2023-10-19 01:28:16 +00:00
|
|
|
ARG BASE
|
|
|
|
|
FROM ${BASE}
|
2023-09-11 07:24:50 +00:00
|
|
|
|
chore: Disallow plugin requests to localhost (#34250)
The microservices that run inside the Appsmith container, trust each
other, and may expose sensitive API endpoints to other internal
microservices. These sensitive APIs aren't accessible by outside the
Appsmith container, protected by Caddy's routing.
This means that the backend server's ability to make user-configured
HTTP requests, can lead to SSRFs to such sensitive API calls, if it's
allowed to call APIs on localhost.
In other words, Caddy establishes a trust boundary that protects these
internal APIs from outside the container. But we lack such a trust
boundary for the backend's plugins (API plugin, Elasticsearch plugin,
etc.). This PR solves that.
In this PR, we block both IPv4 and IPv6 loopback addresses.
No additional changes needed on EE, no conflicts, and all unit and
Cypress tests pass.
**/test all**
<!-- This is an auto-generated comment: Cypress test results -->
> [!TIP]
> 🟢 🟢 🟢 All cypress tests have passed! 🎉 🎉 🎉
> Workflow run:
<https://github.com/appsmithorg/appsmith/actions/runs/9590358198>
> Commit: 5445c70aa873942c3edae9fbfcc57a6d2554b815
> <a
href="https://internal.appsmith.com/app/cypress-dashboard/rundetails-65890b3c81d7400d08fa9ee5?branch=master&workflowId=9590358198&attempt=2"
target="_blank">Cypress dashboard</a>.
> Tags: ``
<!-- end of auto-generated comment: Cypress test results -->
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- **New Features**
- Improved handling of disallowed hosts by dynamically computing based
on environment variables, offering more flexibility and control.
- **Refactor**
- Enhanced the `makeWebClient()` method to use a more efficient approach
for creating WebClient objects with custom configurations.
- **Chores**
- Added an `ENV` declaration for `IN_DOCKER` in the Dockerfile to better
manage Docker-specific configurations.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2024-06-20 05:30:22 +00:00
|
|
|
ENV IN_DOCKER=1
|
|
|
|
|
|
2023-07-31 04:47:46 +00:00
|
|
|
ARG APPSMITH_CLOUD_SERVICES_BASE_URL
|
2023-07-31 11:25:46 +00:00
|
|
|
ENV APPSMITH_CLOUD_SERVICES_BASE_URL=${APPSMITH_CLOUD_SERVICES_BASE_URL}
|
2023-07-31 04:47:46 +00:00
|
|
|
|
2021-09-01 05:32:08 +00:00
|
|
|
ARG APPSMITH_SEGMENT_CE_KEY
|
|
|
|
|
ENV APPSMITH_SEGMENT_CE_KEY=${APPSMITH_SEGMENT_CE_KEY}
|
2023-09-11 03:13:09 +00:00
|
|
|
|
|
|
|
|
COPY deploy/docker/fs /
|
2021-09-01 05:32:08 +00:00
|
|
|
|
2024-05-28 08:57:02 +00:00
|
|
|
RUN <<END
|
2024-09-19 16:15:46 +00:00
|
|
|
if ! [ -f info.json ]; then
|
|
|
|
|
echo "Missing info.json" >&2
|
|
|
|
|
exit 1
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
if ! [ -f server/mongo/server.jar && -f server/pg/server.jar ]; then
|
|
|
|
|
echo "Missing one or both server.jar files in the right place. Are you using the build script?" >&2
|
|
|
|
|
exit 1
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
mkdir -p ./editor ./rts
|
2024-05-28 08:57:02 +00:00
|
|
|
|
|
|
|
|
# Ensure all *.sh scripts are executable.
|
|
|
|
|
find . -name node_modules -prune -or -type f -name '*.sh' -print -exec chmod +x '{}' ';'
|
2024-06-25 08:33:56 +00:00
|
|
|
|
|
|
|
|
# Ensure all custom command-scripts have executable permission
|
|
|
|
|
chmod +x /opt/bin/*
|
2024-05-28 08:57:02 +00:00
|
|
|
END
|
|
|
|
|
|
2021-09-01 05:32:08 +00:00
|
|
|
# Add client UI - Application Layer
|
|
|
|
|
COPY ./app/client/build editor/
|
|
|
|
|
|
|
|
|
|
# Add RTS - Application Layer
|
ci: Use esbuild to build RTS (#27310)
This fixes RTS build to use `esbuild`.
