How to prevent users from accessing the source code of my IDE running in a docker container?

Hello:
I’m running my ide in a docker container. I can use the terminal to access anything in this container. So, the source code of my IDE is accessable as well.

I tried the gitpod(online version) of gitlab. And I can access its source code too:

My point is that the frontend and backend of theia are not as separated as traditional web applications: people use http requests to get data from browser and can’t access backend source code.

Terminal is not the only way to access my source code in the container. Users can also use Open File to access the entire file system.

So, is there any way to prevent users from accessing the source code of my IDE such as using linux namespaces to limit the directories that users can access?

Really appreciate.

Hi @inlann!

Yes, the Theia frontend’s source code can be inspected and modified like in any other web application. However the Theia backend is running on the server and therefore can only be interacted with via it’s defined interfaces. The amount of effort needed to secure a Theia-based application depends on its use cases and who it’s made available to and how. When running a Theia application in a docker container all usual security considerations of running a Node backend in a cloud container apply, see for example this hardening guide for Kubernetes applications. Also, like you mentioned, you might want to restrict the capabilities of the Theia application, e.g.

  • only use authenticated communication (OAuth) between services
  • use a minimal image which only contains all required services
  • properly secure your container: avoid privileged containers and limit the resources available to them via appropriate user rights
  • evaluate the extensions that your application needs and remove unnecessary ones: e.g. disable the terminal access and task API if they are not needed or whitelist the commands that can be executed
  • disable the ability to install VS code extensions altogether or whitelist the extensions that should be possible to install
  • limit file system access to only expected directories

There are many more security considerations you’ll have to consider, I’m only scratching the surface here. However the fact that the client-side code of your application is visible is not considered a security flaw if the application itself is secure enough.

1 Like

Thank you very much for your reply and advice ! They are very helpful especially the limit file system access. I will try to implement them :grin:

Using Kubernetes to manage our Theia applications is also one of our future plans but as you say, there are still many security considerations.

We are going to make our Theia app more secure. And in this process, I will give feedback to the community in time if I have any good ideas. Thanks again!

2 Likes