Cannot find mutillidae.zip when building image #8

Open
deadline39 opened this issue Mar 1, 2022 · 5 comments
Labels
question Further information is requested

Comments

@deadline39

Following instructions and calling:

docker-compose -f docker-compose.acra-censor-demo.yml up

causes an error

acra-keymaker_server uses an image, skipping
acra-keymaker_connector uses an image, skipping
acra-server uses an image, skipping
acra-connector uses an image, skipping
Building edoz90_mutillidae
[+] Building 2.8s (18/27)
 => CACHED [internal] load git source https://github.com/storojs72/docker-mutillidae.git                                                           0.0s
 => [internal] load metadata for docker.io/library/alpine:latest                                                                                   2.4s
 => [ 1/25] FROM docker.io/library/alpine:latest@sha256:21a3deaa0d32a8057914f36584b5288d2e5ecc984380bc0118285c70fa8c9300                           0.0s
 => CACHED [ 2/25] RUN sed -i -e 's/v[[:digit:]]\.[[:digit:]]\+/edge/g' /etc/apk/repositories                                                      0.0s
 => CACHED [ 3/25] RUN apk update && apk upgrade                                                                                                   0.0s
 => CACHED [ 4/25] RUN apk add logrotate rsyslog supervisor goaccess             nginx php mariadb mariadb-client pwgen php-fpm             vim b  0.0s
 => CACHED [ 5/25] RUN apk add php-mysqli php-mbstring php-session php-simplexml php-curl php-json                                                 0.0s
 => CACHED [ 6/25] RUN adduser -H -D -g http http                                                                                                  0.0s
 => CACHED [ 7/25] RUN mkdir -p /usr/share/nginx/html                                                                                              0.0s
 => CACHED [ 8/25] RUN mkdir -p /run/nginx                                                                                                         0.0s
 => CACHED [ 9/25] RUN chown -R http:http /usr/share/nginx/html                                                                                    0.0s
 => CACHED [10/25] RUN chown -R mysql:mysql /var/lib/mysql                                                                                         0.0s
 => CACHED [11/25] RUN mkdir -p /run/mysqld                                                                                                        0.0s
 => CACHED [12/25] RUN chown -R mysql:mysql /run/mysqld                                                                                            0.0s
 => CACHED [13/25] RUN chmod 777 /var/tmp/                                                                                                         0.0s
 => CACHED [14/25] ADD dist/install_db.sh /tmp/install_db.sh                                                                                       0.0s
 => CACHED [15/25] RUN wget -q https://sourceforge.net/projects/mutillidae/files/latest/download -O mutillidae.zip                                 0.0s
 => ERROR [16/25] RUN unzip -q mutillidae.zip -d /usr/share/nginx/html/                                                                            0.3s
------
 > [16/25] RUN unzip -q mutillidae.zip -d /usr/share/nginx/html/:
#18 0.283 [mutillidae.zip]
#18 0.283   End-of-central-directory signature not found.  Either this file is not
#18 0.283   a zipfile, or it constitutes one disk of a multi-part archive.  In the
#18 0.283   latter case the central directory and zipfile comment will be found on
#18 0.283   the last disk(s) of this archive.
#18 0.283 unzip:  cannot find zipfile directory in one of mutillidae.zip or
#18 0.283         mutillidae.zip.zip, and cannot find mutillidae.zip.ZIP, period.
------
executor failed running [/bin/sh -c unzip -q mutillidae.zip -d /usr/share/nginx/html/]: exit code: 9
ERROR: Service 'edoz90_mutillidae' failed to build : Build failed

The problem is due to an outdated URL, https://sourceforge.net/projects/mutillidae/files/latest/download, in the Dockerfile of the project https://github.com/storojs72/docker-mutillidae.git, which is given as the build context in docker-compose.acra-censor-demo.yml.

I tried changing the context to a newer project, https://github.com/notdodo/docker-mutillidae, which avoids the missing zip file error but causes a new error:

[+] Building 0.4s (7/8)
 => [internal] load build definition from Dockerfile                                                                                               0.0s
 => => transferring dockerfile: 32B                                                                                                                0.0s
 => [internal] load .dockerignore                                                                                                                  0.0s
 => => transferring context: 2B                                                                                                                    0.0s
 => [internal] load metadata for docker.io/storojs72/edoz90_mutillidae:latest                                                                      0.0s
 => [1/4] FROM docker.io/storojs72/edoz90_mutillidae:latest                                                                                        0.0s
 => [internal] load build context                                                                                                                  0.0s
 => => transferring context: 37B                                                                                                                   0.0s
 => CACHED [2/4] ADD ./configure_db.sh /tmp/configure_db.sh                                                                                        0.0s
 => ERROR [3/4] RUN /bin/bash /tmp/configure_db.sh                                                                                                 0.3s
------
 > [3/4] RUN /bin/bash /tmp/configure_db.sh:
#7 0.305 /bin/sh: /bin/bash: not found
------
executor failed running [/bin/sh -c /bin/bash /tmp/configure_db.sh]: exit code: 127
ERROR: Service 'mutillidae' failed to build : Build failed

This is related to the https://github.com/cossacklabs/acra-censor-demo/blob/master/mutillidae/Dockerfile file, but I don't know how to solve it, or whether changing the context is a good solution in the first place.

I would like to use the demo from this repository, so if you can, please fix the bugs so that the instructions work.
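The first build log above fails only at the `unzip` step, one layer after `wget -q ... -O mutillidae.zip` succeeded: the unpinned `files/latest/download` URL returned something that is not a zip archive at all ("End-of-central-directory signature not found"), and the Dockerfile extracted it blindly. As an added example (not code from the docker-mutillidae Dockerfile or from the acra-censor-demo repository), here is a POSIX sh guard that checks the archive's magic bytes, and optionally a pinned SHA-256, before anything is extracted, so a redirect page or a changed download fails the build with a clear message. The function names, the `verify_archive`/`fetch_and_verify` split and the `ARCHIVE_URL` placeholder are assumptions of this example.

```shell
#!/bin/sh
# Added example: fail fast when a downloaded "zip" is not a zip archive, and
# optionally enforce a pinned SHA-256. Not part of the docker-mutillidae
# Dockerfile or the acra-censor-demo project.
set -eu

# Return 0 when FILE is non-empty and starts with the zip local-file-header
# magic "PK\003\004" (hex 50 4b 03 04); an HTML error/redirect page does not.
is_zip_file() {
    [ -s "$1" ] || return 1
    magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "504b0304" ]
}

# Return 0 when the SHA-256 of FILE ($1) equals the expected hex digest ($2).
# Uses sha256sum (GNU) or shasum (BSD/macOS), whichever is present.
sha256_matches() {
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$1" | cut -d' ' -f1)
    else
        actual=$(shasum -a 256 "$1" | cut -d' ' -f1)
    fi
    [ "$actual" = "$2" ]
}

# verify_archive FILE [SHA256]: both checks; prints why it failed on stderr.
verify_archive() {
    file=$1; expected=${2:-}
    if ! is_zip_file "$file"; then
        # Show the first bytes so an HTML page is recognisable in the build log.
        echo "error: $file is not a zip archive; starts with: $(head -c 80 "$file" | tr -d '\r\n')" >&2
        return 1
    fi
    if [ -n "$expected" ] && ! sha256_matches "$file" "$expected"; then
        echo "error: $file does not match the pinned SHA-256 $expected" >&2
        return 1
    fi
    return 0
}

# fetch_and_verify URL OUT [SHA256]: download, then refuse to continue unless
# the artifact is a zip (and matches the pin, when one is given). Meant to
# replace "wget -q URL -O mutillidae.zip" in a Dockerfile RUN step, followed by
# "&& unzip -q mutillidae.zip -d /usr/share/nginx/html/".
fetch_and_verify() {
    url=$1; out=$2; expected=${3:-}
    wget -q "$url" -O "$out"
    verify_archive "$out" "$expected"
}

# Example invocation (ARCHIVE_URL and the digest are placeholders to be
# replaced with a versioned release URL and its published checksum):
# fetch_and_verify "$ARCHIVE_URL" mutillidae.zip "<sha256 of that release>"
```

The point of pinning a release URL plus a digest rather than `latest/download` is that the image then either builds the bytes you reviewed or fails loudly; silently extracting whatever a third-party mirror served is exactly how the build above got to a confusing error one step late.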

@vixentael vixentael added the question Further information is requested label Mar 1, 2022
@vixentael
Contributor

hi @deadline39 thank you for letting us know!

we haven't touched this example in a while, and mutillidae project has been also significantly updated since then.

could you please clarify your requirements: what exactly are you trying to achieve?

@deadline39
Author

hi @vixentael thank you for the quick reply

I wanted an easy way to test the AcraCensor module as protection against SQL injection in firewall mode. I wanted to run a working application and test it using sqlmap to see what fraction of attacks would be blocked.

I can use other examples or guidelines, if they allow me to achieve a similar result.

@vixentael
Contributor

@deadline39

I suggest doing the following:

  1. Run this example
    https://github.com/cossacklabs/acra-engineering-demo/#example-1-transparent-encryption-django-postgresql

It's a transparent encryption example (Acra, PostgreSQL, Django app). Acra will encrypt / decrypt data before putting it into the DB.

Try to read / write data to the database, all queries should work.

  2. Enable the SQL firewall on AcraServer (add this line to docker-compose)
    https://github.com/cossacklabs/acra-censor-demo/blob/master/docker-compose.acra-censor-demo.yml#L71

add the default config
https://github.com/cossacklabs/acra-censor-demo/blob/master/.acraconfigs/acra-server/acra-censor.norules.yaml

Try to read / write data to the database, all queries should work.

  3. Put in a config that denies all queries
    https://github.com/cossacklabs/acra-censor-demo/blob/master/.acraconfigs/acra-server/acra-censor.ruleset03.yaml

Try to read / write data to the database, all queries should be stopped by AcraCensor.

  4. Experiment with the config, leaving only the queries you need, like https://github.com/cossacklabs/acra-censor-demo/blob/master/.acraconfigs/acra-server/acra-censor.ruleset01.yaml

Please refer to https://docs.cossacklabs.com/acra/security-controls/sql-firewall/

If you are looking for a commercial license, please ping us, we do have ready-to-use playgrounds for customers interested in Acra Enterprise Edition. It will require signing the NDA.
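Steps 2 to 4 above are the whole point of the exercise: the firewall only blocks what the configuration tells it to. As an added illustration (this is not one of the demo's `.acraconfigs/acra-server/*.yaml` files and not the project's own example), here is the shape of an AcraCensor config that moves from "deny everything" to an allow-list of the application's own query shapes, in the order the handlers are evaluated. Handler and key names follow the SQL firewall documentation linked above; the table name `blog_entry`, the column names and the log file names are placeholders assumed for this example, to be replaced with the queries the Django app in Example 1 actually sends (captured, for instance, while running with the norules config).

```yaml
# Added example config for AcraCensor; not a file from acra-censor-demo.
# Assumed placeholders: blog_entry, its columns, and the two log file names.
ignore_parse_error: false          # a query the parser cannot read is denied, not passed through
parse_errors_log: unparsed_queries.log

handlers:
  # 1. Transaction control is not interesting for the experiment; let it through.
  - handler: query_ignore
    queries:
      - BEGIN
      - COMMIT
      - ROLLBACK

  # 2. Allow only the shapes of queries the application itself issues.
  #    %%VALUE%% matches one literal, so "id = 1 OR 1=1" or a UNION tail
  #    does not match and falls through to the denyall handler below.
  - handler: allow
    patterns:
      - SELECT %%COLUMN%% FROM blog_entry WHERE id = %%VALUE%%
      - SELECT %%COLUMN%% FROM blog_entry WHERE id IN (%%LIST_OF_VALUES%%)
      - INSERT INTO blog_entry VALUES (%%LIST_OF_VALUES%%)

  # 3. Everything not matched above is blocked. Without this final handler the
  #    allow list is not a restriction at all: unmatched queries reach PostgreSQL.
  - handler: denyall

  # 4. Record what was evaluated, for tuning the allow list (the file grows).
  - handler: query_capture
    filepath: censor_log
```

The weak configuration is the same file without the `denyall` handler (and with `ignore_parse_error: true`): an allow list that is never enforced, plus a free pass for anything the parser chokes on, which is precisely what a sqlmap tamper script produces. Comparing sqlmap's results against the norules config, the denyall config and this allow list gives the "fraction blocked" number asked for above. The AcraServer flag that points at this file is, from the Acra docs, `--acracensor_config_file=<path>`; check it against the linked compose line and the Acra version you run.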

@deadline39
Author

I'm following the instructions in Example 1, but after "2.2 Add a new post" the data is not displayed correctly on the page

http://www.djangoproject.example:8000/admin/blog/entry/
[screenshot]
nor on http://www.djangoproject.example:8000/weblog/ :
[screenshot]

I suspect that the data is not decrypted when retrieved from the database, but I don't know how to fix this problem.

At the same time, executing another similar example, Example 5. Client-side encryption, works fine, but in either case I don't know how to test SQL injection if the web application is not set up for it (has a prepared "unsecured" endpoint), like Mutillidae for example. Therefore, is it possible to connect to AcraServer directly, without connecting to Django, so that it looks like a database to an external application (sqlmap)?

@Lagovas

Lagovas commented Mar 10, 2022

Yeah, we know about that problem and it will be fixed soon in #45, where an extra wrapper was added for models' fields, because binary data from PostgreSQL is stored as memoryview objects instead of bytes/bytestring. You can wait until it is merged after review, or cherry-pick the fixes.
