tanmng / docker-chevereto-free

Dockerfiles for various releases of Chevereto Free

security: downloading remote file without checking its content is unsafe #14

Closed sneak closed 4 years ago

sneak commented 4 years ago

https://github.com/tanmng/docker-chevereto/blob/39be2f7c5140ea4cab6e75a19bb871ccc675cd65/Dockerfile-installer#L8

The normal practice for something like this is to put the Dockerfile into the repository of the app being dockerized. Because you're not doing that, you need some cryptography linking the first project's repository/code into this one, so that a given git commit in this dockerfile-containing repo means a specific set of application source files.

This can be achieved most simply by doing a git clone of the upstream repo followed by a git checkout $SHAHASH. Downloading the installer (which could serve different content on different days of the week, or to different client IPs) and simply running the contents is not safe.

Imagine for example the scenario where the hosting server for that domain is compromised, and serves malware at that url - but only to the IP/user who does the builds that get pushed to dockerhub, not to browsers or other IPs. You'd never detect it without examining the docker image.

The real longer-term solution is to simply get the dockerfile committed to the upstream repo.
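The comment above argues that a commit in this repo should pin exact upstream bytes, via `git checkout $SHAHASH` or an equivalent. As an added example (not code from this repo or from Chevereto), the POSIX shell below shows the download-side variant: fetch an artifact and refuse to use it unless its SHA-256 matches a hash committed alongside the Dockerfile. The URL and hash arguments are whatever the caller pins; `sha256sum` from coreutils is assumed to be present.

```shell
#!/bin/sh
# Pin-and-verify download helper (illustrative, not the repository's own code).
# Committing EXPECTED_HEX next to the Dockerfile ties this repo's commit to
# one exact installer, so a server that serves different bytes to the build
# host is detected instead of silently executed.
set -eu

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 when FILE hashes to EXPECTED_HEX, 1 otherwise.
verify_sha256() {
  file=$1
  expected=$2
  actual=$(sha256sum "$file" | awk '{print $1}')
  [ "$actual" = "$expected" ]
}

# fetch_pinned URL DEST EXPECTED_HEX
# Downloads URL to DEST with curl; on a hash mismatch the file is removed and
# a non-zero status is returned so a Dockerfile RUN step fails the build.
fetch_pinned() {
  url=$1
  dest=$2
  expected=$3
  curl -fsSL "$url" -o "$dest"
  if ! verify_sha256 "$dest" "$expected"; then
    echo "sha256 mismatch for $url: refusing to use $dest" >&2
    rm -f "$dest"
    return 1
  fi
  echo "verified $dest"
}
```

In a Dockerfile this would be a single `RUN fetch_pinned <url> installer.php <hash> && php installer.php` step, with the hash updated in the same commit that bumps the version.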

tanmng commented 4 years ago

Hello @sneak

Thank you very much for the input. Yes, it would make great sense to have the image pushed into the upstream repo. I'll try to open a PR in the Chevereto Free repo to get this started.

As a temporary solution I'll change the Dockerfile to actually download the installer from the official release on github.com at https://github.com/Chevereto/installer. Compared to chevereto.com, I would say github.com is under less danger of being compromised, don't you think?