Merge pull request #12 from mocdaniel/hardened-image

Remove all CVEs from Showoff image by updating Dockerfile
NETWAYS · Jun 29, 2023 · 96a71a1 · 96a71a1
2 parents 7c95f09 + 39ccd34
commit 96a71a1
Show file tree

Hide file tree

Showing 8 changed files with 28 additions and 21 deletions.
diff --git a/.gitattributes b/.gitattributes
@@ -0,0 +1 @@
+*.deb filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
@@ -1,4 +1,6 @@
 .*
+!.gitignore
+!.gitattributes
 static
 stats
 trainer

diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM docker.io/ubuntu:focal
+FROM docker.io/ubuntu:lunar
 LABEL maintainer="[email protected]"
 
 WORKDIR /training
@@ -17,8 +17,7 @@ RUN set -ex; \
       xz-utils \
       zlib1g \
       zlib1g-dev \
-      libssl1.1 \
-      libssl-dev \
+      libssl3 \
       libxrender-dev \
       libx11-dev \
       libxext-dev \
@@ -32,19 +31,19 @@ RUN set -ex; \
   && rm -r /var/lib/apt/lists/*
 
 # wkhtmltopdf needs a patched QT version
-ADD vendor/wkhtmltox_0.12.5-1.focal_amd64.deb /tmp/wkhtmltox_0.12.5-1.focal_amd64.deb
+ADD vendor/wkhtmltox_0.12.6.1-2.jammy_amd64.deb /tmp/wkhtmltox.deb
 RUN set -ex; \
-    dpkg -i /tmp/wkhtmltox_0.12.5-1.focal_amd64.deb \
-    && rm -f /tmp/wkhtmltox_0.12.5-1.focal_amd64.deb
+    dpkg -i /tmp/wkhtmltox.deb \
+    && rm -f /tmp/wkhtmltox.deb
 
 # Install showoff Gem
-ARG showoff_version=0.20.3
-RUN gem install showoff --version="$showoff_version"
-
-ADD extras/showoff.patch /tmp/showoff.patch
-
-RUN cd /var/lib/gems/*/gems/showoff-*/lib \
-	&& patch -p1 < /tmp/showoff.patch
+ARG showoff_version=0.20.4
+RUN set -ex; \
+    gem install showoff --version="$showoff_version" \
+    # uri v0.11.0 (installed as dependency for showoff) contains CVE-2023-28755
+    # so we upgrade and delete the default manually. This might be removed in the future
+    # Note that the Ruby 3.1.0 path might change when updating the distro
+    && GEM_HOME=/usr/lib/ruby/gems/3.1.0/ gem install --default uri; rm -f /usr/lib/ruby/gems/3.1.0/specifications/default/uri-0.11*;
 
 EXPOSE 9090
 

diff --git a/Makefile b/Makefile
@@ -1,5 +1,5 @@
 RUNTIME?=docker
-VERSION?=0.20.3
+VERSION?=0.20.4
 
 image:
 	$(RUNTIME) build --pull -t docker.io/netways/showoff:$(VERSION) .
diff --git a/README.md b/README.md
@@ -5,6 +5,8 @@ resides here.
 
 ## How to use
 
+Install and initialize `git-lfs` on your system.
+
 ### 1. Add global resource directory to your project
 
 The global resource dir is introduced by using git subtree mechanism. This keeps the training repository clear from
@@ -118,21 +120,21 @@ make image RUNTIME=podman
 ### Run showoff
 
 ```bash
-docker run -it --rm -v "$PWD:/training" -p "9090:9090" netways/showoff:0.20.3
+docker run -it --rm -v "$PWD:/training" -p "9090:9090" netways/showoff:0.20.4
 ```
 
 ### Build static html files
 
 ```bash
-docker run -it --rm -v "$PWD:/training" netways/showoff:0.20.3 \
+docker run -it --rm -v "$PWD:/training" netways/showoff:0.20.4 \
   showoff static print
 ```
 
 ### Create PDF from static html files
 
 ```bash
 docker run -it --rm -v "$PWD:/training" \
-  netways/showoff:0.20.3 \
+  netways/showoff:0.20.4 \
   wkhtmltopdf -s A5 --print-media-type \
   --footer-left \[page\] --footer-right '© NETWAYS' \
   static/index.html test.pdf

diff --git a/vendor/wkhtmltox_0.12.5-1.focal_amd64.deb b/vendor/wkhtmltox_0.12.5-1.focal_amd64.deb
diff --git a/vendor/wkhtmltox_0.12.6.1-2.jammy_amd64.deb b/vendor/wkhtmltox_0.12.6.1-2.jammy_amd64.deb
diff --git a/wizard.sh b/wizard.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 DIR=$(pwd)
 CLANG=${CLANG:-C.UTF-8}
-IMAGE=${IMAGE:-netways/showoff:0.20.3}
+IMAGE=${IMAGE:-netways/showoff:0.20.4}
 CNAME=${CNAME:-showoff}
 TRAINING=${TRAINING:-$(basename "$DIR")}
 RUNTIME=${RUNTIME:-$(command -v docker)}
@@ -33,21 +33,21 @@ printhandouts () {
   echo -e "\n--- RUN SHOWOFF STATIC FOR HANDOUTS ---"
   execdocker "showoff static print"
   echo -e "\n--- RUN WKHTMLTOPDF FOR HANDOUTS ---"
-  execdocker "wkhtmltopdf --load-error-handling ignore -s A5 --print-media-type --footer-left [page] --footer-right ©NETWAYS static/index.html ${TRAINING}_${1}-handouts.pdf"
+  execdocker "wkhtmltopdf --enable-local-file-access --load-error-handling ignore -s A5 --print-media-type --footer-left [page] --footer-right ©NETWAYS static/index.html ${TRAINING}_${1}-handouts.pdf"
 }
 
 printexercises () {
   echo -e "\n--- RUN SHOWOFF STATIC FOR EXERCISES ---"
   execdocker "showoff static supplemental exercises"
   echo -e "\n--- RUN WKHTMLTOPDF FOR EXERCISES ---"
-  execdocker "wkhtmltopdf --load-error-handling ignore -s A5 --print-media-type --footer-left [page] --footer-right ©NETWAYS static/index.html ${TRAINING}_${1}-exercises.pdf"
+  execdocker "wkhtmltopdf --enable-local-file-access --load-error-handling ignore -s A5 --print-media-type --footer-left [page] --footer-right ©NETWAYS static/index.html ${TRAINING}_${1}-exercises.pdf"
 }
 
 printsolutions () {
   echo -e "\n--- RUN SHOWOFF STATIC FOR SOLUTIONS ---"
   execdocker "showoff static supplemental solutions"
   echo -e "\n--- RUN WKHTMLTOPDF FOR SOLUTIONS ---"
-  execdocker "wkhtmltopdf --load-error-handling ignore -s A5 --print-media-type --footer-left [page] --footer-right ©NETWAYS static/index.html ${TRAINING}_${1}-solutions.pdf"
+  execdocker "wkhtmltopdf --enable-local-file-access --load-error-handling ignore -s A5 --print-media-type --footer-left [page] --footer-right ©NETWAYS static/index.html ${TRAINING}_${1}-solutions.pdf"
 }
 
 setlayout () {