Security Issue With Service Access Across Organization Users


Introduction

As organizations grow, keeping access to their deployed services correctly scoped becomes increasingly important. Dokploy, a platform for managing and deploying services, is no exception. A security issue has been reported against Dokploy 0.21.8 in which users within the same organization can reach services they were never granted access to. This article describes the issue, the steps to reproduce it, and the expected behavior versus the current behavior.

Security Issue Overview

The issue lies in Dokploy's access control for services. Membership in the same organization is effectively treated as sufficient: a user who has been given access to a project, or who simply knows a service URL, can reach services within that organization that were never explicitly granted to them. The issue can be reproduced in two different ways, outlined below.

Method 1: Accessing an Inaccessible Service

To reproduce this issue, follow these steps:

Step 1: Create a Project in Dokploy

Create a new project. It will hold the service used for the test.

Step 2: Add a Service to the Project

Add a service (an application, database, or Docker Compose service) to the project. This is the service the second user should not be able to reach.

Step 3: Grant Access to Another User for Your Project

Grant a second user in the same organization access to the project, but do not grant them access to the service added in Step 2.

Step 4: Log in to Dokploy Using the Newly Granted User Account

Step 5: Navigate to the Assigned Project

Step 6: Refresh the Page Multiple Times

Step 7: Observe the User's Access to the Service

For a brief moment after a refresh, the restricted user has access to the service that should have been inaccessible to them.

Method 2: Direct URL Access

The issue can also be reproduced by opening a service URL directly. Follow these steps:

Step 1: Copy the URL of an Existing Service

While logged in as a user who can access a service, copy the URL of that service's page.

Step 2: Open the URL While Logged into Another Account Within the Same Organization

Open the copied URL in a session belonging to a different account in the same organization that has not been granted access to that service.

Step 3: Notice the Service's Accessibility

The service page loads and is usable, even though the account has no explicit permission for it.

Step 4: Use the Navigation Path to Return to the Project

Follow the navigation path (breadcrumb) from the service page back to its parent project.

Step 5: Observe the Accessibility of Other Services Within the Project

All other services within the project are now listed and accessible to that account as well.
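Both reproduction methods above reduce to the same server-side question: is "same organization" being accepted where "explicit grant for this service" was required? The following TypeScript is an added example, not Dokploy's own code, showing a weak lookup that only checks organization membership beside a hardened one that resolves organization, project grant and service grant on every request and also filters project listings on the server. The users, projects, services and the two grant tables are constructed for the illustration; Dokploy's real data model and permission tables are not represented here.

```typescript
// Added example, not Dokploy's own code. Users, projects, services and the
// grant tables below are constructed to model the issue: a member granted a
// project but not one of its services must not reach that service by any route.

type Role = "owner" | "member";
interface User { id: string; organizationId: string; role: Role; }
interface Service { id: string; projectId: string; name: string; }

// Constructed data: two projects in org-A, three services.
const projectOrg: Record<string, string> = { "proj-1": "org-A", "proj-2": "org-A" };
const services: Service[] = [
  { id: "svc-api", projectId: "proj-1", name: "api" },
  { id: "svc-db", projectId: "proj-1", name: "postgres" },
  { id: "svc-web", projectId: "proj-2", name: "web" },
];
// Hypothetical explicit grant tables per user: project-level and service-level.
const projectGrants: Record<string, Set<string>> = { "u-bob": new Set(["proj-1"]) };
const serviceGrants: Record<string, Set<string>> = { "u-bob": new Set(["svc-api"]) };

const alice: User = { id: "u-alice", organizationId: "org-A", role: "owner" };
const bob: User = { id: "u-bob", organizationId: "org-A", role: "member" }; // granted proj-1 and svc-api only
const eve: User = { id: "u-eve", organizationId: "org-B", role: "member" };  // different organization

// Weak check: treats "same organization" as sufficient. Anyone in org-A who
// knows a service URL (Method 2 on this page) gets the service back.
function getServiceWeak(user: User, serviceId: string): Service | null {
  const svc = services.find((s) => s.id === serviceId);
  if (!svc) return null;
  return projectOrg[svc.projectId] === user.organizationId ? svc : null;
}

// Hardened check: organization, then project grant, then service grant, evaluated
// on every request regardless of how the caller reached the URL. Owners bypass
// the grant tables; members need both grants.
function canAccessService(user: User, svc: Service): boolean {
  if (projectOrg[svc.projectId] !== user.organizationId) return false;
  if (user.role === "owner") return true;
  const hasProject = projectGrants[user.id]?.has(svc.projectId) ?? false;
  const hasService = serviceGrants[user.id]?.has(svc.id) ?? false;
  return hasProject && hasService;
}

function getServiceHardened(user: User, serviceId: string): Service | null {
  const svc = services.find((s) => s.id === serviceId);
  // Same null for unknown and forbidden so the ID space is not enumerable.
  if (!svc || !canAccessService(user, svc)) return null;
  return svc;
}

// Project listing filtered on the server: the client never receives a service
// it cannot open, so there is no unfiltered list that could be rendered, even
// briefly, on a refresh (the symptom seen in Method 1 on this page).
function listProjectServices(user: User, projectId: string): Service[] {
  return services.filter((s) => s.projectId === projectId && canAccessService(user, s));
}

// Side-by-side demonstration of the two checks for the restricted member.
function demo(): string[] {
  return [
    `weak:     bob -> svc-db    = ${getServiceWeak(bob, "svc-db")?.name ?? "denied"}`,
    `hardened: bob -> svc-db    = ${getServiceHardened(bob, "svc-db")?.name ?? "denied"}`,
    `hardened: bob -> svc-api   = ${getServiceHardened(bob, "svc-api")?.name ?? "denied"}`,
    `hardened: bob lists proj-1 = ${listProjectServices(bob, "proj-1").map((s) => s.name).join(",")}`,
  ];
}
console.log(demo().join("\n"));
```

The point of the hardened version is that the decision is made per request from the authoritative grant tables, never from how the page was reached or from whatever the client already has cached, and that the list endpoint applies the same predicate so the UI cannot show a service the user cannot open.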

Current vs. Expected Behavior

The expected behavior is that a user within the same organization can only open a service they have been explicitly granted, regardless of whether they reach it through the project view or through a direct URL. The current behavior is that project-level access (Method 1) or knowledge of a service URL (Method 2) is enough to reach services that were never granted to that user.

Environment Information

The environment information for this issue is as follows:

  • Dokploy version: 0.21.8

Which Area(s) are Affected?

The areas affected by this issue are:

  • Application
  • Databases
  • Docker Compose
  • Cloud Version

Are You Deploying the Applications Where Dokploy is Installed or on a Remote Server?

The applications are being deployed on the same server where Dokploy is installed.

Additional Context

For additional context, refer to the recording attached to the GitHub issue: https://github.com/user-attachments/assets/0a5c8905-fb15-4e86-91e9-e8b800c0a538

Will You Send a PR to Fix It?

Yes, we will send a PR to fix this issue, but we need help to resolve it.

Introduction

In our previous article, we discussed the security issue with service access across organization users in Dokploy. This issue has raised concerns about the security and integrity of services in Dokploy. In this article, we will provide a Q&A section to address some of the frequently asked questions about this issue.

Q: What is the security issue with service access across organization users in Dokploy?

A: The security issue with service access across organization users in Dokploy is that users within the same organization can access services that they should not have access to, even if they do not have explicit permission.

Q: How can I reproduce this issue?

A: You can reproduce this issue using two different methods:

  1. Method 1: Accessing an Inaccessible Service
    • Create a project in Dokploy.
    • Add a service to the project.
    • Grant access to another user for your project (but not the service).
    • Log in to Dokploy using the newly granted user account.
    • Navigate to the assigned project.
    • Refresh the page multiple times.
    • Observe that, for a brief moment after a refresh, the user has access to a service that should have been inaccessible.
  2. Method 2: Direct URL Access
    • Copy the URL of an existing service.
    • Open this URL while logged into another account within the same organization.
    • Notice that the service is accessible despite the account not having explicit permission.
    • Use the navigation path to return to the project.
    • Observe that all other services within the project become visible and accessible.

Q: What is the expected behavior versus the current behavior?

A: The expected behavior is that a user within the same organization can only open a service they have been explicitly granted, whether they reach it through the project view or through a direct URL. The current behavior is that project-level access or knowledge of a service URL is enough to reach services that were never granted to that user.

Q: Which areas are affected by this issue?

A: The areas affected by this issue are:

  • Application
  • Databases
  • Docker Compose
  • Cloud Version

Q: Are you deploying the applications where Dokploy is installed or on a remote server?

A: The applications are being deployed on the same server where Dokploy is installed.

Q: What is the environment information for this issue?

A: The environment information for this issue is as follows:

  • Dokploy version: 0.21.8

Q: Will you send a PR to fix this issue?

A: Yes, we will send a PR to fix this issue, but we need help to resolve it.

Q: What is the additional context for this issue?

A: For additional context, refer to the recording attached to the GitHub issue: https://github.com/user-attachments/assets/0a5c8905-fb15-4e86-91e9-e8b800c0a538

Conclusion

In conclusion, the security issue with service access across organization users in Dokploy is a critical concern that needs to be addressed. We hope that this Q&A article has provided useful insight into the issue and has helped raise awareness of the importance of per-service access control in Dokploy. We look forward to working with the Dokploy community to resolve this issue and ensure the security and integrity of services in Dokploy.