Fix bug 72341 - Injections with operating system commands (#15)
Co-authored-by: danilapog <danil.titarenko@onlyoffice.com> Co-committed-by: danilapog <danil.titarenko@onlyoffice.com>
committed by
Alexey Golubev
parent
e9f55325d9
commit
4ed8027cbe
50
.github/workflows/4testing-build.yml
vendored
@ -47,25 +47,31 @@ jobs:
|
|||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- id: matrix
|
- id: matrix
|
||||||
|
env:
|
||||||
|
BRANCH_NAME: ${{ github.ref_name }}
|
||||||
|
AMD64: ${{ github.event.inputs.amd64 }}
|
||||||
|
ARM64: ${{ github.event.inputs.arm64 }}
|
||||||
|
COMMUNITY: ${{ github.event.inputs.community }}
|
||||||
|
ENTERPRISE: ${{ github.event.inputs.enterprise }}
|
||||||
|
DEVELOPER: ${{ github.event.inputs.developer }}
|
||||||
run: |
|
run: |
|
||||||
set -ex
|
set -ex
|
||||||
|
|
||||||
BRANCH_NAME=${GITHUB_REF#refs/heads/}
|
if ! [[ "$BRANCH_NAME" == develop || "$BRANCH_NAME" =~ hotfix || "$BRANCH_NAME" =~ release ]]; then
|
||||||
if ! [[ $BRANCH_NAME == develop || $BRANCH_NAME =~ hotfix || $BRANCH_NAME =~ release ]]; then
|
|
||||||
echo "Wrong branch."
|
echo "Wrong branch."
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
[ ${{ github.event.inputs.amd64 }} = true ] && PLATFORMS+=("amd64")
|
[ "${AMD64}" = true ] && PLATFORMS+=("amd64")
|
||||||
[ ${{ github.event.inputs.arm64 }} = true ] && PLATFORMS+=("arm64")
|
[ "${ARM64}" = true ] && PLATFORMS+=("arm64")
|
||||||
if [ -z ${PLATFORMS} ]; then
|
if [ -z ${PLATFORMS} ]; then
|
||||||
echo "None of the platforms are selected."
|
echo "None of the platforms are selected."
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
[ ${{ github.event.inputs.community }} = true ] && EDITIONS+=("community")
|
[ "${COMMUNITY}" = true ] && EDITIONS+=("community")
|
||||||
[ ${{ github.event.inputs.enterprise }} = true ] && EDITIONS+=("enterprise")
|
[ "${ENTERPRISE}" = true ] && EDITIONS+=("enterprise")
|
||||||
[ ${{ github.event.inputs.developer }} = true ] && EDITIONS+=("developer")
|
[ "${DEVELOPER}" = true ] && EDITIONS+=("developer")
|
||||||
if [ -z ${EDITIONS} ]; then
|
if [ -z ${EDITIONS} ]; then
|
||||||
echo "None of the editions are selected."
|
echo "None of the editions are selected."
|
||||||
exit 1
|
exit 1
|
||||||
@ -102,12 +108,20 @@ jobs:
|
|||||||
|
|
||||||
- name: Build 4testing
|
- name: Build 4testing
|
||||||
id: build-ds
|
id: build-ds
|
||||||
|
env:
|
||||||
|
BRANCH_NAME: ${{ github.ref_name }}
|
||||||
|
AMD64: ${{ github.event.inputs.amd64 }}
|
||||||
|
ARM64: ${{ github.event.inputs.arm64 }}
|
||||||
|
BUILD_NUMBER: ${{ github.event.inputs.build }}
|
||||||
|
EDITION: ${{ matrix.edition }}
|
||||||
|
IMAGE: ${{ matrix.image }}
|
||||||
|
PACKAGE_BASEURL: ${{ secrets.REPO_BASEURL }}
|
||||||
run: |
|
run: |
|
||||||
set -eux
|
set -eux
|
||||||
|
|
||||||
### ==>> At this step build variable declaration ###
|
### ==>> At this step build variable declaration ###
|
||||||
|
|
||||||
case ${{ matrix.edition }} in
|
case "${EDITION}" in
|
||||||
community)
|
community)
|
||||||
PRODUCT_EDITION=""
|
PRODUCT_EDITION=""
|
||||||
;;
|
;;
|
||||||
@ -119,23 +133,20 @@ jobs:
|
|||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
[ ${{ github.event.inputs.amd64 }} = true ] && PLATFORMS+=("amd64")
|
[ "${AMD64}" = true ] && PLATFORMS+=("amd64")
|
||||||
[ ${{ github.event.inputs.arm64 }} = true ] && PLATFORMS+=("arm64")
|
[ "${ARM64}" = true ] && PLATFORMS+=("arm64")
|
||||||
PLATFORM=$(echo ${PLATFORMS[*]/#/linux/} | tr ' ' ',')
|
PLATFORM=$(echo ${PLATFORMS[*]/#/linux/} | tr ' ' ',')
|
||||||
|
|
||||||
BRANCH_NAME=${GITHUB_REF#refs/heads/}
|
if [ "$BRANCH_NAME" = develop ]; then
|
||||||
if [ $BRANCH_NAME = develop ]; then
|
|
||||||
BUILD_CHANNEL=nightly
|
BUILD_CHANNEL=nightly
|
||||||
PRODUCT_VERSION=99.99.99
|
PRODUCT_VERSION=99.99.99
|
||||||
elif [[ $BRANCH_NAME =~ hotfix || $BRANCH_NAME =~ release ]]; then
|
elif [[ "$BRANCH_NAME" =~ hotfix || "$BRANCH_NAME" =~ release ]]; then
|
||||||
BUILD_CHANNEL=test
|
BUILD_CHANNEL=test
|
||||||
PRODUCT_VERSION=${BRANCH_NAME#*/v}
|
PRODUCT_VERSION=${BRANCH_NAME#*/v}
|
||||||
fi
|
fi
|
||||||
BUILD_NUMBER=${{ github.event.inputs.build }}
|
|
||||||
|
|
||||||
export PRODUCT_EDITION
|
export PRODUCT_EDITION
|
||||||
export PACKAGE_VERSION=${PRODUCT_VERSION}-${BUILD_NUMBER}
|
export PACKAGE_VERSION=${PRODUCT_VERSION}-${BUILD_NUMBER}
|
||||||
export PACKAGE_BASEURL=${{ secrets.REPO_BASEURL }}
|
|
||||||
export BUILD_CHANNEL
|
export BUILD_CHANNEL
|
||||||
export PLATFORM
|
export PLATFORM
|
||||||
export DOCKERFILE=Dockerfile
|
export DOCKERFILE=Dockerfile
|
||||||
@ -144,7 +155,7 @@ jobs:
|
|||||||
|
|
||||||
### ==>> Build and push images at this step ###
|
### ==>> Build and push images at this step ###
|
||||||
|
|
||||||
docker buildx bake -f docker-bake.hcl ${{ matrix.image }} --push
|
docker buildx bake -f docker-bake.hcl "${IMAGE}" --push
|
||||||
echo "DONE: Build success"
|
echo "DONE: Build success"
|
||||||
|
|
||||||
### Set output for Zap scanner
|
### Set output for Zap scanner
|
||||||
@ -165,10 +176,11 @@ jobs:
|
|||||||
VERSION: ${{ steps.build-ds.outputs.version }}
|
VERSION: ${{ steps.build-ds.outputs.version }}
|
||||||
BRANCH: ${{ steps.build-ds.outputs.branch }}
|
BRANCH: ${{ steps.build-ds.outputs.branch }}
|
||||||
GITHUB_TOKEN: ${{ secrets.TOKEN }}
|
GITHUB_TOKEN: ${{ secrets.TOKEN }}
|
||||||
|
REPO: ${{ github.repository }}
|
||||||
run: |
|
run: |
|
||||||
gh workflow run zap-ds.yaml \
|
gh workflow run zap-ds.yaml \
|
||||||
--repo ${{ github.repository }} \
|
--repo "${REPO}" \
|
||||||
-f branch=${BRANCH} \
|
-f branch="${BRANCH}" \
|
||||||
-f version=${VERSION}
|
-f version="${VERSION}"
|
||||||
shell: bash
|
shell: bash
|
||||||
|
|
||||||
|
|||||||
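Review bot: The branch gate in the `matrix` step still uses unanchored matches (`"$BRANCH_NAME" =~ hotfix || "$BRANCH_NAME" =~ release`), so any ref whose name merely contains one of those words passes, and `PRODUCT_VERSION=${BRANCH_NAME#*/v}` in the `build-ds` step then takes whatever follows `/v` without a format check. Passing the values through `env:` stops them being pasted into the script text, but `PRODUCT_VERSION` and `BUILD_NUMBER` still end up in the exported `PACKAGE_VERSION`, which is presumably consumed by `docker-bake.hcl` (not visible on this page). An anchored check such as `[[ "$BRANCH_NAME" =~ ^(hotfix|release)/v[0-9]+(\.[0-9]+)*$ ]]` together with `[[ "$BUILD_NUMBER" =~ ^[0-9]+$ ]]` before the export would close that; the branch pattern is inferred from the `#*/v` strip and should be confirmed against the project's naming. The unchanged `[ -z ${PLATFORMS} ]` and `[ -z ${EDITIONS} ]` tests are also unquoted and give the intended result for an empty array only because `[ -z ]` with no operand evaluates as true.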
27
.github/workflows/stable-build.yml
vendored
@ -17,7 +17,9 @@ on:
|
|||||||
|
|
||||||
env:
|
env:
|
||||||
COMPANY_NAME: "onlyoffice"
|
COMPANY_NAME: "onlyoffice"
|
||||||
PRODUCT_NAME: "documentserver"
|
PRODUCT_NAME: "documentserver"
|
||||||
|
VERSION: ${{ github.event.inputs.tag }}
|
||||||
|
RELEASE_NUMBER: ${{ github.event.inputs.release_number }}
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
build:
|
build:
|
||||||
@ -45,18 +47,18 @@ jobs:
|
|||||||
password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
|
password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
|
||||||
|
|
||||||
- name: Build documentserver-release
|
- name: Build documentserver-release
|
||||||
|
env:
|
||||||
|
TARGET: ${{ matrix.images }}
|
||||||
|
PRODUCT_EDITION: ${{ matrix.edition }}
|
||||||
run: |
|
run: |
|
||||||
set -eux
|
set -eux
|
||||||
VERSION=${{ github.event.inputs.tag }}
|
|
||||||
RELEASE_NUMBER=${{ github.event.inputs.release_number }}
|
|
||||||
PRODUCT_EDITION=${{ matrix.edition }}
|
|
||||||
TESTING_IMAGE=${COMPANY_NAME}/4testing-${PRODUCT_NAME}${PRODUCT_EDITION}
|
TESTING_IMAGE=${COMPANY_NAME}/4testing-${PRODUCT_NAME}${PRODUCT_EDITION}
|
||||||
export PRODUCT_EDITION
|
export PRODUCT_EDITION
|
||||||
export PULL_TAG=${VERSION}
|
export PULL_TAG=${VERSION}
|
||||||
export TAG=${VERSION%.*}.${RELEASE_NUMBER}
|
export TAG=${VERSION%.*}.${RELEASE_NUMBER}
|
||||||
export SHORTER_TAG=${VERSION%.*}
|
export SHORTER_TAG=${VERSION%.*}
|
||||||
export SHORTEST_TAG=${VERSION%.*.*}
|
export SHORTEST_TAG=${VERSION%.*.*}
|
||||||
docker buildx bake -f docker-bake.hcl ${{ matrix.images }} --push
|
docker buildx bake -f docker-bake.hcl "${TARGET}" --push
|
||||||
echo "DONE: Build success >> exit with 0"
|
echo "DONE: Build success >> exit with 0"
|
||||||
exit 0
|
exit 0
|
||||||
shell: bash
|
shell: bash
|
||||||
@ -88,14 +90,14 @@ jobs:
|
|||||||
password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
|
password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
|
||||||
|
|
||||||
- name: build image
|
- name: build image
|
||||||
|
env:
|
||||||
|
TARGET: ${{ matrix.images }}
|
||||||
|
PRODUCT_EDITION: ${{ matrix.edition }}
|
||||||
run: |
|
run: |
|
||||||
set -eux
|
set -eux
|
||||||
VERSION=${{ github.event.inputs.tag }}
|
|
||||||
RELEASE_NUMBER=${{ github.event.inputs.release_number }}
|
|
||||||
export PULL_TAG=${VERSION%.*}.${RELEASE_NUMBER}
|
export PULL_TAG=${VERSION%.*}.${RELEASE_NUMBER}
|
||||||
export PRODUCT_EDITION=${{ matrix.edition }}
|
|
||||||
export TAG=${VERSION%.*}.${RELEASE_NUMBER}
|
export TAG=${VERSION%.*}.${RELEASE_NUMBER}
|
||||||
docker buildx bake -f docker-bake.hcl ${{ matrix.images }} --push
|
docker buildx bake -f docker-bake.hcl "${TARGET}" --push
|
||||||
shell: bash
|
shell: bash
|
||||||
|
|
||||||
build-ucs-ubuntu20:
|
build-ucs-ubuntu20:
|
||||||
@ -122,12 +124,11 @@ jobs:
|
|||||||
password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
|
password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
|
||||||
|
|
||||||
- name: build UCS
|
- name: build UCS
|
||||||
|
env:
|
||||||
|
PACKAGE_BASEURL: ${{ secrets.REPO_BASEURL }}
|
||||||
|
PRODUCT_EDITION: ${{ matrix.edition }}
|
||||||
run: |
|
run: |
|
||||||
set -eux
|
set -eux
|
||||||
VERSION=${{ github.event.inputs.tag }}
|
|
||||||
RELEASE_NUMBER=${{ github.event.inputs.release_number }}
|
|
||||||
export PRODUCT_EDITION=${{ matrix.edition }}
|
|
||||||
export PACKAGE_BASEURL=${{ secrets.REPO_BASEURL }}
|
|
||||||
export DOCKERFILE=Dockerfile
|
export DOCKERFILE=Dockerfile
|
||||||
export BASE_VERSION=20.04
|
export BASE_VERSION=20.04
|
||||||
export PG_VERSION=12
|
export PG_VERSION=12
|
||||||
|
|||||||
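Review bot: `VERSION` and `RELEASE_NUMBER` are declared in the workflow-level `env:` block, so every step of every job inherits them, including any `uses:` actions, while the other values moved by this commit (`TARGET`, `PRODUCT_EDITION`, `PACKAGE_BASEURL`) are scoped to the step that needs them. Declaring `VERSION: ${{ github.event.inputs.tag }}` and `RELEASE_NUMBER: ${{ github.event.inputs.release_number }}` in the `env:` of the build steps that read them would keep the scope consistent and put each definition next to its use. `VERSION` is also a generic name that a tool invoked by a step could pick up unintentionally. If the workflow-level placement is kept, a comment such as `# dispatch inputs, untrusted: reference only as "$VERSION" in run blocks` would document the intent.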