fix: improve security of the docker container (#648)

* fix: improve security of the docker container Co-authored-by: James Wilson <james@jsdw.me>
paritytech · Aug 26, 2021 · bca36aa · bca36aa
1 parent e6ebda7
commit bca36aa
Show file tree

Hide file tree

Showing 4 changed files with 46 additions and 3 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -36,5 +36,6 @@ COPY --from=builder /opt/builder /usr/src/app
 ENV SAS_EXPRESS_PORT=8080
 ENV SAS_EXPRESS_BIND_HOST=0.0.0.0
 
+USER node
 EXPOSE ${SAS_EXPRESS_PORT}
 CMD [ "node", "build/src/main.js" ]
diff --git a/README.md b/README.md
@@ -252,12 +252,14 @@ yarn build:docker
 
 ```bash
 # For default use run:
-docker run --rm -it -p 8080:8080 substrate-api-sidecar
+docker run --rm -it --read-only -p 8080:8080 substrate-api-sidecar
 
 # Or if you want to use environment variables set in `.env.docker`, run:
-docker run --rm -it --env-file .env.docker -p 8080:8080 substrate-api-sidecar
+docker run --rm -it --read-only --env-file .env.docker -p 8080:8080 substrate-api-sidecar
 ```
 
+**NOTE**: While you could omit the `--read-only` flag, it is **strongly recommended for containers used in production**.
+
 then you can test with:
 
 ```bash

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -7,11 +7,12 @@ services:
       - ~/polkadot-data:/data
     # ports:
     #   - "9944:9944"
-    command: 'polkadot --chain polkadot --unsafe-ws-external --rpc-cors=all'
+    command: '--chain polkadot --unsafe-ws-external --rpc-cors=all'
 
   sidecar:
     # build: .
     image: docker.io/parity/substrate-api-sidecar:latest
+    read_only: true
     ports:
       - "8080:8080"
     environment:

diff --git a/justfile b/justfile
@@ -0,0 +1,39 @@
+default_repo := 'parity'
+image := 'substrate-api-sidecar'
+
+# List available commands
+_default:
+    just --choose --chooser "fzf +s -x --tac --cycle"
+
+# Shows the list of commands
+help:
+    just --list
+
+# Build the docker image
+docker-build repo=default_repo:
+    #!/usr/bin/env bash
+    echo Building {{image}} and taggin as {{repo}}:{{image}}
+    docker build -t {{image}} .
+    docker tag {{image}} {{repo}}/{{image}}
+    docker images | grep {{image}}
+
+# Publish the image after building it
+docker-publish repo=default_repo: (docker-build repo)
+    #!/usr/bin/env bash
+    echo Publishing {{repo}}:{{image}}
+    docker push {{repo}}:{{image}}
+
+# A few simple security checks on the docker image
+docker-test repo=default_repo:
+    #!/usr/bin/env bash
+    docker run -it -d --read-only --name {{image}} {{image}}
+    sleep 1
+
+    docker exec -it {{image}} sh -c 'if [[ $(whoami) = 'root' ]]; then echo "❌ Red wins"; else echo "✅ Red lost"; fi'
+    docker exec -it {{image}} sh -c 'touch malicious 2>/dev/null; if test -f malicious; then echo "❌ Red wins"; else echo "✅ Red lost"; fi'
+    docker exec -it {{image}} sh -c 'touch /tmp/malicious 2>/dev/null; if test -f /tmp/malicious; then echo "❌ Red wins"; else echo "✅ Red lost"; fi'
+    docker exec -it {{image}} sh -c 'echo ";;" >> /usr/src/app/build/src/main.js 2>/dev/null; if [ $? -eq 0 ]; then echo "❌ Red wins"; else echo "✅ Red lost"; fi'
+    docker exec -it {{image}} sh -c 'echo "<h1>pawned</h1>" >> /usr/src/app/index.html 2>/dev/null; if [ $? -eq 0 ]; then echo "❌ Red wins"; else echo "✅ Red lost"; fi'
+    docker exec -it {{image}} sh -c 'if rm /bin/sh 2>/dev/null; then echo "❌ Red wins"; else echo "✅ Red lost"; fi'
+
+    docker rm -f {{image}}