fix: fixes missed cases to validate user scope when downloading, streaming and actions (#3460)

2025-12-24 06:28:42 +01:00 · 2024-12-14 13:12:43 -08:00
parent f2e56f79b7
commit bd0a81f332
4 changed files with 82 additions and 3 deletions
--- a/assets/auto-imports.d.ts
+++ b/assets/auto-imports.d.ts
@@ -369,6 +369,21 @@ declare global {
  // @ts-ignore
  export type { Component, ComponentPublicInstance, ComputedRef, DirectiveBinding, ExtractDefaultPropTypes, ExtractPropTypes, ExtractPublicPropTypes, InjectionKey, PropType, Ref, MaybeRef, MaybeRefOrGetter, VNode, WritableComputedRef } from 'vue'
  import('vue')
+  // @ts-ignore
+  export type { DrawerWidth } from './composable/drawer'
+  import('./composable/drawer')
+  // @ts-ignore
+  export type { LogStreamSource } from './composable/eventStreams'
+  import('./composable/eventStreams')
+  // @ts-ignore
+  export type { Config, Profile } from './stores/config'
+  import('./stores/config')
+  // @ts-ignore
+  export type { Host } from './stores/hosts'
+  import('./stores/hosts')
+  // @ts-ignore
+  export type { Settings } from './stores/settings'
+  import('./stores/settings')
 }

 // for vue template auto import
--- a/internal/web/actions.go
+++ b/internal/web/actions.go
@@ -14,6 +14,17 @@ func (h *handler) containerActions(w http.ResponseWriter, r *http.Request) {
 	action := chi.URLParam(r, "action")
 	id := chi.URLParam(r, "id")

+	validIdMap, err := h.validContainerIDsForHost(r, hostKey(r))
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	if _, ok := validIdMap[id]; !ok {
+		http.Error(w, "container not found", http.StatusUnauthorized)
+		return
+	}
+
 	containerService, err := h.multiHostService.FindContainer(hostKey(r), id)
 	if err != nil {
 		log.Error().Err(err).Msg("error while trying to find container")
--- a/internal/web/actions_test.go
+++ b/internal/web/actions_test.go
@@ -76,7 +76,7 @@ func Test_handler_containerActions_unknown_container(t *testing.T) {

 	rr := httptest.NewRecorder()
 	handler.ServeHTTP(rr, req)
-	assert.Equal(t, 404, rr.Code)
+	assert.Equal(t, 401, rr.Code)
 }

 func Test_handler_containerActions_start(t *testing.T) {
--- a/internal/web/logs.go
+++ b/internal/web/logs.go
@@ -26,12 +26,46 @@ import (
 	"github.com/docker/docker/pkg/stdcopy"
 	"github.com/dustin/go-humanize"
 	"github.com/go-chi/chi/v5"
+	"github.com/samber/lo"

 	"github.com/rs/zerolog/log"
 )

+func (h *handler) validContainerIDsForHost(r *http.Request, host string) (map[string]docker.Container, error) {
+	usersFilter := h.config.Filter
+	if h.config.Authorization.Provider != NONE {
+		user := auth.UserFromContext(r.Context())
+		if user.ContainerFilter.Exists() {
+			usersFilter = user.ContainerFilter
+		}
+	}
+
+	validContainers, err := h.multiHostService.ListContainersForHost(host, usersFilter)
+	if err != nil {
+		return nil, err
+	}
+
+	validIdMap := lo.KeyBy(validContainers, func(item docker.Container) string {
+		return item.ID
+	})
+
+	return validIdMap, nil
+}
+
 func (h *handler) downloadLogs(w http.ResponseWriter, r *http.Request) {
 	id := chi.URLParam(r, "id")
+
+	validIdMap, err := h.validContainerIDsForHost(r, hostKey(r))
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	if _, ok := validIdMap[id]; !ok {
+		http.Error(w, "container not found", http.StatusUnauthorized)
+		return
+	}
+
 	containerService, err := h.multiHostService.FindContainer(hostKey(r), id)
 	if err != nil {
 		http.Error(w, err.Error(), http.StatusBadRequest)
@@ -103,6 +137,17 @@ func (h *handler) fetchLogsBetweenDates(w http.ResponseWriter, r *http.Request)
 		return
 	}

+	validIdMap, err := h.validContainerIDsForHost(r, hostKey(r))
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	if _, ok := validIdMap[id]; !ok {
+		http.Error(w, "container not found", http.StatusUnauthorized)
+		return
+	}
+
 	containerService, err := h.multiHostService.FindContainer(hostKey(r), id)
 	if err != nil {
 		http.Error(w, err.Error(), http.StatusNotFound)
@@ -420,8 +465,16 @@ loop:
 			}
 			sseWriter.Message(logEvent)
 		case container := <-newContainers:
-			events <- &docker.ContainerEvent{ActorID: container.ID, Name: "container-started", Host: container.Host}
-			go streamLogs(container)
+			validIdMap, err := h.validContainerIDsForHost(r, container.Host)
+			if err != nil {
+				log.Error().Err(err).Msg("error fetching valid container IDs")
+				continue
+			}
+
+			if _, ok := validIdMap[container.ID]; ok {
+				events <- &docker.ContainerEvent{ActorID: container.ID, Name: "container-started", Host: container.Host}
+				go streamLogs(container)
+			}

 		case event := <-events:
 			log.Debug().Str("event", event.Name).Str("container", event.ActorID).Msg("received event")