unraid-docker-manager/.planning/phases/07-socket-security/07-03-PLAN.md

phase, plan, type, wave, depends_on, files_modified, autonomous, must_haves

phase	plan	type	wave	depends_on	files_modified	autonomous	must_haves
07-socket-security	03	execute	2	07-01		true	truths artifacts key_links Exec API endpoint returns 403 Forbidden Build API endpoint returns 403 Forbidden Create (new container) API endpoint returns 403 Forbidden from to via pattern n8n/curl docker-socket-proxy:2375 blocked endpoints 403 Forbidden

Verify that dangerous Docker APIs are blocked by the proxy.

Purpose: Confirm SEC-03 requirement - socket proxy blocks dangerous APIs (exec, create, build). Output: Documented proof that blocked endpoints return 403 Forbidden.

<execution_context> @/home/luc/.claude/get-shit-done/workflows/execute-plan.md @/home/luc/.claude/get-shit-done/templates/summary.md </execution_context>

@.planning/PROJECT.md @.planning/ROADMAP.md @.planning/STATE.md @.planning/phases/07-socket-security/07-CONTEXT.md @.planning/phases/07-socket-security/07-RESEARCH.md @.planning/phases/07-socket-security/07-01-SUMMARY.md Task 1: Test Blocked Endpoints Return 403 None (verification only) Test that the proxy correctly blocks dangerous Docker API endpoints.

**Test each blocked endpoint:**

1. **Exec (EXEC=0)** - Attempt to create an exec instance:
   ```
   curl -s -o /dev/null -w "%{http_code}" -X POST 'http://docker-socket-proxy:2375/v1.47/containers/[any-container-id]/exec' -H "Content-Type: application/json" -d '{"Cmd":["echo","test"]}'
   ```
   Expected: 403

2. **Build (BUILD=0)** - Attempt to build an image:
   ```
   curl -s -o /dev/null -w "%{http_code}" -X POST 'http://docker-socket-proxy:2375/v1.47/build'
   ```
   Expected: 403

3. **Commit (COMMIT=0)** - Attempt to commit a container:
   ```
   curl -s -o /dev/null -w "%{http_code}" -X POST 'http://docker-socket-proxy:2375/v1.47/commit?container=[any-container-id]'
   ```
   Expected: 403

**Note:** These tests should be run from inside the n8n container to verify the proxy is blocking correctly from the same network context.

If tests can't be run from n8n directly, document that proxy defaults block these endpoints (tecnativa proxy blocks by default when env vars are 0 or unset).

All three blocked endpoints return HTTP 403 status code SEC-03 verified: exec, build, and commit endpoints blocked with 403 Task 2: Document Security Configuration None (documentation in SUMMARY) Document the security posture achieved:

**Allowed operations:**
- List containers (GET /containers/json)
- Inspect container (GET /containers/{id}/json)
- Start container (POST /containers/{id}/start)
- Stop container (POST /containers/{id}/stop)
- Restart container (POST /containers/{id}/restart)
- Remove container (DELETE /containers/{id})
- List images (GET /images/json)
- Inspect image (GET /images/{id}/json)
- Pull image (POST /images/create)
- Create container (POST /containers/create)
- Get logs (GET /containers/{id}/logs)

**Blocked operations:**
- Execute commands inside containers (POST /containers/{id}/exec)
- Build images (POST /build)
- Commit containers to images (POST /commit)
- Manage secrets (POST /secrets/*)
- Authentication operations

**Security benefit:**
Even if n8n is compromised, an attacker cannot:
- Execute arbitrary commands inside containers (no container escape)
- Build malicious images
- Access Docker secrets

Documentation captured in plan summary Security posture documented for SEC-03 1. Exec endpoint returns 403 2. Build endpoint returns 403 3. Commit endpoint returns 403 4. Security documentation complete

<success_criteria>

• All three dangerous endpoints confirmed blocked
• Security posture documented </success_criteria>

After completion, create `.planning/phases/07-socket-security/07-03-SUMMARY.md`