Dokploy Command Injection Vulnerability in Docker File Upload Functionality Allowing Remote Code Execution

Vulnerability

A command injection vulnerability allowing remote code execution has been identified in Dokploy versions through 0.29.1. The issue arises in the Docker file upload feature, where the destinationPath parameter is not properly sanitized. This flaw allows authenticated users to interpolate shell metacharacters into a command string, escaping the intended docker cp command and executing arbitrary operating system commands on the Dokploy host.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the Dokploy host, with the executed commands running in the context of the user running the Dokploy application.

Reproduction

To reproduce this vulnerability, log in to Dokploy as an authenticated user and upload a file to any container. Intercept the upload request and modify the destinationPath parameter to include shell metacharacters, such as a semicolon followed by a command (e.g., 'id' or 'uname -a'). Once the request is sent, the server will execute the injected commands, demonstrating the command execution vulnerability.

Remediation

To address this vulnerability, it is recommended to validate the destinationPath parameter against a strict regular expression that disallows shell metacharacters. Additionally, use execFile or spawn with an array of arguments instead of string interpolation with exec, to prevent command injection.

Added: May 29, 2026, 4:20 PM
Updated: May 29, 2026, 4:20 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 6.6
remediation: 0.0
relevance: 9.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.