From a1e5e6234fcfebd41498d92897af07d1c261af6d Mon Sep 17 00:00:00 2001
From: Liam Stanley
Date: Tue, 7 May 2019 15:07:59 -0400
Subject: [PATCH 1/2] set better security defaults in docker-compose.yml

Without `APP_DEBUG=false` or `APP_ENV=production`, this may lead to unwanted exposure of environment variables when a user hits an exception (or even a 404). With docker specifically, these environment variables also include the database credentials. This change will ensure this debugging functionality is not enabled by default.
---
 docker-compose.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/docker-compose.yml b/docker-compose.yml
index 2703373a..9bef4b09 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -28,6 +28,8 @@ services:
 - DB_PREFIX=chq_
 - APP_KEY=${APP_KEY:-null}
 - APP_LOG=errorlog
+ - APP_ENV=production
+ - APP_DEBUG=false
 - DEBUG=false
 depends_on:
 - postgres
From 600f51d6b5ebab06230e39cccc9b7c64e4c40744 Mon Sep 17 00:00:00 2001
From: Ryan Trauntvein
Date: Wed, 29 Jan 2020 21:43:21 -0800
Subject: [PATCH 2/2] Default to production, allow override for tests

---
 docker-compose.yml | 2 +-
 test/test.full.bats | 2 --
 test/test.mysql.bats | 2 --
 test/test.sqlite.bats | 2 --
 test/test_helpers.bash | 4 ++++
 5 files changed, 5 insertions(+), 7 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 9bef4b09..97776a9d 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -28,7 +28,7 @@ services:
 - DB_PREFIX=chq_
 - APP_KEY=${APP_KEY:-null}
 - APP_LOG=errorlog
- - APP_ENV=production
+ - APP_ENV=${APP_ENV:-production}
 - APP_DEBUG=false
 - DEBUG=false
 depends_on:
diff --git a/test/test.full.bats b/test/test.full.bats
index c234996b..40d1fd8d 100755
--- a/test/test.full.bats
+++ b/test/test.full.bats
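Review bot: The two added lines `- APP_ENV=production` and `- APP_DEBUG=false` carry no comment saying why they must stay, so a later edit could flip them without noticing the exposure the commit message describes. I would put a line above them such as `# Keep production / no debug: the debug error page prints environment variables, including DB credentials`. The same environment block still has `- APP_KEY=${APP_KEY:-null}`, which falls back to the literal value `null` when no key is supplied; how the image treats that value is not visible in this hunk and is worth confirming now that production is the default.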
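Review bot: `- APP_ENV=${APP_ENV:-production}` is resolved by docker-compose from the invoking shell and from a `.env` file beside the compose file, so an `APP_ENV` left exported on an operator's machine for some other project silently replaces the production default in a real deployment. `APP_DEBUG=false` stays hard-coded in the context lines, which keeps the debug page off, but any other behaviour that keys on the environment name would change without a visible edit to this file. A comment on the line, for example `# overridable for the test suite only; leave APP_ENV unset in deployments`, would make the intent explicit. Setting the value in the test compose files instead of the shared one may be an option, though those files are not part of this patch.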
@@ -4,8 +4,6 @@ load docker_helpers
 load "lib/batslib"
 load "lib/output"
-export APP_KEY="base64:v2LwHrdgnE+RavEXdnF8LgWIibjvEcFkU2qaX5Ji708="
-
 @test "[$TEST_FILE] testing Cachet Docker image build" {
 command docker-compose build --no-cache cachet
 }
diff --git a/test/test.mysql.bats b/test/test.mysql.bats
index 0cb6bd0b..293a3888 100755
--- a/test/test.mysql.bats
+++ b/test/test.mysql.bats
@@ -4,8 +4,6 @@ load docker_helpers
 load "lib/batslib"
 load "lib/output"
-export APP_KEY="base64:v2LwHrdgnE+RavEXdnF8LgWIibjvEcFkU2qaX5Ji708="
-
 @test "[$TEST_FILE] docker-compose up" {
 command docker-compose -f test/docker-compose-mysql.yml up -d
 }
diff --git a/test/test.sqlite.bats b/test/test.sqlite.bats
index f0e83aa7..f20153d2 100755
--- a/test/test.sqlite.bats
+++ b/test/test.sqlite.bats
@@ -4,8 +4,6 @@ load docker_helpers
 load "lib/batslib"
 load "lib/output"
-export APP_KEY="base64:v2LwHrdgnE+RavEXdnF8LgWIibjvEcFkU2qaX5Ji708="
-
 @test "[$TEST_FILE] docker-compose up" {
 command docker-compose -f test/docker-compose-sqlite.yml up -d
 }
diff --git a/test/test_helpers.bash b/test/test_helpers.bash
index 6cdffe7c..d12bb010 100644
--- a/test/test_helpers.bash
+++ b/test/test_helpers.bash
@@ -3,6 +3,10 @@ type docker &>/dev/null || ( echo "docker is not available"; exit 1 )
 )>&2
+# ENV vars for tests
+export APP_ENV=development
+export APP_KEY="base64:v2LwHrdgnE+RavEXdnF8LgWIibjvEcFkU2qaX5Ji708="
+
 TEST_FILE=$(basename $BATS_TEST_FILENAME .bats)
 # stop all containers with the "bats-type" label (matching the optionally supplied value)
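Review bot: The exported `APP_KEY` in test/test_helpers.bash is a fixed value published in the repository, and the comment `# ENV vars for tests` does not warn against reusing it. Anything protected with a key that anyone can read has no confidentiality, so the risk is an operator copying this line into a deployment. I would extend the comment to something like `# Test-only values. APP_KEY is public in this repository; generate a fresh key for any real deployment`. Because the helper is sourced by every suite, `export APP_ENV=development` also applies to the default compose file used by test/test.full.bats, which is presumably intended but worth stating in the same comment.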