ssl / ezXSS

ezXSS is an easy way for penetration testers and bug bounty hunters to test (blind) Cross Site Scripting.
https://ezxss.com
MIT License

Environment variables (Docker) #129

Closed ThomasOrlita closed 9 months ago

ThomasOrlita commented 1 year ago

Currently, using ezXSS with Docker requires building the image, including the .env file, which is not a good security practice and makes it harder to automate the build process.

If the .env file isn't built, ezXSS should attempt to load the environment variables from the process, instead of failing because the .env file doesn't exist.

ThomasOrlita commented 1 year ago

Also, it would be helpful if httpmode could be set via an environment variable:

- define('httpmode', false);
+ define(filter_var(getenv('httpmode'), FILTER_VALIDATE_BOOLEAN), false);
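Review bot: the `+` line passes define()'s arguments in the wrong order. define() takes the constant name first and its value second, so as written it would try to define a constant named after the boolean result and give it the value false. The replacement should be `define('httpmode', filter_var(getenv('httpmode'), FILTER_VALIDATE_BOOLEAN));`. Also worth noting for whoever picks this up: when the variable is not set in the environment, getenv() returns false and filter_var() turns that into false, so the unset case silently falls back to the same default the removed line had rather than reporting a missing setting.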

GlitchWitch commented 1 year ago

Can you elaborate on why the use of an .env file is not a good security practice?

The .env file is accessible through the mounted docker volume, a pretty common way of doing things. Any changes to this file in the ezXSS directory are reflected instantly without the need to rebuild.

Regarding the httpmode variable, I'd suggest creating a separate issue for that as it's unrelated to docker.

ThomasOrlita commented 1 year ago

I meant that building the image with the production env file (as recommended in the instructions) is not a good security practice as it means the secrets will be leaked if the build is shared publicly.

You're right about mounting! I completely forgot about the possibility of just mounting the env file as a volume (as I was used to just passing the environment variables through Docker). I think this should be the recommended approach in the docs instead. However, also updating the app to make it work with the env passed from Docker would make it more versatile and easier to use with tools such as Portainer.

ssl commented 1 year ago

Hi @ThomasOrlita,

The httpmode inside the env file might be a possibility, I will think about this.

The other issue, what would be the correct way to implement this? @GlitchWitch what do you think about this?

ssl commented 9 months ago

As shown in the example env, you can now set debug, httpmode and signupenabled settings in the .env file.

ssl commented 9 months ago

Regarding your other issue, it seems to me that this approach is not the recommended way (anymore) to pass the variables.

Also, while trying to debug with passing the variables through docker, for example with --env-file, it works fine for the docker compose, but it doesn't get passed to PHP correctly. To correctly get these variables, I either need a file to read from (as it works now), or pass it to Apache so I can read it.

If you believe I'm looking at this wrong and there is another (better) way to do this, please elaborate. For now I will close this.

I've also made some changes to the Docker installation process and made the settings like httpmode editable via the env, as requested.
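The fallback ThomasOrlita asked for at the top of the thread (read the .env file when it exists, otherwise take the values from the process environment) and the Apache hand-off problem ssl describes above can both be illustrated in a single loader. The code below is an added example written for this thread; it is not ezXSS's own code and does not use ezXSS's real settings loader. The setting names `httpmode`, `debug` and `signupenabled` appear in the thread; `dbpassword`, the function names and the sample values are assumptions made up for the example.

```php
<?php
declare(strict_types=1);

// Added example, not ezXSS project code. Function names and the
// 'dbpassword' key are hypothetical; the sample values are constructed.

/**
 * Parse a dotenv-style file into an associative array.
 * Handles KEY=VALUE lines, '#' comment lines and single/double quoted values.
 */
function parseDotEnv(string $path): array
{
    $vars = [];
    $lines = file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    if ($lines === false) {
        return $vars;
    }
    foreach ($lines as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#' || !str_contains($line, '=')) {
            continue;
        }
        [$key, $value] = explode('=', $line, 2);
        $key = trim($key);
        $value = trim($value);
        // Strip one matching pair of surrounding quotes.
        if (strlen($value) >= 2 && ($value[0] === '"' || $value[0] === "'") && $value[0] === substr($value, -1)) {
            $value = substr($value, 1, -1);
        }
        $vars[$key] = $value;
    }
    return $vars;
}

/**
 * Look a key up in the process environment. Under Apache mod_php a variable
 * is only guaranteed to reach PHP if Apache hands it over (PassEnv / SetEnv
 * in the vhost), so $_SERVER and $_ENV are checked in addition to getenv().
 */
function processEnv(string $key): ?string
{
    $value = getenv($key);
    if ($value !== false) {
        return $value;
    }
    foreach ([$_SERVER, $_ENV] as $source) {
        if (isset($source[$key]) && is_string($source[$key])) {
            return $source[$key];
        }
    }
    return null;
}

/**
 * Build the settings array: values from the .env file win, the process
 * environment is the fallback. A key missing from both is an error, so a
 * misconfigured container fails at startup instead of running half-configured.
 */
function loadSettings(string $envPath, array $requiredKeys): array
{
    $fileVars = is_readable($envPath) ? parseDotEnv($envPath) : [];
    $settings = [];
    foreach ($requiredKeys as $key) {
        $value = $fileVars[$key] ?? processEnv($key);
        if ($value === null) {
            throw new RuntimeException("Missing configuration value: {$key}");
        }
        $settings[$key] = $value;
    }
    return $settings;
}

/** Coerce a setting to bool, rejecting anything that is not a recognised boolean string. */
function settingAsBool(string $value, string $key): bool
{
    $bool = filter_var($value, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
    if ($bool === null) {
        throw new RuntimeException("Setting {$key} must be true/false, got '{$value}'");
    }
    return $bool;
}

// Demo: constructed sample values placed in the process environment, as a
// `docker run -e` / `--env-file` would do. No .env file exists next to this
// script, so loadSettings() takes the fallback path.
$keys = ['httpmode', 'debug', 'signupenabled', 'dbpassword'];
putenv('httpmode=false');
putenv('debug=false');
putenv('signupenabled=true');
putenv('dbpassword=example-only');

$settings = loadSettings(__DIR__ . '/.env', $keys);
define('httpmode', settingAsBool($settings['httpmode'], 'httpmode'));
define('debug', settingAsBool($settings['debug'], 'debug'));
define('signupenabled', settingAsBool($settings['signupenabled'], 'signupenabled'));
echo 'httpmode=' . var_export(httpmode, true) . ', signupenabled=' . var_export(signupenabled, true) . PHP_EOL;
```

Two points the example is meant to make. First, the .env file and the process environment are treated as alternatives with a fixed precedence, so the container that mounts the file and the container that passes `-e`/`--env-file` both work without a rebuild, and neither path requires baking secrets into the image. Second, whether a variable set on the container actually reaches mod_php depends on how Apache is started (init scripts such as apache2ctl reset the environment), which is consistent with what ssl observed; a `PassEnv` directive in the vhost makes that hand-off explicit, and checking `$_SERVER` as well as `getenv()` covers the case where Apache exposes the value only through its per-request environment.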