4e3f7e8ab7
- C1: Replace all ClickHouse string interpolation with parameterized queries (query_params) to eliminate SQL injection in analytics endpoints - C3: Strip Caddy placeholder patterns from redirect rules, protected paths, and Authentik auth endpoint to prevent config injection - C4: Replace WAF custom directive blocklist with allowlist approach — only SecRule/SecAction/SecMarker/SecDefaultAction permitted; block ctl:ruleEngine and Include directives - H2: Validate GCM authentication tag is exactly 16 bytes before decryption - H3: Validate forward auth redirect URIs (scheme, no credentials) to prevent open redirects - H4: Switch 11 analytics/WAF/geoip endpoints from session-only requireAdmin to requireApiAdmin supporting both Bearer token and session auth - H5: Add input validation for instance-mode (whitelist) and sync-token (32-char minimum) in settings API - M1: Add non-root user to l4-port-manager Dockerfile - M5: Document Caddy admin API binding security rationale - Document C2 (custom config injection) and H1 (SSRF via upstreams) as intentional admin features Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
16 lines
560 B
Docker
16 lines
560 B
Docker
FROM docker:cli
|
|
|
|
# Only need docker compose CLI and basic shell tools
|
|
RUN apk add --no-cache bash
|
|
|
|
COPY docker/l4-port-manager/entrypoint.sh /entrypoint.sh
|
|
RUN chmod +x /entrypoint.sh
|
|
|
|
# Runs as root intentionally: this sidecar executes `docker compose` to
|
|
# recreate the caddy container and writes status files to the shared
|
|
# caddy-manager-data volume (owned by the web container's UID).
|
|
# Access to the Docker API is scoped via the docker-socket-proxy service
|
|
# which restricts to GET/POST on /containers/ and /compose/ only.
|
|
|
|
ENTRYPOINT ["/entrypoint.sh"]
|