Introduced DELETE=1 with granular per-endpoint delete controls #161
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
@josep-tecnativa , @pedrobaeza - Can anyone of you please review or suggest changes for the approach for this PR, once you get some time? Many thanks! |
|
@josep-tecnativa - Did you get a chance to look at this PR? |
|
Sorry for the late review, and thanks for this improvement — the change makes sense and looks good to me. From our side, we don’t need to adjust anything to keep our current setup working as usual. It would just be nice to update the README to reflect the new DELETE behavior. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What and Why?
Previously, enabling
POST=1allowed all write operations, not just literal HTTP POST calls.This meant that destructive operations like
DELETEwere implicitly permitted wheneverPOST=1was set — which was dangerous, since any malicious container/service could trigger deletes.This change introduces:
A new global flag
DELETE=1to explicitly control delete operations.Granular per-endpoint delete toggles:
ALLOW_IMAGES_DELETEALLOW_NETWORKS_DELETEALLOW_CONTAINERS_DELETENow, a delete request is only allowed if:
DELETE=1is set, andthe relevant per-endpoint delete flag is also enabled.
This ensures
DELETEaccess cannot be accidentally granted byPOST=1anymore, closing the privilege escalation gap.Next steps
If approved, this design will be extended to other sensitive endpoints (e.g. secrets, configs, etc.) to provide consistent, fine-grained access control.