jnd/beszel-ipv6
1
0
Fork 0
mirror of https://github.com/henrygd/beszel.git synced 2026-04-05 04:21:50 +02:00
Code Issues Packages Projects Releases 2 Wiki Activity

harden against docker api path traversal

Browse Source 
Validate container IDs (12-64 hex) in hub container endpoints and agent
Docker requests, and build Docker URLs with escaped path segments. Add
regression tests for traversal/malformed container inputs and safe
endpoint construction.
This commit is contained in:
henrygd
2026-02-18 17:33:00 -05:00
parent 4869c834bb
commit 311095cfdd
4 changed files with 174 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
internal/hub/hub.go
View File

@@ -9,6 +9,7 @@ import (
"net/url"
"os"
"path"
"regexp"
"strings"
"time"
@@ -41,6 +42,8 @@ type Hub struct {
appURL string
}
var containerIDPattern = regexp.MustCompile(`^[a-fA-F0-9]{12,64}$`)
// NewHub creates a new Hub instance with default configuration
func NewHub(app core.App) *Hub {
hub := &Hub{}
@@ -461,6 +464,9 @@ func (h *Hub) containerRequestHandler(e *core.RequestEvent, fetchFunc func(*syst
if systemID == "" || containerID == "" {
return e.JSON(http.StatusBadRequest, map[string]string{"error": "system and container parameters are required"})
}
if !containerIDPattern.MatchString(containerID) {
return e.JSON(http.StatusBadRequest, map[string]string{"error": "invalid container parameter"})
}
system, err := h.sm.GetSystem(systemID)
if err != nil {