membermatters / MemberMatters

An open source membership, access and payments portal for makerspaces and community groups.
https://membermatters.org
MIT License

SQLite database in Docker Hub container image contains development database? #111

Closed carroarmato0 closed 3 years ago

carroarmato0 commented 3 years ago

I don't think this is supposed to be in the upstream container on docker hub?

jabelone commented 3 years ago

Hi there, I've removed the docker image pending a further investigation. Thanks for letting me know. I'm not sure how an old copy of my development database ended up there, but it looks like that's what happened. In future, it's more appropriate to responsibly disclose security issues like this via a private contact method as explained in our SECURITY.MD file (https://github.com/membermatters/MemberMatters/blob/main/SECURITY.md)

Cheers.

carroarmato0 commented 3 years ago

@jabelone Thanks. I'm not a security researcher who's sensitive to reading security notices. I was indeed contemplating whether I should have maybe looked into contacting you privately.

jabelone commented 3 years ago

No problem, I appreciate the notification in any case. Security related disclosure is always a tricky thing.

jabelone commented 3 years ago

It looks like there was a syntax error in the .dockerignore file that allowed an older copy of my development database (which contained a small amount of production data) to be included. In any case, moving forward, I have fixed that syntax error and will add a note to the readme about refraining from using any production data inside the folders included in the docker build context, to prevent a similar bug from happening in the future. We already have an environment variable feature to allow specifying the location of the database to be used for development, so we can make use of this.
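The failure mode above (a `.dockerignore` rule that silently matches nothing, so a database file enters the build context) is easy to catch before pushing an image. The following is an added example, not code from the MemberMatters project: a small pre-build check that models Docker's `.dockerignore` matching (root-anchored patterns, `*`/`?` not crossing `/`, `**` spanning directories, `!` re-includes, last match wins; this simplified model is an assumption, not Docker's exact implementation) and reports sensitive files that would still be copied into the image. The ignore files and file list are constructed; the actual syntax error in the project is not known from this thread.

```python
import re

def _pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate one .dockerignore pattern into a regex over a context-relative path.
    Assumed simplified model: '*' and '?' stay within one path segment, '**' spans
    segments, and a pattern matching a directory also covers everything beneath it."""
    pattern = pattern.strip().strip("/")
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out.append("(?:.*/)?"); i += 3      # zero or more leading segments
        elif pattern.startswith("**", i):
            out.append(".*"); i += 2
        elif pattern[i] == "*":
            out.append("[^/]*"); i += 1
        elif pattern[i] == "?":
            out.append("[^/]"); i += 1
        else:
            out.append(re.escape(pattern[i])); i += 1
    return re.compile("^" + "".join(out) + "(?:/.*)?$")

def is_excluded(path: str, dockerignore: str) -> bool:
    """True if 'path' (relative to the build context root) is kept out of the context.
    Rules are evaluated top to bottom; the last matching rule wins, '!' re-includes.
    Note: an inline '# comment' is NOT stripped, it becomes part of the pattern."""
    excluded = False
    for line in dockerignore.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        negate = line.startswith("!")
        if negate:
            line = line[1:]
        if _pattern_to_regex(line).match(path.strip("/")):
            excluded = not negate
    return excluded

def leaked_files(paths, dockerignore, sensitive=(".sqlite3", ".db", ".env")):
    """Files with a sensitive suffix that would still be sent to the Docker daemon."""
    return [p for p in paths if p.endswith(sensitive) and not is_excluded(p, dockerignore)]

# Constructed sample inputs: a broken ignore file (trailing comment swallowed into the
# pattern, and a root-only glob) beside a corrected one, plus a fake file listing.
BROKEN_IGNORE = "*.sqlite3 # local dev database\nnode_modules\n"
FIXED_IGNORE = "**/*.sqlite3\n**/*.db\nnode_modules\n"
SAMPLE_FILES = ["db.sqlite3", "backend/db.sqlite3", "node_modules/x.js", "app.py"]

if __name__ == "__main__":
    print("broken:", leaked_files(SAMPLE_FILES, BROKEN_IGNORE))  # both .sqlite3 files leak
    print("fixed: ", leaked_files(SAMPLE_FILES, FIXED_IGNORE))   # []
```

Run this against the real build context (for example `git ls-files` output) before `docker build`, and fail the CI job if the list is non-empty.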