From 95f3e912eed9c91818d0ee24c3038ca8eaa94095 Mon Sep 17 00:00:00 2001
From: XeR
Date: Sun, 29 May 2022 12:47:01 -0100
Subject: [PATCH 1/2] Containers: pin containers to a specific hash

There has been a bunch of supply chain attacks in the last few months. This commit pins every containers to a specific hash (the most recent at the time) to reduce the risk of CTFNote users pulling a compromised container.
---
 api/Dockerfile | 6 +++---
 db/Dockerfile | 2 +-
 docker-compose.dev.yml | 2 +-
 docker-compose.yml | 2 +-
 front/Dockerfile | 4 ++--
 5 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/api/Dockerfile b/api/Dockerfile
index fce34c103..75e1ef5ae 100644
--- a/api/Dockerfile
+++ b/api/Dockerfile
@@ -6,7 +6,7 @@ ARG NODE_ENV="production"
 ################################################################################
 # Build stage 1 - `yarn build`
-FROM node:16-alpine as builder
+FROM node@sha256:1a9a71ea86aad332aa7740316d4111ee1bd4e890df47d3b5eff3e5bded3b3d10 as builder
 # Import our shared args
 ARG NODE_ENV
@@ -24,7 +24,7 @@ RUN yarn run build
 ################################################################################
 # Build stage 2 - COPY the relevant things (multiple steps)
-FROM node:16-alpine as clean
+FROM node@sha256:1a9a71ea86aad332aa7740316d4111ee1bd4e890df47d3b5eff3e5bded3b3d10 as clean
 # Import our shared args
 ARG NODE_ENV
@@ -36,7 +36,7 @@ COPY --from=builder /app/migrations/ /app/migrations/
 ################################################################################
 # Build stage FINAL - COPY everything, once, and then do a clean `yarn install`
-FROM node:16-alpine
+FROM node@sha256:1a9a71ea86aad332aa7740316d4111ee1bd4e890df47d3b5eff3e5bded3b3d10
 # Import our shared args
 ARG NODE_ENV
diff --git a/db/Dockerfile b/db/Dockerfile
index acfc87a72..0ffb95ee0 100644
--- a/db/Dockerfile
+++ b/db/Dockerfile
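Review bot: The three new `FROM` lines in this file replace the tag with a bare digest, so nothing in the Dockerfile records that the digest was resolved from `node:16-alpine`; a reader, and an update bot that has no tag to compare against, can no longer tell which release is pinned or when it has fallen behind. Docker accepts tag and digest together and the digest is still what is enforced, so `FROM node:16-alpine@sha256:1a9a71ea86aad332aa7740316d4111ee1bd4e890df47d3b5eff3e5bded3b3d10 as builder` keeps the readability at no cost to the pin. The same applies to the other two hunks of this file, to `db/Dockerfile` (`postgres:14`), to both `front/Dockerfile` hunks (`node:16-alpine`, `nginx:1.22.0-alpine`) and to the `hedgedoc` image lines in the two compose files (`1.9.3-alpine`). It is also worth confirming that each digest is that of the multi-platform manifest list rather than a single-platform manifest: the tag form pulled whichever platform matched the host, whereas a per-platform digest will fail to build on any other architecture (`docker buildx imagetools inspect <ref>` shows which kind a digest is).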
@@ -1,3 +1,3 @@
-FROM postgres:14
+FROM postgres@sha256:596e4c843a9db32269a3757624d8a6a6f633e01895acb83fe0842497fd897eb7
 COPY create-multiple-postgresql-databases.sh /docker-entrypoint-initdb.d/create-multiple-postgresql-databases.sh
diff --git a/docker-compose.dev.yml b/docker-compose.dev.yml
index e669aac29..af8afffbb 100644
--- a/docker-compose.dev.yml
+++ b/docker-compose.dev.yml
@@ -15,7 +15,7 @@ services:
 ports:
 - '5432:5432'
 hedgedoc:
- image: quay.io/hedgedoc/hedgedoc:1.9.3-alpine
+ image: quay.io/hedgedoc/hedgedoc@sha256:766663fea4e3f55cd5c1cfd12c71d5ccb258809b2b74eedd035efe0883bf0970
 environment:
 CMD_DB_URL: 'postgres://ctfnote:ctfnote@db:5432/hedgedoc'
 CMD_URL_PATH: 'pad'
diff --git a/docker-compose.yml b/docker-compose.yml
index fc5dfab76..5e1eb9509 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -42,7 +42,7 @@ services:
 ports:
 - 8080:80
 hedgedoc:
- image: quay.io/hedgedoc/hedgedoc:1.9.3-alpine
+ image: quay.io/hedgedoc/hedgedoc@sha256:766663fea4e3f55cd5c1cfd12c71d5ccb258809b2b74eedd035efe0883bf0970
 environment:
 - CMD_DB_URL=postgres://ctfnote:ctfnote@db:5432/hedgedoc
 - CMD_URL_PATH=pad
diff --git a/front/Dockerfile b/front/Dockerfile
index 897b1f83c..f7baf02d8 100644
--- a/front/Dockerfile
+++ b/front/Dockerfile
@@ -1,4 +1,4 @@
-FROM node:16-alpine AS build-deps
+FROM node@sha256:1a9a71ea86aad332aa7740316d4111ee1bd4e890df47d3b5eff3e5bded3b3d10 AS build-deps
 RUN mkdir -p /usr/src/app
 COPY package.json quasar.conf.js .eslintrc.js .eslintignore tsconfig.json .postcssrc.js yarn.lock babel.config.js quasar.extensions.json /usr/src/app/
@@ -12,7 +12,7 @@ WORKDIR /usr/src/app
 RUN yarn build
 # _--------_
-FROM nginx:1.22.0-alpine
+FROM nginx@sha256:f335d7436887b39393409261603fb248e0c385ec18997d866dd44f7e9b621096
 RUN mkdir -p /logs

From 2bcafbd529f6aad3ee1e6bef13de0edab1a5de8d Mon Sep 17 00:00:00 2001
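Review bot: The `hedgedoc` pins in the `docker-compose.dev.yml` and `docker-compose.yml` hunks carry no comment saying what they were resolved from, and unlike the Dockerfiles nothing ties the two files together, so the two digests can drift apart silently on the next bump. A one-line YAML comment above each `image:` such as `# quay.io/hedgedoc/hedgedoc:1.9.3-alpine, digest resolved 2022-05-29; keep in sync with docker-compose.dev.yml` (and the mirror-image comment in the dev file) records both facts where the next editor will look. The same holds for the node digest, which the first `front/Dockerfile` hunk now duplicates from `api/Dockerfile`: the second patch only centralises it inside `api/Dockerfile`, so a comment in `front/Dockerfile` naming the other copy, or one value passed to both Dockerfiles through compose `build.args`, would close that gap. A digest pin also freezes the image until someone bumps it, so rebuilt `1.9.3-alpine` images that only pick up base-image fixes are no longer pulled; an update-bot configuration or a recorded bump procedure should accompany this change.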
From: XeR
Date: Sun, 29 May 2022 13:04:36 -0100
Subject: [PATCH 2/2] API: use a variable for container version

API uses the same container 3 times. This commit specifies the version of the container in a variable that gets reused in the Dockerfile. This makes sure we don't forget to update any of the containers.
---
 api/Dockerfile | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/api/Dockerfile b/api/Dockerfile
index 75e1ef5ae..96372734f 100644
--- a/api/Dockerfile
+++ b/api/Dockerfile
@@ -2,11 +2,12 @@
 # Global args, set before the first FROM, shared by all stages
 ARG NODE_ENV="production"
+ARG NODE_DIGEST="sha256:1a9a71ea86aad332aa7740316d4111ee1bd4e890df47d3b5eff3e5bded3b3d10"
 ################################################################################
 # Build stage 1 - `yarn build`
-FROM node@sha256:1a9a71ea86aad332aa7740316d4111ee1bd4e890df47d3b5eff3e5bded3b3d10 as builder
+FROM node@${NODE_DIGEST} as builder
 # Import our shared args
 ARG NODE_ENV
@@ -24,7 +25,7 @@ RUN yarn run build
 ################################################################################
 # Build stage 2 - COPY the relevant things (multiple steps)
-FROM node@sha256:1a9a71ea86aad332aa7740316d4111ee1bd4e890df47d3b5eff3e5bded3b3d10 as clean
+FROM node@${NODE_DIGEST} as clean
 # Import our shared args
 ARG NODE_ENV
@@ -36,7 +37,7 @@ COPY --from=builder /app/migrations/ /app/migrations/
 ################################################################################
 # Build stage FINAL - COPY everything, once, and then do a clean `yarn install`
-FROM node@sha256:1a9a71ea86aad332aa7740316d4111ee1bd4e890df47d3b5eff3e5bded3b3d10
+FROM node@${NODE_DIGEST}
 # Import our shared args
 ARG NODE_ENV
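Review bot: The added `ARG NODE_DIGEST` line holds only the digest, so after this change the Dockerfile still does not say which `node` release the pin came from, and the variable cannot be reused by `front/Dockerfile`, which carries the same digest verbatim. Making the variable the complete reference, `ARG NODE_IMAGE="node:16-alpine@sha256:1a9a71ea86aad332aa7740316d4111ee1bd4e890df47d3b5eff3e5bded3b3d10"` and `FROM ${NODE_IMAGE} as builder` on the changed `FROM` line (likewise for the `clean` and final stages in the next two hunks), keeps the tag visible next to the digest and gives compose a single value to pass to both Dockerfiles via `build.args`. An `ARG` declared before the first `FROM` is visible only on `FROM` lines, and a `--build-arg` for it replaces the pin, which is worth spelling out in a comment above the declaration: `# Base-image pin shared by every stage; usable only in FROM (redeclare inside a stage if needed). Overridable with --build-arg, so CI must not pass it; update tag and digest together.`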