f539bcbba4
Phase 07: Socket Security - 3 plan(s) in 2 wave(s) - Wave 1: 07-01 (deploy proxy - checkpoint) - Wave 2: 07-02 (migrate workflow), 07-03 (verify blocking) - parallel - Ready for execution Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
137 lines
4.2 KiB
Markdown
---
phase: 07-socket-security
plan: 03
type: execute
wave: 2
depends_on: ["07-01"]
files_modified: []
autonomous: true

must_haves:
  truths:
    - "Exec API endpoint returns 403 Forbidden"
    - "Build API endpoint returns 403 Forbidden"
    - "Create (new container) API endpoint returns 403 Forbidden"
  artifacts: []
  key_links:
    - from: "n8n/curl"
      to: "docker-socket-proxy:2375"
      via: "blocked endpoints"
      pattern: "403 Forbidden"
---

<objective>
Verify that dangerous Docker APIs are blocked by the proxy.

Purpose: Confirm SEC-03 requirement - socket proxy blocks dangerous APIs (exec, create, build).
Output: Documented proof that blocked endpoints return 403 Forbidden.
</objective>

<execution_context>
@/home/luc/.claude/get-shit-done/workflows/execute-plan.md
@/home/luc/.claude/get-shit-done/templates/summary.md
</execution_context>

<context>
@.planning/PROJECT.md
@.planning/ROADMAP.md
@.planning/STATE.md
@.planning/phases/07-socket-security/07-CONTEXT.md
@.planning/phases/07-socket-security/07-RESEARCH.md
@.planning/phases/07-socket-security/07-01-SUMMARY.md
</context>

<tasks>

<task type="auto">
<name>Task 1: Test Blocked Endpoints Return 403</name>
<files>None (verification only)</files>
<action>
Test that the proxy correctly blocks dangerous Docker API endpoints.

**Test each blocked endpoint:**

1. **Exec (EXEC=0)** - Attempt to create an exec instance:
   ```
   curl -s -o /dev/null -w "%{http_code}" -X POST 'http://docker-socket-proxy:2375/v1.47/containers/[any-container-id]/exec' -H "Content-Type: application/json" -d '{"Cmd":["echo","test"]}'
   ```
   Expected: 403

2. **Build (BUILD=0)** - Attempt to build an image:
   ```
   curl -s -o /dev/null -w "%{http_code}" -X POST 'http://docker-socket-proxy:2375/v1.47/build'
   ```
   Expected: 403

3. **Commit (COMMIT=0)** - Attempt to commit a container:
   ```
   curl -s -o /dev/null -w "%{http_code}" -X POST 'http://docker-socket-proxy:2375/v1.47/commit?container=[any-container-id]'
   ```
   Expected: 403

**Note:** These tests should be run from inside the n8n container to verify the proxy is blocking correctly from the same network context.

If tests can't be run from n8n directly, document that proxy defaults block these endpoints (tecnativa proxy blocks by default when env vars are 0 or unset).
</action>
<verify>
All three blocked endpoints return HTTP 403 status code
</verify>
<done>SEC-03 verified: exec, build, and commit endpoints blocked with 403</done>
</task>
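
The three checks in Task 1 combined into one script, as an added example that is not part of the original plan: it adds a positive control against `GET /containers/json`, which the plan lists as allowed, and treats a missing HTTP response (`000`) or any status other than 403 as a failure instead of a pass. The `PROXY`, `API`, `CID` and `RUN_CHECKS` variables and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: SEC-03 check with a positive control. Variable and function names are assumptions.
PROXY="${PROXY:-http://docker-socket-proxy:2375}"  # proxy address used in the plan
API="${API:-v1.47}"                                # API version used in the plan
CID="${CID:-000000000000}"                         # constructed placeholder container id

# probe METHOD PATH: print the HTTP status; curl prints 000 when no response arrives.
probe() {
  body=''
  if [ "$1" = POST ]; then body='{}'; fi
  curl -s -o /dev/null -w '%{http_code}' --max-time 5 -X "$1" \
    -H 'Content-Type: application/json' ${body:+-d "$body"} "$PROXY/$API$2" || true
}

# classify CODE: map a status code to a verdict.
classify() {
  case "$1" in
    403) echo BLOCKED ;;      # the proxy refused the request
    000) echo UNREACHABLE ;;  # no HTTP response: inconclusive, never a pass
    *)   echo NOT_BLOCKED ;;  # any other status (e.g. 404 for an unknown id) is not a refusal
  esac
}

# verify_blocked: return 0 only if the control passes and all three endpoints are BLOCKED.
verify_blocked() {
  rc=0
  # Positive control: listing containers is an allowed operation in the plan, so 200
  # shows the proxy is reachable and that 403 is not a blanket deny.
  ctl=$(probe GET /containers/json)
  if [ "$ctl" != 200 ]; then echo "control GET /containers/json -> $ctl (expected 200)"; rc=1; fi
  for path in "/containers/$CID/exec" "/build" "/commit?container=$CID"; do
    code=$(probe POST "$path")
    verdict=$(classify "$code")
    echo "POST $path -> $code $verdict"
    if [ "$verdict" != BLOCKED ]; then rc=1; fi
  done
  return "$rc"
}

# Runs only on request, e.g. RUN_CHECKS=1 sh verify.sh from inside the n8n container.
if [ "${RUN_CHECKS:-0}" = 1 ]; then verify_blocked; fi
```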

<task type="auto">
<name>Task 2: Document Security Configuration</name>
<files>None (documentation in SUMMARY)</files>
<action>
Document the security posture achieved:

**Allowed operations:**
- List containers (GET /containers/json)
- Inspect container (GET /containers/{id}/json)
- Start container (POST /containers/{id}/start)
- Stop container (POST /containers/{id}/stop)
- Restart container (POST /containers/{id}/restart)
- Remove container (DELETE /containers/{id})
- List images (GET /images/json)
- Inspect image (GET /images/{id}/json)
- Pull image (POST /images/create)
- Create container (POST /containers/create)
- Get logs (GET /containers/{id}/logs)

**Blocked operations:**
- Execute commands inside containers (POST /containers/{id}/exec)
- Build images (POST /build)
- Commit containers to images (POST /commit)
- Manage secrets (POST /secrets/*)
- Authentication operations

**Security benefit:**
Even if n8n is compromised, an attacker cannot:
- Execute arbitrary commands inside containers (no container escape)
- Build malicious images
- Access Docker secrets
</action>
<verify>
Documentation captured in plan summary
</verify>
<done>Security posture documented for SEC-03</done>
</task>

</tasks>

<verification>
1. Exec endpoint returns 403
2. Build endpoint returns 403
3. Commit endpoint returns 403
4. Security documentation complete
</verification>

<success_criteria>
- All three dangerous endpoints confirmed blocked
- Security posture documented
</success_criteria>

<output>
After completion, create `.planning/phases/07-socket-security/07-03-SUMMARY.md`
</output>