From 0e04bea39e60a2efc5200a79833fd145899916b9 Mon Sep 17 00:00:00 2001
From: Dmitry Galenko
Date: Sun, 20 Nov 2022 12:57:55 +0100
Subject: [PATCH 1/5] Fix for Dockerfile-related security defects and rewrite to follow best practices
---
 Dockerfile | 50 ++++++++++++++++++++++++++++++++++++++------------
 1 file changed, 38 insertions(+), 12 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 0ce4e332..8e3cd215 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,15 +1,41 @@
 FROM debian:bullseye-slim AS builder
-RUN apt-get update
-RUN DEBIAN_FRONTEND=noninteractive TZ=Etc/UTC apt-get -y install wget python3 g++ zip python3-venv git vim
-RUN wget https://raw.githubusercontent.com/platformio/platformio-core-installer/master/get-platformio.py -O get-platformio.py; chmod +x get-platformio.py
-RUN python3 get-platformio.py
-RUN git clone https://github.com/meshtastic/firmware --recurse-submodules
-RUN cd firmware
-RUN chmod +x ./firmware/bin/build-native.sh
-RUN . ~/.platformio/penv/bin/activate; cd firmware; sh ./bin/build-native.sh
+
+ENV DEBIAN_FRONTEND=noninteractive
+ENV TZ=Etc/UTC
+
+# http://bugs.python.org/issue19846
+# > At the moment, setting "LANG=C" on a Linux system *fundamentally breaks Python 3*, and that's not OK.
+ENV LANG C.UTF-8
+
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+
+# Install build deps
+USER root
+RUN apt-get update && \
+ apt-get -y install wget python3 g++ zip python3-venv git vim ca-certificates
+
+# create a non-priveleged user & group
+RUN groupadd -g 1000 mesh && useradd -ml -u 1000 -g 1000 mesh
+
+USER mesh
+RUN wget https://raw.githubusercontent.com/platformio/platformio-core-installer/master/get-platformio.py -qO /tmp/get-platformio.py && \
+ chmod +x /tmp/get-platformio.py && \
+ python3 /tmp/get-platformio.py && \
+ git clone https://github.com/meshtastic/firmware --recurse-submodules /tmp/firmware && \
+ cd /tmp/firmware && \
+ chmod +x /tmp/firmware/bin/build-native.sh && \
+ source ~/.platformio/penv/bin/activate && \
+ ./bin/build-native.sh
 FROM frolvlad/alpine-glibc
-WORKDIR /root/
-COPY --from=builder /firmware/release/meshtasticd_linux_amd64 ./
-RUN apk --update add --no-cache g++
-CMD sh -cx "./meshtasticd_linux_amd64 --hwid '$RANDOM'"
\ No newline at end of file
+
+RUN apk --update add --no-cache g++ shadow && \
+ groupadd -g 1000 mesh && useradd -ml -u 1000 -g 1000 mesh
+
+COPY --from=builder /tmp/firmware/release/meshtasticd_linux_amd64 /home/mesh/
+
+USER mesh
+WORKDIR /home/mesh
+CMD sh -cx "./meshtasticd_linux_amd64 --hwid '$RANDOM'"
+
+HEALTHCHECK NONE
From f4704181e90a65ed9ca5ca00cce09784fe71f060 Mon Sep 17 00:00:00 2001
From: Dmitry Galenko
Date: Sun, 20 Nov 2022 13:12:51 +0100
Subject: [PATCH 2/5] Fix potential buffer clean issue
---
 src/mesh/compression/unishox2.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/mesh/compression/unishox2.c b/src/mesh/compression/unishox2.c
index e1f32ae0..2a8d3535 100644
--- a/src/mesh/compression/unishox2.c
+++ b/src/mesh/compression/unishox2.c
@@ -125,7 +125,7 @@ byte is_inited = 0;
 void init_coder() {
 if (is_inited) return;
- memset(usx_code_94, '\0', sizeof(usx_code_94));
+ memset_s(usx_code_94, '\0', sizeof(usx_code_94));
 for (int i = 0; i < 3; i++) {
 for (int j = 0; j < 28; j++) {
 byte c = usx_sets[i][j];
From 4ec3b025f0875aac4a01dfd3090932165e6eb7d8 Mon Sep 17 00:00:00 2001
From: Dmitry Galenko
Date: Sun, 20 Nov 2022 13:19:47 +0100
Subject: [PATCH 3/5] look like https://sg.run/jkdn not hit us
---
 .semgrepignore | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 .semgrepignore
diff --git a/.semgrepignore b/.semgrepignore
new file mode 100644
index 00000000..6ae867e8
--- /dev/null
+++ b/.semgrepignore
@@ -0,0 +1 @@
+.github/workflows/main_matrix.yml
From 4392df06765524246dcae1d71aef7fd05455524d Mon Sep 17 00:00:00 2001
From: Dmitry Galenko
Date: Sun, 20 Nov 2022 13:27:55 +0100
Subject: [PATCH 4/5] Missed STDC_LIB_EXT1
---
 src/mesh/compression/unishox2.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/mesh/compression/unishox2.c b/src/mesh/compression/unishox2.c
index 2a8d3535..0700c1b3 100644
--- a/src/mesh/compression/unishox2.c
+++ b/src/mesh/compression/unishox2.c
@@ -25,6 +25,7 @@
 * defined in unishox2.h
 */
+#define __STDC_WANT_LIB_EXT1__ 1
 #include
 #include
 #include
From 3187b5abda379c162e6507a41bdaa7838274d018 Mon Sep 17 00:00:00 2001
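Review bot: The `USER mesh` RUN in the builder still fetches `get-platformio.py` from the moving `master` ref and executes it, and clones `meshtastic/firmware` at whatever the default branch is at build time, so every build runs unverified remote code and is not reproducible; pin both to a commit or tag and check the installer before running it, e.g. `echo "<sha256-of-pinned-installer>  /tmp/get-platformio.py" | sha256sum -c -` between the wget and the `python3` line, and `git clone --recurse-submodules --branch <firmware-tag> https://github.com/meshtastic/firmware /tmp/firmware`. The runtime stage's `FROM frolvlad/alpine-glibc` carries no tag or digest, so the community base image underneath the final image can change between builds as well. `apk --update add --no-cache g++ shadow` installs a full C++ toolchain into the runtime image where, presumably, only `libstdc++` is needed to run the binary, and `shadow` is avoidable with busybox's `addgroup -g 1000 -S mesh && adduser -u 1000 -S -G mesh mesh`. `CMD sh -cx "..."` remains shell form wrapping a second `sh`, so the daemon is not PID 1 and does not receive SIGTERM on `docker stop`, while `-x` echoes the expanded command line to stderr; `ENV LANG C.UTF-8` should also use the `key=value` form the other ENV lines use.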
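Review bot: `memset_s(usx_code_94, '\0', sizeof(usx_code_94))` passes three arguments, but the C11 Annex K signature is `errno_t memset_s(void *s, rsize_t smax, int c, rsize_t n)`, so the size lands in the `c` parameter and the count is missing; Annex K is optional and is not provided by glibc (and typically not by embedded libcs either), so the symbol will normally be undeclared even with patch 4's `#define __STDC_WANT_LIB_EXT1__ 1`. The `memset` being replaced clears a lookup table that the loop directly below populates, not a secret that a compiler could dead-store-eliminate, so the original call is the correct one, and patch 5 of this series reverting both changes is the right outcome. If a guaranteed wipe of sensitive memory is ever needed in this tree, `explicit_bzero` where the libc has it, or a documented volatile-pointer loop, is the portable route, with a comment stating why plain `memset` is not enough at that site. init_coder's body continues outside the hunk.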
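Review bot: Listing `.github/workflows/main_matrix.yml` in `.semgrepignore` excludes that workflow from every Semgrep rule, not only the one referenced in the commit message, so any future finding in that file is silenced too. If the finding was confirmed to be a false positive, a per-line `# nosemgrep: <rule-id>` on the flagged step in the workflow, with a short comment giving the reason, keeps the rest of the file scanned.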
From: Dmitry Galenko
Date: Sun, 20 Nov 2022 14:29:05 +0100
Subject: [PATCH 5/5] Revert "Missed STDC_LIB_EXT1"
This reverts commit 4392df06765524246dcae1d71aef7fd05455524d.
---
 src/mesh/compression/unishox2.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/mesh/compression/unishox2.c b/src/mesh/compression/unishox2.c
index 0700c1b3..e1f32ae0 100644
--- a/src/mesh/compression/unishox2.c
+++ b/src/mesh/compression/unishox2.c
@@ -25,7 +25,6 @@
 * defined in unishox2.h
 */
-#define __STDC_WANT_LIB_EXT1__ 1
 #include
 #include
 #include
@@ -126,7 +125,7 @@ byte is_inited = 0;
 void init_coder() {
 if (is_inited) return;
- memset_s(usx_code_94, '\0', sizeof(usx_code_94));
+ memset(usx_code_94, '\0', sizeof(usx_code_94));
 for (int i = 0; i < 3; i++) {
 for (int j = 0; j < 28; j++) {
 byte c = usx_sets[i][j];