From 2e4c0e7ebc254997d8b9ecf6becc50601c0b267d Mon Sep 17 00:00:00 2001 From: Nasrullo Nurullaev Date: Mon, 16 Dec 2024 07:38:40 +0000 Subject: [PATCH 1/6] Update base image to 24.04 (#13) Reviewed-on: https://git.onlyoffice.com/ONLYOFFICE/Docker-DocumentServer/pulls/13 Reviewed-by: Alexey Golubev Co-authored-by: Nasrullo Nurullaev Co-committed-by: Nasrullo Nurullaev --- .github/workflows/stable-build.yml | 1 + Dockerfile | 13 ++++++++----- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/.github/workflows/stable-build.yml b/.github/workflows/stable-build.yml index ab5813c..fea89d2 100644 --- a/.github/workflows/stable-build.yml +++ b/.github/workflows/stable-build.yml @@ -131,6 +131,7 @@ jobs: export DOCKERFILE=Dockerfile export BASE_VERSION=20.04 export PG_VERSION=12 + export PACKAGE_SUFFIX= export TAG=${VERSION%.*}.${RELEASE_NUMBER} export PACKAGE_VERSION=$( echo ${VERSION} | sed -E 's/(.*)\./\1-/') docker buildx bake -f docker-bake.hcl documentserver-ucs --push diff --git a/Dockerfile b/Dockerfile index f8d28f3..b3df91e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -ARG BASE_VERSION=22.04 +ARG BASE_VERSION=24.04 ARG BASE_IMAGE=ubuntu:$BASE_VERSION @@ -6,7 +6,8 @@ FROM ${BASE_IMAGE} AS documentserver LABEL maintainer Ascensio System SIA ARG BASE_VERSION -ARG PG_VERSION=14 +ARG PG_VERSION=16 +ARG PACKAGE_SUFFIX=t64 ENV OC_RELEASE_NUM=21 ENV OC_RU_VER=12 
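Review bot: The added `export PACKAGE_SUFFIX=` gives the UCS job an empty override with no indication of why, so the next reader sees a variable deliberately set to nothing. A one-line comment above it would carry the reason: `# 20.04 has no t64 library packages; clear the Dockerfile default (t64, meant for 24.04)`. Whether docker-bake.hcl forwards PACKAGE_SUFFIX as a build arg is not visible in this patch; the Dockerfile hunk in the same commit declares it as an ARG, so the forwarding presumably lives in the bake file.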
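Review bot: `ARG PACKAGE_SUFFIX=t64` is a default that is only correct together with `BASE_VERSION=24.04`; the t64 suffix comes from the 64-bit time_t library rename in Ubuntu 24.04, and the same Dockerfile is still built with `BASE_VERSION=20.04` (see the workflow hunk in this commit), where `libaio1t64` and `libasound2t64` do not exist. The coupling between the two ARGs deserves a comment at the declaration, e.g. `# Ubuntu 24.04 renamed time_t-affected libraries with a t64 suffix; pass PACKAGE_SUFFIX= for older bases`, so a caller who bumps BASE_VERSION alone knows to override it. The lines that consume the suffix are in the later hunk of this file (libaio1/libasound2); any further package in that list renamed in 24.04 would need the same treatment, which this patch does not show either way.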
@@ -26,7 +27,9 @@ RUN echo "#!/bin/sh\nexit 0" > /usr/sbin/policy-rc.d && \
 apt-get -y update && \
 apt-get -yq install wget apt-transport-https gnupg locales lsb-release && \
 wget -q -O /etc/apt/sources.list.d/mssql-release.list https://packages.microsoft.com/config/ubuntu/$BASE_VERSION/prod.list && \
- wget -q -O - https://packages.microsoft.com/keys/microsoft.asc | apt-key add - && \
+ wget -q -O /tmp/microsoft.asc https://packages.microsoft.com/keys/microsoft.asc && \
+ apt-key add /tmp/microsoft.asc && \
+ gpg --dearmor -o /usr/share/keyrings/microsoft-prod.gpg < /tmp/microsoft.asc && \
 apt-get -y update && \
 locale-gen en_US.UTF-8 && \
 echo ttf-mscorefonts-installer msttcorefonts/accepted-mscorefonts-eula select true | debconf-set-selections && \
@@ -38,8 +41,8 @@ RUN echo "#!/bin/sh\nexit 0" > /usr/sbin/policy-rc.d && \
 cron \
 curl \
 htop \
- libaio1 \
- libasound2 \
+ libaio1${PACKAGE_SUFFIX} \
+ libasound2${PACKAGE_SUFFIX} \
 libboost-regex-dev \
 libcairo2 \
 libcurl3-gnutls \
From 9b55149e51054dc538defd0e4d8b47fde6c4da98 Mon Sep 17 00:00:00 2001
From: Nasrullo Nurullaev
Date: Fri, 20 Dec 2024 09:47:22 +0500
Subject: [PATCH 2/6] Fix issue with building Dockerfile for arm64 arch

---
 Dockerfile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index b3df91e..05895bc 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -72,7 +72,8 @@ RUN echo "#!/bin/sh\nexit 0" > /usr/sbin/policy-rc.d && \
 unzip \
 xvfb \
 xxd \
- zlib1g && \
+ zlib1g || dpkg --configure -a && \
+ # Added dpkg --configure -a to handle installation issues with rabbitmq-server on arm64 architecture
 if [ $(ls -l /usr/share/fonts/truetype/msttcorefonts | wc -l) -ne 61 ]; \
 then echo 'msttcorefonts failed to download'; exit 1; fi && \
 echo "SERVER_ADDITIONAL_ERL_ARGS=\"+S 1:1\"" | tee -a /etc/rabbitmq/rabbitmq-env.conf && \
From e9f55325d9957d0494878dff1dd682a23f6408af Mon Sep 17 00:00:00 2001
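Review bot: `apt-key add /tmp/microsoft.asc` still registers the key in apt's global trusted keyring, so it signs for every configured repository, not only packages.microsoft.com; the `gpg --dearmor` line added just below already produces the scoped keyring `/usr/share/keyrings/microsoft-prod.gpg`, which is the mechanism that replaced the deprecated apt-key. If the downloaded prod.list references that keyring with `signed-by=` (it does for recent Ubuntu releases; verify for the 20.04 build this Dockerfile is still used for, per the workflow hunk), the apt-key line can simply go; otherwise add the `signed-by` option to the list entry rather than keeping both. Nothing checks the fetched key before it is trusted; comparing `gpg --show-keys /tmp/microsoft.asc` against a fingerprint recorded in the file (`<EXPECTED_FINGERPRINT placeholder>`) would make a substituted key fail the build instead of being accepted. `/tmp/microsoft.asc` is also left in the layer; `rm -f /tmp/microsoft.asc` at the end of this RUN, which continues past the hunk, removes it.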
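Review bot: `zlib1g || dpkg --configure -a && \` changes the meaning of the entire install: `||` and `&&` have equal precedence and associate left to right, so the line reads `(apt-get install … || dpkg --configure -a) && …`, and any failure of the `apt-get install` (a package missing from the archive, a download error), not only the rabbitmq-server postinst problem the new comment describes, is replaced by the exit status of `dpkg --configure -a`, which is 0 whenever nothing is left to configure, and the build proceeds with packages missing. Keep the failure observable, e.g. `zlib1g || { dpkg --configure -a && apt-get -yq install -f; } && \` followed by `dpkg-query -W -f='${Status}\n' rabbitmq-server | grep -q 'install ok installed' && \`, or limit the fallback to the case it was written for with `[ "$(dpkg --print-architecture)" = arm64 ]`. The `#` line inside the continuation is stripped by the Dockerfile parser, so it does not break the chain, but it reads more naturally above the RUN. The package list and the RUN itself start above the hunk; I have assumed rabbitmq-server is in that list as the comment states.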
From: Alexey Golubev Date: Sat, 28 Dec 2024 08:44:33 +0000 Subject: [PATCH 3/6] Fixbug #72289 --- cluster.yml | 108 ---------------------------------------------------- 1 file changed, 108 deletions(-) delete mode 100644 cluster.yml diff --git a/cluster.yml b/cluster.yml deleted file mode 100644 index 0cb07c1..0000000 --- a/cluster.yml +++ /dev/null 
@@ -1,108 +0,0 @@ -version: '2.1' - -x-ds-image: - &ds-image - ${COMPANY_NAME:-onlyoffice}/${PRODUCT_NAME:-documentserver-de}:${PRODUCT_VERSION:-latest} - -services: - onlyoffice-documentserver-data: - container_name: onlyoffice-documentserver-data - image: *ds-image - environment: - - ONLYOFFICE_DATA_CONTAINER=true - - DB_HOST=onlyoffice-postgresql - - DB_PORT=5432 - - DB_NAME=onlyoffice - - DB_USER=onlyoffice - - AMQP_URI=amqp://guest:guest@onlyoffice-rabbitmq - - REDIS_SERVER_HOST=onlyoffice-redis - - REDIS_SERVER_PORT=6379 - # Uncomment strings below to enable the JSON Web Token validation. - #- JWT_ENABLED=true - #- JWT_SECRET=secret - #- JWT_HEADER=Authorization - #- JWT_IN_BODY=true - stdin_open: true - restart: always - volumes: - - /etc/onlyoffice - - /var/www/onlyoffice/Data - - /var/log/onlyoffice - - /var/lib/onlyoffice/documentserver/App_Data/cache/files - - /var/www/onlyoffice/documentserver-example/public/files - - /usr/share/fonts - - onlyoffice-documentserver: - image: *ds-image - depends_on: - - onlyoffice-documentserver-data - - onlyoffice-postgresql - - onlyoffice-redis - - onlyoffice-rabbitmq - environment: - - ONLYOFFICE_DATA_CONTAINER_HOST=onlyoffice-documentserver-data - - BALANCE=uri depth 3 - - EXCLUDE_PORTS=443 - - HTTP_CHECK=GET /healthcheck - - EXTRA_SETTINGS=http-check expect string true - # Uncomment the string below to redirect HTTP request to HTTPS request. 
- #- FORCE_SSL=true - stdin_open: true - restart: always - expose: - - '80' - volumes_from: - - onlyoffice-documentserver-data - - onlyoffice-haproxy: - container_name: onlyoffice-haproxy - image: dockercloud/haproxy:1.5.1 - depends_on: - - onlyoffice-documentserver - environment: - - MODE=http - # Uncomment the string below to specify the path of ssl certificates - #- CERT_FOLDER=/certs/ - stdin_open: true - links: - - onlyoffice-documentserver - volumes: - - /var/run/docker.sock:/var/run/docker.sock - # Uncomment the string below to map a ssl certificate from host - # to the proxy container - #- /app/onlyoffice/DocumentServer/data/certs/onlyoffice.pem:/certs/cert1.pem - restart: always - ports: - - '80:80' - - '443:443' - - '1936:1936' - - onlyoffice-redis: - container_name: onlyoffice-redis - image: redis - restart: always - expose: - - '6379' - - onlyoffice-rabbitmq: - container_name: onlyoffice-rabbitmq - image: rabbitmq - restart: always - expose: - - '5672' - - onlyoffice-postgresql: - container_name: onlyoffice-postgresql - image: postgres:9.5 - environment: - - POSTGRES_DB=onlyoffice - - POSTGRES_USER=onlyoffice - - POSTGRES_HOST_AUTH_METHOD=trust - restart: always - expose: - - '5432' - volumes: - - postgresql_data:/var/lib/postgresql - -volumes: - postgresql_data: From 4ed8027cbedf8834bb7c63a20aaeedbb15b098d0 Mon Sep 17 00:00:00 2001 From: danilapog Date: Thu, 9 Jan 2025 14:34:43 +0000 Subject: [PATCH 4/6] Fix bug 72341 - Injections with operating system commands (#15) Co-authored-by: danilapog Co-committed-by: danilapog --- .github/workflows/4testing-build.yml | 50 +++++++++++++++++----------- .github/workflows/stable-build.yml | 27 +++++++-------- 2 files changed, 45 insertions(+), 32 deletions(-) diff --git a/.github/workflows/4testing-build.yml b/.github/workflows/4testing-build.yml index 138cd30..5b6deb1 100644 --- a/.github/workflows/4testing-build.yml +++ b/.github/workflows/4testing-build.yml 
@@ -47,25 +47,31 @@ jobs: runs-on: ubuntu-latest steps: - id: matrix + env: + BRANCH_NAME: ${{ github.ref_name }} + AMD64: ${{ github.event.inputs.amd64 }} + ARM64: ${{ github.event.inputs.arm64 }} + COMMUNITY: ${{ github.event.inputs.community }} + ENTERPRISE: ${{ github.event.inputs.enterprise }} + DEVELOPER: ${{ github.event.inputs.developer }} run: | set -ex - BRANCH_NAME=${GITHUB_REF#refs/heads/} - if ! [[ $BRANCH_NAME == develop || $BRANCH_NAME =~ hotfix || $BRANCH_NAME =~ release ]]; then + if ! [[ "$BRANCH_NAME" == develop || "$BRANCH_NAME" =~ hotfix || "$BRANCH_NAME" =~ release ]]; then echo "Wrong branch." exit 1 fi - [ ${{ github.event.inputs.amd64 }} = true ] && PLATFORMS+=("amd64") - [ ${{ github.event.inputs.arm64 }} = true ] && PLATFORMS+=("arm64") + [ "${AMD64}" = true ] && PLATFORMS+=("amd64") + [ "${ARM64}" = true ] && PLATFORMS+=("arm64") if [ -z ${PLATFORMS} ]; then echo "None of the platforms are selected." exit 1 fi - [ ${{ github.event.inputs.community }} = true ] && EDITIONS+=("community") - [ ${{ github.event.inputs.enterprise }} = true ] && EDITIONS+=("enterprise") - [ ${{ github.event.inputs.developer }} = true ] && EDITIONS+=("developer") + [ "${COMMUNITY}" = true ] && EDITIONS+=("community") + [ "${ENTERPRISE}" = true ] && EDITIONS+=("enterprise") + [ "${DEVELOPER}" = true ] && EDITIONS+=("developer") if [ -z ${EDITIONS} ]; then echo "None of the editions are selected." exit 1 @@ -102,12 +108,20 @@ jobs: - name: Build 4testing id: build-ds + env: + BRANCH_NAME: ${{ github.ref_name }} + AMD64: ${{ github.event.inputs.amd64 }} + ARM64: ${{ github.event.inputs.arm64 }} + BUILD_NUMBER: ${{ github.event.inputs.build }} + EDITION: ${{ matrix.edition }} + IMAGE: ${{ matrix.image }} + PACKAGE_BASEURL: ${{ secrets.REPO_BASEURL }} run: | set -eux ### ==>> At this step build variable declaration ### - case ${{ matrix.edition }} in + case "${EDITION}" in community) PRODUCT_EDITION="" ;; 
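Review bot: `if [ -z ${PLATFORMS} ]` and `if [ -z ${EDITIONS} ]` are left as they were and only work by accident: `${PLATFORMS}` of an array expands to element 0, and when the array is empty the test collapses to `[ -z ]`, which is true because `-z` is then a non-empty string. Now that the inputs are in quoted variables, the emptiness checks should be explicit as well, `if [ "${#PLATFORMS[@]}" -eq 0 ]; then` and `if [ "${#EDITIONS[@]}" -eq 0 ]; then`. Moving the `${{ }}` expressions into the step's `env:` block is the right shape for this fix; the same pattern is applied in the later hunks of this file and in stable-build.yml, so the array checks are the only remaining loose end in this step.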
@@ -119,23 +133,20 @@ jobs: ;; esac - [ ${{ github.event.inputs.amd64 }} = true ] && PLATFORMS+=("amd64") - [ ${{ github.event.inputs.arm64 }} = true ] && PLATFORMS+=("arm64") + [ "${AMD64}" = true ] && PLATFORMS+=("amd64") + [ "${ARM64}" = true ] && PLATFORMS+=("arm64") PLATFORM=$(echo ${PLATFORMS[*]/#/linux/} | tr ' ' ',') - BRANCH_NAME=${GITHUB_REF#refs/heads/} - if [ $BRANCH_NAME = develop ]; then + if [ "$BRANCH_NAME" = develop ]; then BUILD_CHANNEL=nightly PRODUCT_VERSION=99.99.99 - elif [[ $BRANCH_NAME =~ hotfix || $BRANCH_NAME =~ release ]]; then + elif [[ "$BRANCH_NAME" =~ hotfix || "$BRANCH_NAME" =~ release ]]; then BUILD_CHANNEL=test PRODUCT_VERSION=${BRANCH_NAME#*/v} fi - BUILD_NUMBER=${{ github.event.inputs.build }} export PRODUCT_EDITION export PACKAGE_VERSION=${PRODUCT_VERSION}-${BUILD_NUMBER} - export PACKAGE_BASEURL=${{ secrets.REPO_BASEURL }} export BUILD_CHANNEL export PLATFORM export DOCKERFILE=Dockerfile @@ -144,7 +155,7 @@ jobs: ### ==>> Build and push images at this step ### - docker buildx bake -f docker-bake.hcl ${{ matrix.image }} --push + docker buildx bake -f docker-bake.hcl "${IMAGE}" --push echo "DONE: Build success" ### Set output for Zap scanner @@ -165,10 +176,11 @@ jobs: VERSION: ${{ steps.build-ds.outputs.version }} BRANCH: ${{ steps.build-ds.outputs.branch }} GITHUB_TOKEN: ${{ secrets.TOKEN }} + REPO: ${{ github.repository }} run: | gh workflow run zap-ds.yaml \ - --repo ${{ github.repository }} \ - -f branch=${BRANCH} \ - -f version=${VERSION} + --repo "${REPO}" \ + -f branch="${BRANCH}" \ + -f version="${VERSION}" shell: bash diff --git a/.github/workflows/stable-build.yml b/.github/workflows/stable-build.yml index fea89d2..01e80f7 100644 --- a/.github/workflows/stable-build.yml +++ b/.github/workflows/stable-build.yml 
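Review bot: `export PACKAGE_VERSION=${PRODUCT_VERSION}-${BUILD_NUMBER}` still takes `BUILD_NUMBER` straight from a workflow_dispatch input and `PRODUCT_VERSION` from the branch name; quoting closes the shell-injection path, but the value then travels through docker-bake into the Dockerfile, where it forms `PACKAGE_FILE` and an image tag, unchecked. A shape check before the exports would reject stray values early, e.g. `[[ "$BUILD_NUMBER" =~ ^[0-9]+$ ]] || { echo "Bad build number: $BUILD_NUMBER"; exit 1; }`, with a similar pattern for `PRODUCT_VERSION`. The same applies to `VERSION` and `RELEASE_NUMBER` in the stable-build.yml hunks of this commit, where `${VERSION%.*}.${RELEASE_NUMBER}` becomes the pushed tag. The step's script begins above this hunk, in the previous one.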
@@ -17,7 +17,9 @@ on: env: COMPANY_NAME: "onlyoffice" - PRODUCT_NAME: "documentserver" + PRODUCT_NAME: "documentserver" + VERSION: ${{ github.event.inputs.tag }} + RELEASE_NUMBER: ${{ github.event.inputs.release_number }} jobs: build: @@ -45,18 +47,18 @@ jobs: password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} - name: Build documentserver-release + env: + TARGET: ${{ matrix.images }} + PRODUCT_EDITION: ${{ matrix.edition }} run: | set -eux - VERSION=${{ github.event.inputs.tag }} - RELEASE_NUMBER=${{ github.event.inputs.release_number }} - PRODUCT_EDITION=${{ matrix.edition }} TESTING_IMAGE=${COMPANY_NAME}/4testing-${PRODUCT_NAME}${PRODUCT_EDITION} export PRODUCT_EDITION export PULL_TAG=${VERSION} export TAG=${VERSION%.*}.${RELEASE_NUMBER} export SHORTER_TAG=${VERSION%.*} export SHORTEST_TAG=${VERSION%.*.*} - docker buildx bake -f docker-bake.hcl ${{ matrix.images }} --push + docker buildx bake -f docker-bake.hcl "${TARGET}" --push echo "DONE: Build success >> exit with 0" exit 0 shell: bash @@ -88,14 +90,14 @@ jobs: password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} - name: build image + env: + TARGET: ${{ matrix.images }} + PRODUCT_EDITION: ${{ matrix.edition }} run: | set -eux - VERSION=${{ github.event.inputs.tag }} - RELEASE_NUMBER=${{ github.event.inputs.release_number }} export PULL_TAG=${VERSION%.*}.${RELEASE_NUMBER} - export PRODUCT_EDITION=${{ matrix.edition }} export TAG=${VERSION%.*}.${RELEASE_NUMBER} - docker buildx bake -f docker-bake.hcl ${{ matrix.images }} --push + docker buildx bake -f docker-bake.hcl "${TARGET}" --push shell: bash build-ucs-ubuntu20: 
@@ -122,12 +124,11 @@ jobs: password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} - name: build UCS + env: + PACKAGE_BASEURL: ${{ secrets.REPO_BASEURL }} + PRODUCT_EDITION: ${{ matrix.edition }} run: | set -eux - VERSION=${{ github.event.inputs.tag }} - RELEASE_NUMBER=${{ github.event.inputs.release_number }} - export PRODUCT_EDITION=${{ matrix.edition }} - export PACKAGE_BASEURL=${{ secrets.REPO_BASEURL }} export DOCKERFILE=Dockerfile export BASE_VERSION=20.04 export PG_VERSION=12 From a349692e609e2f9b53e4367a67345849cd14ebda Mon Sep 17 00:00:00 2001 From: Alexey Golubev Date: Fri, 10 Jan 2025 13:35:29 +0000 Subject: [PATCH 5/6] Add folder description (#16) --- tests/README.md | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 tests/README.md diff --git a/tests/README.md b/tests/README.md new file mode 100644 index 0000000..c17b546 --- /dev/null +++ b/tests/README.md @@ -0,0 +1,3 @@ +The files in this folder are intended for use in integration auto-tests. + +All credentials are strictly for testing purposes only. \ No newline at end of file From a8b1256d87058ff5a50daa33236058fc22171e6c Mon Sep 17 00:00:00 2001 From: Nasrullo Nurullaev Date: Mon, 13 Jan 2025 15:34:29 +0500 Subject: [PATCH 6/6] fix Bug 72356 - Fix security issue with shell variables --- Dockerfile | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/Dockerfile b/Dockerfile index 05895bc..63f140c 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -26,7 +26,7 @@ ARG ONLYOFFICE_VALUE=onlyoffice
 RUN echo "#!/bin/sh\nexit 0" > /usr/sbin/policy-rc.d && \
 apt-get -y update && \
 apt-get -yq install wget apt-transport-https gnupg locales lsb-release && \
- wget -q -O /etc/apt/sources.list.d/mssql-release.list https://packages.microsoft.com/config/ubuntu/$BASE_VERSION/prod.list && \
+ wget -q -O /etc/apt/sources.list.d/mssql-release.list "https://packages.microsoft.com/config/ubuntu/$BASE_VERSION/prod.list" && \
 wget -q -O /tmp/microsoft.asc https://packages.microsoft.com/keys/microsoft.asc && \
 apt-key add /tmp/microsoft.asc && \
 gpg --dearmor -o /usr/share/keyrings/microsoft-prod.gpg < /tmp/microsoft.asc && \
@@ -125,10 +125,10 @@ RUN PACKAGE_FILE="${COMPANY_NAME}-${PRODUCT_NAME}${PRODUCT_EDITION}${PACKAGE_VER
 sed "s/COMPANY_NAME/${COMPANY_NAME}/g" -i /etc/supervisor/conf.d/*.conf && \
 service supervisor stop && \
 chmod 755 /app/ds/*.sh && \
- printf "\nGO" >> /var/www/$COMPANY_NAME/documentserver/server/schema/mssql/createdb.sql && \
- printf "\nGO" >> /var/www/$COMPANY_NAME/documentserver/server/schema/mssql/removetbl.sql && \
- printf "\nexit" >> /var/www/$COMPANY_NAME/documentserver/server/schema/oracle/createdb.sql && \
- printf "\nexit" >> /var/www/$COMPANY_NAME/documentserver/server/schema/oracle/removetbl.sql && \
+ printf "\nGO" >> "/var/www/$COMPANY_NAME/documentserver/server/schema/mssql/createdb.sql" && \
+ printf "\nGO" >> "/var/www/$COMPANY_NAME/documentserver/server/schema/mssql/removetbl.sql" && \
+ printf "\nexit" >> "/var/www/$COMPANY_NAME/documentserver/server/schema/oracle/createdb.sql" && \
+ printf "\nexit" >> "/var/www/$COMPANY_NAME/documentserver/server/schema/oracle/removetbl.sql" && \
 rm -f /tmp/$PACKAGE_FILE && \
 rm -rf /var/log/$COMPANY_NAME && \
 rm -rf /var/lib/apt/lists/*
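Review bot: The quoting stops two lines short: `rm -f /tmp/$PACKAGE_FILE` and `rm -rf /var/log/$COMPANY_NAME`, directly after the four printf lines, expand the same build-arg-derived variables unquoted, and for `rm -rf` a value containing whitespace or a glob character removes more than the intended directory. `rm -f "/tmp/$PACKAGE_FILE" && \` and `rm -rf "/var/log/$COMPANY_NAME" && \` complete the change. `PACKAGE_FILE` is assembled from `PACKAGE_VERSION` at the top of this RUN (visible in the hunk header), so validating that value where the workflows take it from user input is the other half of closing this.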