test: limit system resources to comply with OWASP rule #7 (#94)

Djaytan · web-flow · commit 581d4fb6dcce · 2025-05-04T17:14:30.000+02:00
See https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-7-limit-resources-memory-cpu-file-descriptors-processes-restarts.
diff --git a/localdev.sh b/localdev.sh
@@ -1,10 +1,7 @@
 #!/usr/bin/env sh
-# TODO: OWASP RULE#7 https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-7-limit-resources-memory-cpu-file-descriptors-processes-restarts
-# TODO: Same OWASP rules in test.sh file
 # TODO: document security recommendations adapted to this project
 # TODO: document requirements for OWASP RULE#8 https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-7-limit-resources-memory-cpu-file-descriptors-processes-restarts
 # TODO: try OWASP RULE#8 here
-# TODO: move at root of the project
 
 set -eu
 
@@ -19,9 +16,24 @@ echo '✅  Image built successfully.'
 
 echo '▶️ Starting the localdev PaperMC server...'
 
+# Apply security best practices based on OWASP recommendations:
+# https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html
+#
+# Simulate a production-like environment by enforcing strict security policies:
+# - Drop all Linux capabilities (PaperMC does not require any).
+# - Disable privilege escalation within the container.
+# - Set ulimits:
+#     - `nofile` (open files): 16384 — sufficient for typical Java-based Minecraft servers.
+#     - `nproc` (processes): 4096 — a safe and generous limit for JVM workloads.
+#     - `core`: 0 — disables core dumps to preserve disk space and avoid leaking sensitive information.
 docker run --rm -it \
   --cap-drop all \
   --security-opt no-new-privileges \
+  --ulimit nofile=16384 \
+  --ulimit nproc=4096 \
+  --ulimit core=0 \
+  --cpus=4 \
+  --memory=8GB \
   -p 25565:25565/tcp -p 25565:25565/udp \
   -e EULA=true \
   'djaytan/papermc-server:dev'
diff --git a/src/main/docker/runtime/start.sh b/src/main/docker/runtime/start.sh
@@ -70,4 +70,5 @@ echo 'File eula.txt processed'
 
 echo 'PaperMC server ready to start!'
 
+# TODO: ensure that the server replace PID 1 instead of spawning a child process (exec command)
 java $JVM_ARGUMENTS -jar "${SCRIPT_DIR}"/papermc-server-*.jar $SERVER_ARGS
diff --git a/src/test/docker/test.sh b/src/test/docker/test.sh
@@ -9,9 +9,24 @@ echo '📋 Testing the Docker PaperMC server image...'
 
 echo '▶️ Starting the PaperMC server in background...'
 
+# Apply security best practices based on OWASP recommendations:
+# https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html
+#
+# Simulate a production-like environment by enforcing strict security policies:
+# - Drop all Linux capabilities (PaperMC does not require any).
+# - Disable privilege escalation within the container.
+# - Set ulimits:
+#     - `nofile` (open files): 16384 — sufficient for typical Java-based Minecraft servers.
+#     - `nproc` (processes): 4096 — a safe and generous limit for JVM workloads.
+#     - `core`: 0 — disables core dumps to preserve disk space and avoid leaking sensitive information.
 docker run --rm -d --name "$CONTAINER_NAME" \
   --cap-drop all \
   --security-opt no-new-privileges \
+  --ulimit nofile=16384 \
+  --ulimit nproc=4096 \
+  --ulimit core=0 \
+  --cpus=4 \
+  --memory=8GB \
   -p 25565:25565/tcp -p 25565:25565/udp \
   -e EULA=true \
   'djaytan/papermc-server:dev'

Original file line number	Diff line number	Diff line change
`@@ -70,4 +70,5 @@ echo 'File eula.txt processed'`
`70`	`70`
`71`	`71`	`echo 'PaperMC server ready to start!'`
`72`	`72`
	`73`	`+# TODO: ensure that the server replace PID 1 instead of spawning a child process (exec command)`
`73`	`74`	`java $JVM_ARGUMENTS -jar "${SCRIPT_DIR}"/papermc-server-*.jar $SERVER_ARGS`