
Draft: Feature/glibc updates fix for fcrepo

Closed Anusha Ranganathan requested to merge feature/glibc_updates_fix_for_fcrepo into develop
2 unresolved threads

Merge request reports

Pipeline #7922 failed

Pipeline failed for 69242ddf on feature/glibc_updates_fix_for_fcrepo

Approval is optional

Closed by Anusha Ranganathan 7 months ago (Aug 22, 2024 10:02am UTC)

Merge details

  • The changes were not merged into develop.

Activity

fcrepo/Dockerfile 0 → 100644
1 FROM tomcat:8.5
2
3 ENV FCREPO_VERSION 4.7.3
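Review bot: `FROM tomcat:8.5` references the base image by a floating tag, so each rebuild can silently pull a different image than the one the pipeline tested; pin it by digest (`FROM tomcat:8.5@sha256:<digest>`, digest to be filled in) so the tested image is the one that ships. Minor: `ENV FCREPO_VERSION 4.7.3` uses the legacy space-separated form; `ENV FCREPO_VERSION=4.7.3` is the recommended form, and the variable is not yet consumed anywhere in the lines shown.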
  • 22 24 networks:
    23 25 internal:
    24 26 environment:
    25 - CATALINA_OPTS=-Djava.awt.headless=true -Dfile.encoding=UTF-8 -server -Xms512m -Xmx1024m -XX:NewSize=256m -XX:MaxNewSize=256m -XX:PermSize=256m -XX:MaxPermSize=256m -XX:+DisableExplicitGC -Dfcrepo.home=/data -Dfcrepo.object.directory=/data/objects -Dfcrepo.binary.directory=/data/binaries -Dfcrepo.postgresql.username=$POSTGRES_USER -Dfcrepo.postgresql.password=$POSTGRES_PASSWORD -Dfcrepo.postgresql.host=$POSTGRES_HOST_FCREPO -Dfcrepo.postgresql.port=$POSTGRES_PORT -Dfcrepo.modeshape.configuration=classpath:/config/jdbc-postgresql/repository.json
    27 - CATALINA_OPTS=-Djava.awt.headless=true -Dfile.encoding=UTF-8 -server -Xms512m -Xmx1024m -XX:NewSize=256m -XX:MaxNewSize=256m -XX:+DisableExplicitGC -Dfcrepo.home=/data -Dfcrepo.object.directory=/data/objects -Dfcrepo.binary.directory=/data/binaries -Dfcrepo.postgresql.username=$POSTGRES_USER -Dfcrepo.postgresql.password=$POSTGRES_PASSWORD -Dfcrepo.postgresql.host=$POSTGRES_HOST_FCREPO -Dfcrepo.postgresql.port=$POSTGRES_PORT -Dfcrepo.modeshape.configuration=classpath:/config/jdbc-postgresql/repository.json
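Review bot: the only change in this `CATALINA_OPTS` value is the removal of `-XX:PermSize=256m -XX:MaxPermSize=256m`, but neither the merge request title ("glibc updates fix for fcrepo") nor the visible commit explains why those two flags go away; record the reason in the commit message. Readability: because the whole option string sits on one line, a two-flag change renders as a replacement of the entire value and reviewers have to diff it by eye; a folded scalar (`CATALINA_OPTS: >-` with one `-D`/`-XX` flag per line) would make future diffs show only the flag that changed. The `-Dfcrepo.postgresql.password=$POSTGRES_PASSWORD` argument is discussed in the thread on this line.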
    • Caution, passing credentials/secrets in this way (e.g. as command line parameters) results in all of these parameters (including the contents of all variables used, like for example $POSTGRES_PASSWORD) being readable for all (even unprivileged) users in both the fcrepo container and on the host system. See CWE-214 for more details.

      There are two to three possible ways to avoid this:

      1. Pass the secret via a configuration file (this obviously requires the command/program to support such a configuration file in the first place).
      2. Pass the secret through stdin (this is obviously only possible for a single value per command/program, and it requires said program to be aware of the meaning of that stdin stream, and of course that configuration file should have restrictive access permissions in the file system).
      3. Pass the secret through an environment variable (this obviously also requires the invoked command/program to be aware of that specific variable and the meaning of its contents). Please note that depending on the specific use case, this method may also constitute a potential security issue. See CWE-526 for more details. Also, logs, stack traces and other error or debugging output will oftentimes list the whole environment, e.g. all available environment variables, which would then also include the above mentioned secrets. Therefore, try to avoid this third method if possible, and only use it as a last resort.
      Edited by Pascal Ernster
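The three options in the comment above all come down to one rule: the secret must not appear in the program's argument list, and an environment variable is the weakest fallback. The script below is an added example, not code from this merge request or from the fcrepo project; it scans a docker-compose file line by line and reports exactly that split, tagging secrets spliced into option strings such as `CATALINA_OPTS` as argument leaks (CWE-214) and secret-looking plain environment variables as the lower-severity environment case (CWE-526). The compose fragment, the service names, the `OPTION_KEYS` list and the variable names it contains are constructed for the example.

```python
"""Added example, not code from the merge request: a line-based scanner that
flags secrets handed to a program through its argument list in a
docker-compose file, the pattern the review comment above warns about.

Two kinds of finding are reported:
  * "cmdline": a secret-bearing `key=value` token inside an option string
    (CATALINA_OPTS, JAVA_OPTS, ...) or a `command:`/`entrypoint:` line.
    Such values end up as process arguments (CWE-214).
  * "env": a plain environment variable whose name suggests a secret
    (CWE-526), the comment's "last resort" option.
The compose snippet, service names and variable names are constructed.
"""
import re
from typing import List, NamedTuple

# Environment keys whose value is spliced into a java/shell command line
# (assumed list; extend it for the launchers used in your own stack).
OPTION_KEYS = {"CATALINA_OPTS", "JAVA_OPTS", "JAVA_TOOL_OPTIONS", "JDK_JAVA_OPTIONS"}
COMMAND_KEYS = {"command", "entrypoint"}

# Name fragments that usually denote a secret.
SECRET_WORDS = r"(?:password|passwd|secret|token|api[_-]?key)"
SECRET_NAME = re.compile(SECRET_WORDS, re.I)
# A `-Dx.password=$VAR`, `--token=${VAR}` or `secret=literal` token inside a value.
SECRET_TOKEN = re.compile(
    r"(?P<key>[\w.\-]*" + SECRET_WORDS + r"[\w.\-]*)=(?P<val>\$\{?\w+\}?|\S+)", re.I
)
# `- KEY=value` (list form), `KEY: value` (map form) and `command: ...` lines.
KEY_VALUE = re.compile(r"^-?\s*([A-Za-z_][A-Za-z0-9_]*)\s*[=:]\s*(.*)$")


class Finding(NamedTuple):
    line: int
    kind: str      # "cmdline" or "env"
    key: str       # compose key the secret was found under
    token: str     # option or variable name that carries the secret
    source: str    # "variable" (interpolated) or "literal"
    cwe: str


def scan_compose(text: str) -> List[Finding]:
    """Return every secret-bearing key/value found in compose-style text."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_VALUE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key in OPTION_KEYS or key in COMMAND_KEYS:
            # Every secret-looking token in an option string becomes an argument.
            for tok in SECRET_TOKEN.finditer(value):
                src = "variable" if tok.group("val").startswith("$") else "literal"
                findings.append(Finding(lineno, "cmdline", key, tok.group("key"), src, "CWE-214"))
        elif SECRET_NAME.search(key):
            # Plain environment variable: not on the command line, but still
            # visible to anything that dumps the environment.
            src = "variable" if value.startswith("$") else "literal"
            findings.append(Finding(lineno, "env", key, key, src, "CWE-526"))
    return findings


# Constructed compose fragment modelled on the pattern in the diff above.
SAMPLE_COMPOSE = """\
services:
  fcrepo:
    image: tomcat:8.5
    networks:
      internal:
    environment:
      - CATALINA_OPTS=-Djava.awt.headless=true -Dfcrepo.postgresql.username=$POSTGRES_USER -Dfcrepo.postgresql.password=$POSTGRES_PASSWORD -Dfcrepo.postgresql.host=$POSTGRES_HOST_FCREPO
      - FCREPO_LOG_LEVEL=INFO
  db:
    image: postgres
    environment:
      POSTGRES_USER: fcrepo
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
"""

if __name__ == "__main__":
    for f in scan_compose(SAMPLE_COMPOSE):
        print(f"line {f.line}: {f.kind:7} {f.cwe} {f.key} -> {f.token} ({f.source})")
```

On the sample the scanner reports the `-Dfcrepo.postgresql.password` argument inside `CATALINA_OPTS` as a CWE-214 finding and `POSTGRES_PASSWORD` on the database service as a CWE-526 finding; `POSTGRES_USER` and the other `-D` flags are not reported. The scanner is deliberately line-based rather than a YAML parser, so it will not follow folded scalars, anchors or `env_file:` references; treat a clean result as "no obvious leak on this line", not as proof that the secret stays out of the argument list.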
  • added parked label

  • Anusha Ranganathan added 144 commits


