Summary
User-supplied dockerargs values from config files are passed directly to docker run/docker exec without any validation. This allows injecting dangerous Docker flags.
Location
entrypoint.sh lines 55, 81
Attack Vector
A config file with crafted dockerargs can inject flags such as:
--privileged — full host device access-v /:/host — mount the host filesystem--cap-add SYS_ADMIN — elevated capabilities--network=host — access host network stack
Any of these can lead to complete host compromise from within the container.
Recommended Fix
Implement an allowlist of safe Docker flags, or validate and reject known dangerous flags before passing dockerargs to Docker commands.
# Example: reject dangerous flags
if echo "${DOCKERARGS}" | grep -qE '(--privileged|--cap-add|--device)'; then
echo "Error: disallowed dockerargs detected"
exit 1
fiSeverity
High
Summary
User-supplied
dockerargsvalues from config files are passed directly todocker run/docker execwithout any validation. This allows injecting dangerous Docker flags.Location
entrypoint.shlines 55, 81Attack Vector
A config file with crafted
dockerargscan inject flags such as:--privileged— full host device access-v /:/host— mount the host filesystem--cap-add SYS_ADMIN— elevated capabilities--network=host— access host network stackAny of these can lead to complete host compromise from within the container.
Recommended Fix
Implement an allowlist of safe Docker flags, or validate and reject known dangerous flags before passing
dockerargsto Docker commands.Severity
High