From bca36aa482b6f62d49696f8fcb88bc46ed81d343 Mon Sep 17 00:00:00 2001
From: Chevdor
Date: Thu, 26 Aug 2021 14:19:07 +0200
Subject: [PATCH] fix: improve security of the docker container (#648)
* fix: improve security of the docker container
Co-authored-by: James Wilson
---
 Dockerfile | 1 +
 README.md | 6 ++++--
 docker-compose.yml | 3 ++-
 justfile | 39 +++++++++++++++++++++++++++++++++++++++
 4 files changed, 46 insertions(+), 3 deletions(-)
 create mode 100644 justfile
diff --git a/Dockerfile b/Dockerfile
index c58a2b3b0..ca24bab4d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -36,5 +36,6 @@ COPY --from=builder /opt/builder /usr/src/app
 ENV SAS_EXPRESS_PORT=8080
 ENV SAS_EXPRESS_BIND_HOST=0.0.0.0
+USER node
 EXPOSE ${SAS_EXPRESS_PORT}
 CMD [ "node", "build/src/main.js" ]
diff --git a/README.md b/README.md
index 52d7580e6..fcff97fc2 100644
--- a/README.md
+++ b/README.md
@@ -252,12 +252,14 @@ yarn build:docker
 ```bash
 # For default use run:
-docker run --rm -it -p 8080:8080 substrate-api-sidecar
+docker run --rm -it --read-only -p 8080:8080 substrate-api-sidecar
 # Or if you want to use environment variables set in `.env.docker`, run:
-docker run --rm -it --env-file .env.docker -p 8080:8080 substrate-api-sidecar
+docker run --rm -it --read-only --env-file .env.docker -p 8080:8080 substrate-api-sidecar
 ```
+**NOTE**: While you could omit the `--read-only` flag, it is **strongly recommended for containers used in production**.
+
 then you can test with:
 ```bash
diff --git a/docker-compose.yml b/docker-compose.yml
index d6ce6b507..beca92b0d 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -7,11 +7,12 @@ services:
 - ~/polkadot-data:/data
 # ports:
 # - "9944:9944"
- command: 'polkadot --chain polkadot --unsafe-ws-external --rpc-cors=all'
+ command: '--chain polkadot --unsafe-ws-external --rpc-cors=all'
 sidecar:
 # build: .
 image: docker.io/parity/substrate-api-sidecar:latest
+read_only: true
 ports:
 - "8080:8080"
 environment:
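Review bot: The added `USER node` assumes the base image already defines a `node` user; if it does not, the image would still build but the container would fail to start, and the earlier stages of the Dockerfile are outside this hunk so that cannot be confirmed here. Because the app tree copied by `COPY --from=builder /opt/builder /usr/src/app` stays root-owned, the switch makes the code immutable to the running process but also leaves it with no writable location under `/usr/src/app`, which is consistent with the `--read-only` guidance the same commit adds to the README. A one-line comment above the instruction would record the intent and the precondition: `# Drop privileges: run as the unprivileged 'node' user (provided by the base image); SAS_EXPRESS_PORT=8080 is above 1024, so no root is needed to bind it`.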
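Review bot: `read_only: true` on `sidecar` gives the container no writable path at all — no `tmpfs` is declared next to it — so any runtime write (temp files, on-disk logs) will fail; if the service needs scratch space, add `tmpfs: ["/tmp"]` beside it, otherwise a comment such as `# read_only: the service needs no writable filesystem; add tmpfs here if that changes` documents that the omission is deliberate. The rewritten `command` for the node service (its name is above the hunk) keeps `--unsafe-ws-external --rpc-cors=all`, which only stays contained while the `9944:9944` mapping above it remains commented out, so that dependency is worth stating on the `# ports:` line, e.g. `# keep unmapped: --unsafe-ws-external/--rpc-cors=all expose the node RPC to anything that can reach the port`. The node service itself is not made read-only; since a bind mount like `~/polkadot-data:/data` stays writable regardless of the flag, `read_only: true` could presumably be applied there too — worth confirming against how that image writes its state.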
diff --git a/justfile b/justfile
new file mode 100644
index 000000000..c82a9043f
--- /dev/null
+++ b/justfile
@@ -0,0 +1,39 @@
+default_repo := 'parity'
+image := 'substrate-api-sidecar'
+
+# List available commands
+_default:
+ just --choose --chooser "fzf +s -x --tac --cycle"
+
+# Shows the list of commands
+help:
+ just --list
+
+# Build the docker image
+docker-build repo=default_repo:
+ #!/usr/bin/env bash
+ echo Building {{image}} and taggin as {{repo}}:{{image}}
+ docker build -t {{image}} .
+ docker tag {{image}} {{repo}}/{{image}}
+ docker images | grep {{image}}
+
+# Publish the image after building it
+docker-publish repo=default_repo: (docker-build repo)
+ #!/usr/bin/env bash
+ echo Publishing {{repo}}:{{image}}
+ docker push {{repo}}:{{image}}
+
+# A few simple security checks on the docker image
+docker-test repo=default_repo:
+ #!/usr/bin/env bash
+ docker run -it -d --read-only --name {{image}} {{image}}
+ sleep 1
+
+ docker exec -it {{image}} sh -c 'if [[ $(whoami) = 'root' ]]; then echo "❌ Red wins"; else echo "✅ Red lost"; fi'
+ docker exec -it {{image}} sh -c 'touch malicious 2>/dev/null; if test -f malicious; then echo "❌ Red wins"; else echo "✅ Red lost"; fi'
+ docker exec -it {{image}} sh -c 'touch /tmp/malicious 2>/dev/null; if test -f /tmp/malicious; then echo "❌ Red wins"; else echo "✅ Red lost"; fi'
+ docker exec -it {{image}} sh -c 'echo ";;" >> /usr/src/app/build/src/main.js 2>/dev/null; if [ $? -eq 0 ]; then echo "❌ Red wins"; else echo "✅ Red lost"; fi'
+ docker exec -it {{image}} sh -c 'echo "

pawned

" >> /usr/src/app/index.html 2>/dev/null; if [ $? -eq 0 ]; then echo "❌ Red wins"; else echo "✅ Red lost"; fi'
+ docker exec -it {{image}} sh -c 'if rm /bin/sh 2>/dev/null; then echo "❌ Red wins"; else echo "✅ Red lost"; fi'
+
+ docker rm -f {{image}}
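Review bot: `docker-publish` pushes `{{repo}}:{{image}}`, but `docker-build` tagged the image as `{{repo}}/{{image}}`, so the push targets a repository literally named `parity` with tag `substrate-api-sidecar` that was never created; the push line should read `docker push {{repo}}/{{image}}`, and the echo in `docker-build` (`taggin as {{repo}}:{{image}}`) carries the same slash/colon mix-up plus a typo. Separately, `docker-test` always exits 0 because each check only echoes its verdict, so nothing can gate on it, and a `docker exec` that fails for any other reason skips the trailing `docker rm -f`, leaving the named container behind. The first check also nests `'root'` inside the single-quoted `sh -c` string (the inner quotes end and reopen the outer one, so it works only by accident) and relies on `[[`, which the image's `sh` may not support; `[ "$(id -u)" -eq 0 ]` is portable. A small `check` helper that records failures, a `trap` for cleanup and a final `exit $fail` make the recipe usable as a CI gate:

```just
docker-test repo=default_repo:
    #!/usr/bin/env bash
    fail=0
    # check <shell-cmd> <description>: the command must FAIL inside the hardened container
    check() {
        if docker exec {{image}} sh -c "$1" 2>/dev/null; then echo "❌ Red wins: $2"; fail=1; else echo "✅ Red lost: $2"; fi
    }
    docker run -d --read-only --name {{image}} {{image}}
    trap 'docker rm -f {{image}} >/dev/null' EXIT
    sleep 1
    check '[ "$(id -u)" -eq 0 ]' 'process runs as root'
    check 'touch malicious' 'workdir is writable'
    check 'touch /tmp/malicious' '/tmp is writable'
    check 'echo ";;" >> /usr/src/app/build/src/main.js' 'app code is writable'
    # … unchanged: index.html and /bin/sh checks, in the same check '<cmd>' '<what>' shape …
    exit $fail
```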