docker requests, and build Docker URLs with escaped path segments. Add regression tests for traversal/malformed container inputs and safe endpoint construction.
2026-03-21 21:26:16 +01:00 · 2026-02-18 17:33:00 -05:00
parent 4869c834bb
commit 311095cfdd
4 changed files with 174 additions and 3 deletions
--- a/internal/hub/hub.go
+++ b/internal/hub/hub.go
@@ -9,6 +9,7 @@ import (
 	"net/url"
 	"os"
 	"path"
+	"regexp"
 	"strings"
 	"time"

@@ -41,6 +42,8 @@ type Hub struct {
 	appURL string
 }

+var containerIDPattern = regexp.MustCompile(`^[a-fA-F0-9]{12,64}$`)
+
 // NewHub creates a new Hub instance with default configuration
 func NewHub(app core.App) *Hub {
 	hub := &Hub{}
@@ -461,6 +464,9 @@ func (h *Hub) containerRequestHandler(e *core.RequestEvent, fetchFunc func(*syst
 	if systemID == "" || containerID == "" {
 		return e.JSON(http.StatusBadRequest, map[string]string{"error": "system and container parameters are required"})
 	}
+	if !containerIDPattern.MatchString(containerID) {
+		return e.JSON(http.StatusBadRequest, map[string]string{"error": "invalid container parameter"})
+	}

 	system, err := h.sm.GetSystem(systemID)
 	if err != nil {
--- a/internal/hub/hub_test.go
+++ b/internal/hub/hub_test.go
@@ -545,7 +545,7 @@ func TestApiRoutesAuthentication(t *testing.T) {
 		{
 			Name:   "GET /containers/logs - with auth but invalid system should fail",
 			Method: http.MethodGet,
-			URL:    "/api/beszel/containers/logs?system=invalid-system&container=test-container",
+			URL:    "/api/beszel/containers/logs?system=invalid-system&container=0123456789ab",
 			Headers: map[string]string{
 				"Authorization": userToken,
 			},
@@ -553,6 +553,39 @@ func TestApiRoutesAuthentication(t *testing.T) {
 			ExpectedContent: []string{"system not found"},
 			TestAppFactory:  testAppFactory,
 		},
+		{
+			Name:   "GET /containers/logs - traversal container should fail validation",
+			Method: http.MethodGet,
+			URL:    "/api/beszel/containers/logs?system=" + system.Id + "&container=..%2F..%2Fversion",
+			Headers: map[string]string{
+				"Authorization": userToken,
+			},
+			ExpectedStatus:  400,
+			ExpectedContent: []string{"invalid container parameter"},
+			TestAppFactory:  testAppFactory,
+		},
+		{
+			Name:   "GET /containers/info - traversal container should fail validation",
+			Method: http.MethodGet,
+			URL:    "/api/beszel/containers/info?system=" + system.Id + "&container=../../version?x=",
+			Headers: map[string]string{
+				"Authorization": userToken,
+			},
+			ExpectedStatus:  400,
+			ExpectedContent: []string{"invalid container parameter"},
+			TestAppFactory:  testAppFactory,
+		},
+		{
+			Name:   "GET /containers/info - non-hex container should fail validation",
+			Method: http.MethodGet,
+			URL:    "/api/beszel/containers/info?system=" + system.Id + "&container=container_name",
+			Headers: map[string]string{
+				"Authorization": userToken,
+			},
+			ExpectedStatus:  400,
+			ExpectedContent: []string{"invalid container parameter"},
+			TestAppFactory:  testAppFactory,
+		},

 		// Auth Optional Routes - Should work without authentication
 		{