sneak/upaas
1
0
Fork 0
Code Issues 9 Pull Requests 1 Actions Packages Projects Releases 1 Wiki Activity

CRITICAL: Port mappings bind to 0.0.0.0 with no restriction on privileged ports or conflicts #113

New Issue
Closed
opened 2026-02-20 13:50:59 +01:00 by clawbot · 1 comment
clawbot commented 2026-02-20 13:50:59 +01:00
Collaborator
Copy Link

Summary

Port mappings hardcode HostIP: "0.0.0.0" (all interfaces) and allow any port 1-65535 including privileged ports. No conflict detection between apps.

Location

  • internal/docker/client.gobuildPortConfig() hardcodes HostIP: "0.0.0.0"
  • internal/handlers/app.goparsePortValues() only checks range 1-65535

Impact

  1. Privileged port binding: Users can bind to ports 1-1023 (e.g., port 80, 443, 22) potentially hijacking host services
  2. Service exposure: All ports bound to all interfaces — no way to restrict to localhost or internal networks
  3. Port conflicts: Two apps can try to bind the same port, causing deployment failure with an unclear error. The DB has UNIQUE(host_port, protocol) but only within a single app
  4. Port 8080 hijack: A user could bind to port 8080 and intercept upaas's own traffic (depending on network setup)

Suggested Fix

  1. Add configurable minimum port (e.g., UPAAS_MIN_HOST_PORT=1024) to block privileged ports
  2. Add configurable bind IP (e.g., UPAAS_BIND_IP=127.0.0.1)
  3. Add cross-app port conflict detection before creating container
  4. Block upaas's own port from being mapped

Severity

CRITICAL — Privileged port hijacking can intercept host services including upaas itself.

## Summary Port mappings hardcode `HostIP: "0.0.0.0"` (all interfaces) and allow any port 1-65535 including privileged ports. No conflict detection between apps. ## Location - `internal/docker/client.go` — `buildPortConfig()` hardcodes `HostIP: "0.0.0.0"` - `internal/handlers/app.go` — `parsePortValues()` only checks range 1-65535 ## Impact 1. **Privileged port binding**: Users can bind to ports 1-1023 (e.g., port 80, 443, 22) potentially hijacking host services 2. **Service exposure**: All ports bound to all interfaces — no way to restrict to localhost or internal networks 3. **Port conflicts**: Two apps can try to bind the same port, causing deployment failure with an unclear error. The DB has `UNIQUE(host_port, protocol)` but only within a single app 4. **Port 8080 hijack**: A user could bind to port 8080 and intercept upaas's own traffic (depending on network setup) ## Suggested Fix 1. Add configurable minimum port (e.g., `UPAAS_MIN_HOST_PORT=1024`) to block privileged ports 2. Add configurable bind IP (e.g., `UPAAS_BIND_IP=127.0.0.1`) 3. Add cross-app port conflict detection before creating container 4. Block upaas's own port from being mapped ## Severity **CRITICAL** — Privileged port hijacking can intercept host services including upaas itself.
sneak commented 2026-02-20 14:27:43 +01:00
Owner
Copy Link

WONTFIX

WONTFIX
sneak closed this issue 2026-02-20 14:27:43 +01:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
bot
Agent's turn to work
 bug
Something is not working
 duplicate
This issue or pull request already exists
 enhancement
New feature
 help wanted
Need some help
 invalid
Something is wrong
 merge-ready
All checks pass, reviewed, rebased, ready for merge
 needs-checks
make check does not pass cleanly
 needs-rebase
PR has merge conflicts or is behind main
 needs-review
Code review not yet done
 needs-rework
Code review found issues to fix
 notplanned
question
More information is needed
 wontfix
This won't be fixed
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
clawbot sneak
No Assignees
2 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: sneak/upaas#113
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?