
Better docker image

Open chapa opened this issue 5 years ago • 2 comments

Hi,

I've been watching docker-related files to fix a problem I had (see https://github.com/jperelli/osm-static-maps/pull/19), and it doesn't seem to be "production-ready" IMO.

Here are some issues I see:

  • npm install is done when the container is started (instead of when the image is built)
  • the container runs nodemon instead of node
  • a volume maps the entire root folder (to avoid npm install on each docker run, I guess)

Also, resolving these issues would allow pushing the image to the Docker Hub, which would come in handy!

If you're interested I can work on a PR to make things better.

chapa, May 12 '20 14:05

Cool yeah. I thought the docker image more for example and dev purposes.

The code of the server is also exploitable; it has multiple security flaws, as it takes the url arg and puts it on the server as plain text (not escaped). Most arguments are just passed directly to the template. This works fine if you use the lib internally, but the way the args are exposed is a no-go for production. The sample server is 110% vulnerable to server side template injection.

We would need to sanitize all input variables in the server, or maybe in the lib, to be able to call it production-ready.

I would like to see and merge your improvements on the docker image but would just put a big notice that this software is vulnerable and "use at your own risk", until we fix these sanitization issues.

jperelli, May 13 '20 09:05
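The sanitization jperelli describes, as an added illustration that is not code from osm-static-maps: the unsafe pattern (request arguments concatenated straight into the template) next to a hardened version that allow-lists the url argument and HTML-escapes every value first. The template, the argument names and the sample arguments are assumptions for illustration.

```javascript
// Added example (not the osm-static-maps server code). Shows why passing
// request args straight into a template is unsafe and one way to fix it.

// Escape the five characters that let a value break out of HTML text or
// attribute context. Applied to every value before it reaches the template.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Allow-list validation for the `url` argument: it must parse as a URL and
// use http or https. Anything else is rejected instead of passed through.
function validateUrl(raw) {
  let parsed;
  try {
    parsed = new URL(String(raw));
  } catch {
    return null;
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return null;
  return parsed.href;
}

// Unsafe pattern the thread describes: arguments land in the template
// untouched, so the client controls the markup (and, with an engine that
// evaluates expressions, the template syntax as well). Assumed template.
function renderUnsafe(args) {
  return `<div data-url="${args.url}"><h1>${args.title}</h1></div>`;
}

// Hardened pattern: validate first, escape second, build the template last.
// Returns null on invalid input so the caller can answer with a 400.
function renderSafe(args) {
  const url = validateUrl(args.url);
  if (url === null) return null;
  const title = escapeHtml(args.title ?? '');
  return `<div data-url="${escapeHtml(url)}"><h1>${title}</h1></div>`;
}

// Constructed sample request arguments (not taken from the project).
const SAMPLE_ARGS = {
  url: 'https://example.com/data.geojson',
  title: 'Map <b>title</b> & "quotes"',
};
```

`renderUnsafe(SAMPLE_ARGS)` leaves the `<b>` tag live in the page, while `renderSafe(SAMPLE_ARGS)` renders it as literal text and rejects any url that is not http(s).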

Thanks for raising that, I wasn't aware.

OK, I'll work on a PR for the docker image improvements when I have some time. Then it will be ready for production :smile:, waiting for sanitization.

chapa, May 13 '20 10:05