Security Audit Report

Security Audit Report

Application: Container Monkey
Version: 0.4.0
Audit Date: 16/12/2025

Audit Type: Comprehensive Security Review

Executive Summary

This security audit was conducted to assess the overall security posture of the Container Monkey application. The audit examined authentication mechanisms, input validation, injection vulnerabilities, path traversal protection, XSS prevention, CSRF protection, information disclosure, and other security controls.

Overall Security Posture: STRONG ✅

  • Critical Issues: 0
  • High Priority Issues: 0
  • Medium Priority Issues: 0
  • Low Priority / Informational: 2

The application demonstrates robust security controls across all major vulnerability categories. All previously identified security issues have been addressed and resolved.

Critical Issues

None Found

No critical security vulnerabilities were identified during this audit.

High Priority Issues

None Found

No high-priority security vulnerabilities were identified during this audit.

Medium Priority Issues

None Found

No medium-priority security vulnerabilities were identified during this audit.

Low Priority / Informational

1. File Upload Size Limit

  • Location: /api/upload-backup (line 1243 in app.py)
  • Issue: No MAX_CONTENT_LENGTH configured for file uploads
  • Risk: Potential DoS via large file uploads
  • Recommendation: Consider setting app.config['MAX_CONTENT_LENGTH'] = 16 1024 1024 (16MB) or appropriate limit based on use case
  • Status: Informational (user requested to skip this)

2. SQL Query Construction (Informational)

  • Location: audit_log_manager.py (line 139), database_manager.py (line 119)
  • Issue: F-strings used in SQL query construction
  • Analysis:

- audit_log_manager: WHERE clauses are built from hardcoded strings with parameterized values - SAFE - database_manager: Uses predefined table/column names from a list - SAFE

  • Status: No action needed - implementation is secure

Security Strengths

1. Authentication and Authorization ✅

Status: Excellent

  • All API routes protected by require_login() middleware
  • Console routes (/console/) protected
  • @login_required decorator applied to sensitive endpoints
  • Session management with secure cookie settings:

- SESSION_COOKIE_HTTPONLY = True (XSS protection) - SESSION_COOKIE_SAMESITE = 'Lax' (CSRF protection) - SESSION_COOKIE_SECURE set dynamically based on HTTPS detection

  • Session lifetime: 1 day
  • Only the following routes are publicly accessible:

- /api/login (POST) - with rate limiting (5 requests/minute) - /api/logout (POST) - /api/auth-status (GET) - /api/backup-progress/ (GET) - for progress tracking - / (GET) - main page - /static/ - static assets

2. Input Validation ✅

Status: Comprehensive

All user inputs are validated before processing:

  • Container ID Validation:

- Validates hex ID format (1-64 chars) or container name pattern - Blocks dangerous characters (\x00, \r, \n, ;, &, |, ` `, $, (, ), <, >, spaces, tabs) - Prevents path traversal (..) - Applied to all container operation routes

  • Volume Name Validation:

- Validates Docker name pattern: [a-zA-Z0-9][a-zA-Z0-9_.-] - Blocks dangerous characters and path traversal - Applied to all volume operation routes

  • Network ID Validation:

- Validates hex ID or network name format - Blocks dangerous characters and path traversal - Applied to network management routes

  • Image ID Validation:

- Validates hex ID (with optional sha256: prefix) or image name - Supports registry/repo:tag format - Blocks dangerous characters and path traversal - Applied to image deletion route

  • Stack Name Validation:

- Validates Docker name pattern - Blocks dangerous characters and path traversal - Applied to stack deletion route

  • Progress/Session ID Validation:

- Validates UUID-like format (alphanumeric with hyphens) - Blocks dangerous characters - Applied to backup progress and download-all routes

  • Query Parameter Validation:

- limit, offset, tail, since, until validated with type checking and bounds - Prevents injection via query parameters - Applied to logs, events, and audit-logs routes

  • Filename Validation:

- Uses secure_filename() and explicit checks - Blocks path traversal (.., /, \) - Applied to all backup file operations

  • Working Directory Validation:

- Comprehensive path validation for container exec operations - Detects URL-encoded path traversal patterns - Ensures absolute paths only - Applied to container exec route

  • UI Setting Key Validation:

- Validates setting key format: [a-zA-Z0-9_.-]+ - Blocks dangerous characters - Applied to UI settings routes

  • Container ID List Validation:

- Validates all container IDs in scheduler configuration - Applied to scheduler config route

3. Path Traversal Protection ✅

Status: Excellent

  • Volume Path Validation:

- Comprehensive _validate_volume_path() function - Detects encoded attack patterns (%2e%2e, ..%2f, etc.) - URL decoding before validation - Path normalization with boundary checks - Applied to explore_volume, get_volume_file, download_volume_file

  • File Download Security:

- Uses secure_filename() for initial sanitization - Explicit checks for path traversal patterns - os.path.realpath() checks to ensure files stay within allowed directories - Validates against both backup_dir and temp_dir

  • Working Directory Security:

- Validates working directory paths before passing to Docker - Prevents escaping container filesystem boundaries - URL encoding detection

4. XSS (Cross-Site Scripting) Protection ✅

Status: Excellent

  • Template Escaping:

- {{ container_name|e }} - HTML escaping in console.html - {{ container_id|tojson }} - Safe JSON embedding in JavaScript contexts - All user-controlled data properly escaped

  • CSRF Protection:

- Flask-WTF CSRF protection enabled - CSRF tokens included in frontend requests - Login endpoint exempted (creates new session)