1. This means the whole `node_modules` won't need to be copied over to
the Docker image. There's unused insignifant _test_ files in there, that
don't add any value, but are causing irrelevant CVEs to be reported on
our Docker image. See example at
https://github.com/appsmithorg/appsmith-ee/pull/2349.
2. Much faster. Not that RTS build is our slow point, but still. Perhaps
we can move client to `esbuild` too. 🙂
## Why are we doing this?
The current method of loading RTS into the Docker image means that _all_
contents of _all_ dependencies are copied over. The whole
`node_modules`. But several of these packages include _test_ files too,
that aren't needed at runtime at all. One of such test files is creating
a false alert for a CVE on our Docker image. Has absolutely no relevance
and impact, but it's there.
To fix that, I [had to `rm -rf /opt/appsmith/rts/node_modules/*/test` in
the Docker
image](https://github.com/appsmithorg/appsmith-ee/pull/2349/files). This
felt very hacky, and very dirty. It felt like we're introducing more
debt and more duct tape around the current build process.
So, `esbuild`.
## Where is `esbuild` coming from?
We're using `esbuild` v0.18.20 only, while the latest is v0.19.3. We
need to update `design-system`'s storybook dependency, I think, to get a
more recent version of `esbuild`. I'm yet to figure this out and can use
some help. 🙂
2023-10-03 01:30:40 +00:00
|
|
|
COPY ./app/client/packages/rts/dist rts/
|
2021-09-01 05:32:08 +00:00
|
|
|
|
2024-06-10 03:53:43 +00:00
|
|
|
ENV PATH /opt/bin:/opt/appsmith/utils/node_modules/.bin:/opt/java/bin:/opt/node/bin:$PATH
|
2023-10-11 09:42:32 +00:00
|
|
|
|
2023-09-11 03:13:09 +00:00
|
|
|
RUN cd ./utils && npm install --only=prod && npm install --only=prod -g . && cd - \
|
2024-06-10 03:53:43 +00:00
|
|
|
&& chmod +x /opt/bin/* *.sh /watchtower-hooks/*.sh \
|
2023-09-11 03:13:09 +00:00
|
|
|
# Disable setuid/setgid bits for the files inside container.
|
2023-09-27 08:08:47 +00:00
|
|
|
&& find / \( -path /proc -prune \) -o \( \( -perm -2000 -o -perm -4000 \) -print -exec chmod -s '{}' + \) || true \
|
2023-11-15 05:58:25 +00:00
|
|
|
&& mkdir -p /.mongodb/mongosh /appsmith-stacks \
|
|
|
|
|
&& chmod ugo+w /etc /appsmith-stacks \
|
2023-12-29 05:03:23 +00:00
|
|
|
&& chmod -R ugo+w /var/run /.mongodb /etc/ssl /usr/local/share
|
2022-04-27 07:27:57 +00:00
|
|
|
|
2022-07-28 12:15:28 +00:00
|
|
|
LABEL com.centurylinklabs.watchtower.lifecycle.pre-check=/watchtower-hooks/pre-check.sh
|
|
|
|
|
LABEL com.centurylinklabs.watchtower.lifecycle.pre-update=/watchtower-hooks/pre-update.sh
|
2021-09-01 05:32:08 +00:00
|
|
|
|
|
|
|
|
EXPOSE 80
|
|
|
|
|
EXPOSE 443
|
|
|
|
|
ENTRYPOINT [ "/opt/appsmith/entrypoint.sh" ]
|
2022-05-06 06:15:56 +00:00
|
|
|
HEALTHCHECK --interval=15s --timeout=15s --start-period=45s CMD "/opt/appsmith/healthcheck.sh"
|
2021-09-14 13:31:06 +00:00
|
|
|
CMD ["/usr/bin/supervisord", "-n"]
|