fix(container): prevent user from editing the portainer container it self EE-917 (#6093)

* fix(container): prevent from editing portainer container * fix(container): prevent from editing portainer container * Missing kill operation * fix(container): enhance creating stack from template * fix(docker): prevent user from editing the portainer container itself EE-917 * fix(docker): enhance code style * fix(container): fix issues from code review * fix(container): enhance creating stack from template * fix(container): some code review issues * fix(container): disable leave network when the container is portainer * fix(container): disable leave network when the container is portainer
2025-07-19 13:29:41 +02:00 · 2021-12-02 08:41:05 +08:00 · 2021-12-02 08:41:05 +08:00 · 42e782452c
commit 42e782452c
parent d2fe76368a
9 changed files with 74 additions and 13 deletions
--- a/api/http/handler/endpointproxy/proxy_docker.go
+++ b/api/http/handler/endpointproxy/proxy_docker.go
@ -52,9 +52,9 @@ func (handler *Handler) proxyRequestsToDockerAPI(w http.ResponseWriter, r *http.

 	id := strconv.Itoa(endpointID)

-	prefix := "/" + id + "/agent/docker";
+	prefix := "/" + id + "/agent/docker"
 	if !strings.HasPrefix(r.URL.Path, prefix) {
-		prefix = "/" + id + "/docker";
+		prefix = "/" + id + "/docker"
 	}

 	http.StripPrefix(prefix, proxy).ServeHTTP(w, r)
--- a/api/http/proxy/factory/docker/containers.go
+++ b/api/http/proxy/factory/docker/containers.go
@ -69,6 +69,11 @@ func (transport *Transport) containerListOperation(response *http.Response, exec
 		}
 	}

+	responseArray, err = transport.applyPortainerContainers(responseArray)
+	if err != nil {
+		return err
+	}
+
 	return utils.RewriteResponse(response, responseArray, http.StatusOK)
 }

@ -88,6 +93,8 @@ func (transport *Transport) containerInspectOperation(response *http.Response, e
 		labelsObjectSelector:        selectorContainerLabelsFromContainerInspectOperation,
 	}

+	responseObject, _ = transport.applyPortainerContainer(responseObject)
+
 	return transport.applyAccessControlOnResource(resourceOperationParameters, responseObject, response, executor)
 }

--- a/api/http/proxy/factory/docker/portainer.go
+++ b/api/http/proxy/factory/docker/portainer.go
@ -0,0 +1,42 @@
+package docker
+
+import (
+	"os"
+)
+
+var portainerContainerId string
+
+func init() {
+	// use hostname as the current  portainer id
+	// Reference issue: JIRA EE-917
+	// https://social.msdn.microsoft.com/Forums/en-US/5e5bff27-7511-4fb2-9ffa-207520d0ffb8/how-to-gain-windows-container-id-in-windows-container?forum=windowscontainers
+	// Because Windows container cannot obtain container ID from /proc/self/cgroups like linux container,
+	// as a workaround, we currently use hostname as container ID.
+	portainerContainerId, _ = os.Hostname()
+}
+
+func (transport *Transport) applyPortainerContainers(resources []interface{}) ([]interface{}, error) {
+	decoratedResourceData := make([]interface{}, 0)
+	for _, resource := range resources {
+		responseObject, ok := resource.(map[string]interface{})
+		if !ok {
+			decoratedResourceData = append(decoratedResourceData, resource)
+			continue
+		}
+		responseObject, _ = transport.applyPortainerContainer(responseObject)
+
+		decoratedResourceData = append(decoratedResourceData, responseObject)
+	}
+	return decoratedResourceData, nil
+}
+
+func (transport *Transport) applyPortainerContainer(resourceObject map[string]interface{}) (map[string]interface{}, error) {
+	resourceId, ok := resourceObject["Id"].(string)
+	if !ok {
+		return resourceObject, nil
+	}
+	if len(resourceId) >= 12 && resourceId[0:12] == portainerContainerId {
+		resourceObject["IsPortainer"] = true
+	}
+	return resourceObject, nil
+}