[Colima] 3-part port binding for docker run or docker-compose is not respected, so services can be exposed on network

[rfay]

Description

macOS 12.2 arm64, colima 0.3.2, limactl version 0.8.2, docker back-end

docker/docker-compose support a 3-part port-binding technique where the interface to bind to can be chosen explicitly. For example:

docker run -p 127.0.0.1:8080:80 --name nginx -d nginx

Given that example, you should be able to curl localhost:8080 on the system where you ran it, but you should not be able to connect from another interface. For example, if 10.211.55.2 is another interface, curl 10.211.55.2:8080 should fail.

This has very serious security implications for applications that are not supposed to bind to all interfaces, see

• colima integration: Ports are exposed to the host for world-wide exposure ddev/ddev#3560

When you bind to all interfaces (the default, 0.0.0.0) it typically means that any user on the local network can access any service running under lima.

To demonstrate this,

1. run the example nginx container: docker run -p 127.0.0.1:8080:80 --name nginx -d nginx
2. Connect from localhost, curl localhost:8080 - you'll see the default nginx output
3. Connect to another interface on your machine, curl 10.211.55.2:8080 for example, and it will also show the default nginx output. It should not.

You can repeat the same with any version of docker and you won't see this exposed behavior.

[AkihiroSuda]

Lima does not listen on 0.0.0.0 by default, but Colima does: https://github.com/abiosoft/colima/blob/ac876a5d9e4eda7d1d015896ebfbe1dd16b8c203/environment/vm/lima/yaml.go#L54-L63

Please report the issue to Colima.