-
Notifications
You must be signed in to change notification settings - Fork 0
Security
romwil edited this page May 13, 2026
·
2 revisions
For the canonical security document in the main repo, see
docs/SECURITY.md. This wiki page summarizes the same ideas in prose.
Anyone who can use the Unraid web UI with permission to manage Docker can perform the actions exposed in UndockerUI. There is no separate UndockerUI password.
Treat UndockerUI + Unraid GraphQL + compose_api.php as full admin capability over:
- Container lifecycle and images.
- Files under allowed compose paths (read/write +
docker compose up -doutput as theemhttpuser).
-
GraphQL requests send
x-csrf-token(read from query, cookie patterns, or global as implemented in the SPA). -
compose_api.phpcompares the submitted token tocsrf_tokenin/var/local/emhttp/var.iniusinghash_equals.
- POST only, JSON body.
-
Path allowlist +
realpath()to prevent symlink escapes outside/mnt/user,/mnt/cache,/boot/config,/mnt/diskN. -
execonly fordocker compose -f <file> up -dwithescapeshellargon directory and filename.
-
Links (
href) and iconsrcare sanitized to blockjavascript:,data:, and protocol-relative//abuse from malicious template metadata. - Template edit URLs only allow plausible Unraid filesystem prefixes.
-
postMessagehandlers validateevent.originagainstwindow.location.origin.
undockerui.php embeds the CSRF token in the iframe query string so the SPA can read it when cookies are HttpOnly. That pattern can leak the token via Referer on navigations to third-party sites. Mitigations: HTTPS, strict Referrer-Policy on your reverse proxy, and avoiding external links from inside the SPA where possible.
Use GitHub Security Advisories for sensitive reports.