5. Command Injection Prevention ✅

Status: Excellent

  • Container Exec Security:

- Commands sanitized using shlex.quote() before execution - Prevents shell injection attacks - Commands with shell operators (&&, |, ;) are safely escaped - Container ID validated before execution - Working directory uses Docker's native -w flag (no shell-based cd)

  • Subprocess Security:

- All subprocess calls use shell=False - No unsafe shell=True fallbacks - Command structure validation before execution - Timeout limits on subprocess operations

6. SQL Injection Prevention ✅

Status: Excellent

  • Parameterized Queries:

- All database queries use parameterized statements with ? placeholders - No string concatenation in SQL queries - User input never directly interpolated into SQL

  • Query Construction:

- F-strings only used for safe query construction (hardcoded strings) - WHERE clauses built from hardcoded strings with parameterized values - Table/column names from predefined lists

Examples:

# ✅ SAFE - Parameterized query

cursor.execute('SELECT password_hash FROM users WHERE username = ?', (username,))


✅ SAFE - Hardcoded WHERE clause construction


where_clauses.append("operation_type = ?") params.append(operation_type) where_clause = " WHERE " + " AND ".join(where_clauses)

7. Information Disclosure Prevention ✅

Status: Excellent

  • Error Handling:

- safe_log_error() function used throughout codebase - Full stack traces only shown in debug mode - Generic error messages returned to users in production - Prevents exposure of file paths, code structure, and internal system details

  • S3 Credentials Security:

- S3 secret keys never returned in API responses - Masked with placeholder when retrieved - Secret keys only transmitted when explicitly changed by user

  • Error Messages:

- Generic error messages prevent information disclosure - No sensitive system information exposed in error responses

8. CSRF (Cross-Site Request Forgery) Protection ✅

Status: Excellent
  • Flask-WTF CSRF protection enabled globally
  • CSRF tokens included in frontend JavaScript
  • All POST/PUT/DELETE requests require valid CSRF token
  • Login endpoint exempted (creates new session)
  • Session cookies use SameSite=Lax for additional protection

9. Rate Limiting ✅

Status: Good
  • Login Endpoint:

- Rate limited to 5 requests per minute - Prevents brute force attacks

  • Other Endpoints:

- Default rate limiting applied - Stats endpoints exempted for functionality (frequently polled)

10. Session Security ✅

Status: Excellent
  • Cookie Security:

- SESSION_COOKIE_HTTPONLY = True - Prevents JavaScript access (XSS protection) - SESSION_COOKIE_SAMESITE = 'Lax' - CSRF protection - SESSION_COOKIE_SECURE set dynamically based on HTTPS detection - Works with both HTTP and HTTPS deployments

  • Session Management:

- Session lifetime: 1 day - Secure session key generation: secrets.token_hex(32) - Session cleared on logout

Security Controls Summary

| Control Category | Status | Notes | |-----------------|--------|-------| | Authentication | ✅ Excellent | All routes protected, secure session management | | Authorization | ✅ Excellent | Proper access controls in place | | Input Validation | ✅ Comprehensive | All inputs validated with appropriate checks | | Path Traversal | ✅ Excellent | Comprehensive validation with encoded pattern detection | | XSS Protection | ✅ Excellent | Template escaping and safe JSON embedding | | Command Injection | ✅ Excellent | shlex.quote() and secure subprocess calls | | SQL Injection | ✅ Excellent | Parameterized queries throughout | | CSRF Protection | ✅ Excellent | Flask-WTF CSRF enabled | | Information Disclosure | ✅ Excellent | Safe error handling, no sensitive data exposure | | Rate Limiting | ✅ Good | Login endpoint protected, others have defaults | | Session Security | ✅ Excellent | Secure cookies with dynamic HTTPS detection |

Recommendations

Immediate Actions

None Required - All critical and high-priority issues have been addressed.

Optional Enhancements

  1. File Upload Size Limit (Optional):

- Consider adding app.config['MAX_CONTENT_LENGTH'] = 16 1024 * 1024` (16MB) or appropriate limit - Only needed if large file uploads are a concern for your deployment

  1. Ongoing Security:

- Continue monitoring for new vulnerabilities as the codebase evolves - Consider periodic security audits when adding new features - Keep dependencies up to date

Conclusion

The Container Monkey application (version 0.4.0) demonstrates strong security controls across all major vulnerability categories. All previously identified security issues have been addressed and resolved. The application implements:

  • Comprehensive input validation
  • Strong authentication and authorization
  • Effective protection against common web vulnerabilities (XSS, CSRF, SQL injection, command injection, path traversal)
  • Secure error handling to prevent information disclosure
  • Proper session management

The application is secure and ready for production use.

Audit Methodology

This audit examined:

  1. Authentication & Authorization: Route protection, session management, access controls
  2. Input Validation: All route parameters, query strings, and request bodies
  3. Injection Vulnerabilities: SQL injection, command injection, path traversal
  4. XSS Protection: Template escaping, safe JavaScript embedding
  5. CSRF Protection: Token validation, SameSite cookies
  6. Information Disclosure: Error messages, sensitive data exposure
  7. File Upload Security: Validation, sanitization, path checks
  8. Rate Limiting: Brute force protection
  9. Session Security: Cookie settings, secure flag, HttpOnly, SameSite

All findings were verified through code review and analysis of the application's security controls.

Report Generated: 16/12/2025

Version Audited: 0.4.0
Next Review: Recommended when major features are added or security concerns arise