Summary
Pre-launch security audit (PR #210) identified 5 medium-priority items that should be addressed after launch. None are exploitable remotely — they require LAN access.
Findings
1. Dozzle Web Shell Access
File: install/management_compose.yaml:56
DOZZLE_ENABLE_SHELL=true gives anyone on the LAN a web shell into containers via port 9999. Combined with Docker socket access in nomad_admin, this creates a path from LAN access to host root.
Fix: Set DOZZLE_ENABLE_SHELL=false. Log viewing and container restart still work.
2. Unvalidated Settings Key Read
File: admin/app/controllers/settings_controller.ts
GET /api/system/settings?key=... accepts any arbitrary key string. The write endpoint validates against an enum, but the read doesn't. Currently harmless but could leak sensitive data if new keys are added.
Fix: Apply the same enum validation to the read endpoint.
3. Content Update URL Injection
File: admin/app/validators/common.ts
POST /api/content-updates/apply accepts download_url directly from the client. An attacker could supply any URL. The URL should be looked up server-side from the cached content manifest.
Fix: Validate download_url against the cached manifest, or rely on the loopback/link-local protection added in PR #210.
4. Verbose Error Messages
Files: rag_controller.ts, docker_service.ts, system_update_service.ts
Several controllers return raw error.message in API responses, potentially leaking internal paths, stack details, or Docker error messages.
Fix: Return generic error messages in production. Log details server-side.
5. npm Dependency Vulnerabilities
tar (HIGH) — CVE via node-pre-gyp → @openzim/libzim
ajv (MODERATE) — prototype pollution via @inertiajs/react
Fix: Update upstream dependencies when patches are available. npm audit fix --force can address ajv but may introduce breaking changes.
Context
Full audit report attached to PR #210 as admin/docs/security-audit-v1.md.
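The fix for finding 3, sketched as an added example (not code from the project or from PR #210): the client's download_url is checked against the cached manifest, and the manifest's own string is what the server goes on to fetch. The ManifestEntry shape, the function names and the example.org URLs are assumptions constructed for illustration.

```typescript
// Added example. Manifest shape, function names and URLs are assumptions,
// constructed for illustration; they are not taken from the project.
interface ManifestEntry {
  id: string
  download_url: string
}

// Constructed sample standing in for the cached content manifest.
const CACHED_MANIFEST: ManifestEntry[] = [
  { id: 'wikipedia_en', download_url: 'https://downloads.example.org/zim/wikipedia_en.zim' },
  { id: 'maps_world', download_url: 'https://downloads.example.org/maps/world.pmtiles' },
]

// Parse and re-serialize so that case, default ports and dot segments cannot
// make two spellings of one URL compare as different. Null if unparseable.
function canonicalUrl(raw: string): string | null {
  try {
    return new URL(raw).href
  } catch {
    return null
  }
}

// Returns the manifest's own URL string when the client value matches an
// entry, otherwise null. The caller downloads only the returned value, so
// the string that reaches the fetch always originates from the manifest.
function resolveDownloadUrl(manifest: ManifestEntry[], requested: unknown): string | null {
  if (typeof requested !== 'string' || requested.length > 2048) return null
  const wanted = canonicalUrl(requested)
  if (wanted === null) return null
  for (const entry of manifest) {
    if (canonicalUrl(entry.download_url) === wanted) return entry.download_url
  }
  return null
}
```

A null result should map to a generic 4xx response, with the rejected value logged server-side only.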