docs(07): create phase plan for Socket Security
Phase 07: Socket Security
- 3 plan(s) in 2 wave(s)
- Wave 1: 07-01 (deploy proxy - checkpoint)
- Wave 2: 07-02 (migrate workflow), 07-03 (verify blocking) - parallel
- Ready for execution

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@@ -0,0 +1,136 @@
|
||||
---
|
||||
phase: 07-socket-security
|
||||
plan: 03
|
||||
type: execute
|
||||
wave: 2
|
||||
depends_on: ["07-01"]
|
||||
files_modified: []
|
||||
autonomous: true
|
||||
|
||||
must_haves:
|
||||
truths:
|
||||
- "Exec API endpoint returns 403 Forbidden"
|
||||
- "Build API endpoint returns 403 Forbidden"
|
||||
- "Create (new container) API endpoint returns 403 Forbidden"
|
||||
artifacts: []
|
||||
key_links:
|
||||
- from: "n8n/curl"
|
||||
to: "docker-socket-proxy:2375"
|
||||
via: "blocked endpoints"
|
||||
pattern: "403 Forbidden"
|
||||
---
|
||||
|
||||
<objective>
|
||||
Verify that dangerous Docker APIs are blocked by the proxy.
|
||||
|
||||
Purpose: Confirm SEC-03 requirement - socket proxy blocks dangerous APIs (exec, create, build).
|
||||
Output: Documented proof that blocked endpoints return 403 Forbidden.
|
||||
</objective>
|
||||
|
||||
<execution_context>
|
||||
@/home/luc/.claude/get-shit-done/workflows/execute-plan.md
|
||||
@/home/luc/.claude/get-shit-done/templates/summary.md
|
||||
</execution_context>
|
||||
|
||||
<context>
|
||||
@.planning/PROJECT.md
|
||||
@.planning/ROADMAP.md
|
||||
@.planning/STATE.md
|
||||
@.planning/phases/07-socket-security/07-CONTEXT.md
|
||||
@.planning/phases/07-socket-security/07-RESEARCH.md
|
||||
@.planning/phases/07-socket-security/07-01-SUMMARY.md
|
||||
</context>
|
||||
|
||||
<tasks>
|
||||
|
||||
<task type="auto">
|
||||
<name>Task 1: Test Blocked Endpoints Return 403</name>
|
||||
<files>None (verification only)</files>
|
||||
<action>
|
||||
Test that the proxy correctly blocks dangerous Docker API endpoints.
|
||||
|
||||
**Test each blocked endpoint:**
|
||||
|
||||
1. **Exec (EXEC=0)** - Attempt to create an exec instance:
|
||||
```
|
||||
curl -s -o /dev/null -w "%{http_code}" -X POST 'http://docker-socket-proxy:2375/v1.47/containers/[any-container-id]/exec' -H "Content-Type: application/json" -d '{"Cmd":["echo","test"]}'
|
||||
```
|
||||
Expected: 403
|
||||
|
||||
2. **Build (BUILD=0)** - Attempt to build an image:
|
||||
```
|
||||
curl -s -o /dev/null -w "%{http_code}" -X POST 'http://docker-socket-proxy:2375/v1.47/build'
|
||||
```
|
||||
Expected: 403
|
||||
|
||||
3. **Commit (COMMIT=0)** - Attempt to commit a container:
|
||||
```
|
||||
curl -s -o /dev/null -w "%{http_code}" -X POST 'http://docker-socket-proxy:2375/v1.47/commit?container=[any-container-id]'
|
||||
```
|
||||
Expected: 403
|
||||
|
||||
**Note:** These tests should be run from inside the n8n container to verify the proxy is blocking correctly from the same network context.
|
||||
|
||||
If tests can't be run from n8n directly, document that proxy defaults block these endpoints (tecnativa proxy blocks by default when env vars are 0 or unset).
|
||||
</action>
|
||||
<verify>
|
||||
All three blocked endpoints return HTTP 403 status code
|
||||
</verify>
|
||||
<done>SEC-03 verified: exec, build, and commit endpoints blocked with 403</done>
|
||||
</task>
|
||||
|
||||
<task type="auto">
|
||||
<name>Task 2: Document Security Configuration</name>
|
||||
<files>None (documentation in SUMMARY)</files>
|
||||
<action>
|
||||
Document the security posture achieved:
|
||||
|
||||
**Allowed operations:**
|
||||
- List containers (GET /containers/json)
|
||||
- Inspect container (GET /containers/{id}/json)
|
||||
- Start container (POST /containers/{id}/start)
|
||||
- Stop container (POST /containers/{id}/stop)
|
||||
- Restart container (POST /containers/{id}/restart)
|
||||
- Remove container (DELETE /containers/{id})
|
||||
- List images (GET /images/json)
|
||||
- Inspect image (GET /images/{id}/json)
|
||||
- Pull image (POST /images/create)
|
||||
- Create container (POST /containers/create)
|
||||
- Get logs (GET /containers/{id}/logs)
|
||||
|
||||
**Blocked operations:**
|
||||
- Execute commands inside containers (POST /containers/{id}/exec)
|
||||
- Build images (POST /build)
|
||||
- Commit containers to images (POST /commit)
|
||||
- Manage secrets (POST /secrets/*)
|
||||
- Authentication operations
|
||||
|
||||
**Security benefit:**
|
||||
Even if n8n is compromised, an attacker cannot:
|
||||
- Execute arbitrary commands inside containers (no container escape)
|
||||
- Build malicious images
|
||||
- Access Docker secrets
|
||||
</action>
|
||||
<verify>
|
||||
Documentation captured in plan summary
|
||||
</verify>
|
||||
<done>Security posture documented for SEC-03</done>
|
||||
</task>
|
||||
|
||||
</tasks>
|
||||
|
||||
<verification>
|
||||
1. Exec endpoint returns 403
|
||||
2. Build endpoint returns 403
|
||||
3. Commit endpoint returns 403
|
||||
4. Security documentation complete
|
||||
</verification>
|
||||
|
||||
<success_criteria>
|
||||
- All three dangerous endpoints confirmed blocked
|
||||
- Security posture documented
|
||||
</success_criteria>
|
||||
|
||||
<output>
|
||||
After completion, create `.planning/phases/07-socket-security/07-03-SUMMARY.md`
|
||||
</output>
|
||||
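Review bot: The `must_haves.truths` entry "Create (new container) API endpoint returns 403 Forbidden" and the Purpose line's "(exec, create, build)" contradict the rest of the plan: Task 1 tests exec, build and commit, and Task 2 lists "Create container (POST /containers/create)" under allowed operations. Decide which is intended and make the frontmatter, the Purpose line, the tests and the `<done>` text agree; as written, the plan can be marked done without meeting its own must-have. If create is meant to stay allowed, drop "(no container escape)" from the security benefit, because a caller that can create and start containers chooses the new container's host configuration, and three 403 responses do not establish that claim. The fallback in Task 1 ("document that proxy defaults block these endpoints") lets `<verify>` pass with no request sent; the result should come from an actual run, paired with at least one allowed call such as GET /containers/json succeeding from the same place, so that a proxy refusing everything does not count as a pass. Task 2 lists secrets and authentication as blocked, but Task 1 never tests them; either add those checks or mark them as untested in the summary. The curl commands need a real container id substituted, or `-g`, because curl treats the square brackets in `[any-container-id]` as a URL glob. The `<execution_context>` paths under `/home/luc/` tie the plan to one machine.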