Possible Injection-attack Vulnerability

[LockedThread]

Someone might be able to do a command line injection attack against your system here:

lootcode/src/server/api/routers/docker.ts

Line 21 in 4b49b2d

await $`docker run --network none --name ${ctx.userId}${input.name} --rm -i -d -v ${codePathFolder}:/app/ -v ${problemPathInput}:/app/inputs/:ro code-runner`;

. I suggest validating the input.name field as you can send plaintext for that. I am not sure if zx stops inline bash commands.

[LockedThread]

I found this project recently, might be useful to you guys.

[MelonFruit7]

Input.name represents the problem name of the problem the user is working on, it's not something they can alter. Thanks for the project suggestion, we'll take a look at it :)

[LockedThread]

Go check your logs for a container that just started called user_2h7ABRtX6KI9hRvLTJktTbyTQfXtraversal_i_joemama.

[MelonFruit7]

Doesn't seem like that exists

[MelonFruit7]

Nvm they're still running on the server, that's why they aren't in logs 😟