Merge pull request #27 from nextcloud/fix/ban-word-privileged

oleksandr-nc · web-flow · commit f0dd732a0c15 · 2025-03-21T10:58:44.000+03:00
temporary workaround: ban Privileged word for container creation
diff --git a/haproxy.cfg.template b/haproxy.cfg.template
@@ -127,8 +127,8 @@ backend docker_engine_backend
     acl type_not_volume req.body -m reg -i "\"Mounts\":\s*\[[^\]]*(\"Type\":\s*\"(?!volume\b)\w+\"[^\]]*)+\]"
     http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/create } nc_app_container_name !one_mount_volume binds_present type_not_volume METH_POST
 
-    # ACL to restrict container creation, that it has HostConfig.Privileged not set
-    acl no_privileged_flag req.body -m reg -i "\"HostConfig\":\s?{[^}]*\"Privileged\""
+    # ACL to restrict container creation, that it has HostConfig.Privileged(by searching for "Privileged" word in all payload) not set
+    acl no_privileged_flag req.body -m reg -i "\"Privileged\""
     # ACL to allow mount volume with strict pattern for name: nc_app_[a-zA-Z0-9_.-]+_data
     acl nc_app_volume_data_only req.body -m reg -i "\"Mounts\":\s?\[\s?{[^}]*\"Source\":\s?\"nc_app_[a-zA-Z0-9_.-]+_data\""
     http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/create } nc_app_container_name !no_privileged_flag nc_app_volume_data_only METH_POST
