Remediate security issues

trottomv · trottomv · commit 76fb0a0fe443 · 2025-09-04T17:19:47.000+02:00
- Upgrade to jinja2~=3.1.0
- Remove hardcoded secrets using os.getenv
- Add timeout handler to requests
- Security hardening of Dockerfile
- Fix SSTI vulnerability on jinja2 template rendering
- Turn on coraza waf
diff --git a/.env_temp b/.env_temp
@@ -1,4 +1,4 @@
-APP_IMAGE=python-insecure-app:latest
+APP_IMAGE=python-insecure-app:wolfi-distroless
 COMPOSE_FILE=docker-compose.yaml
 DEBUG=True
 LETSENCRYPT_EMAIL=info@example.com
diff --git a/Dockerfile.alpine b/Dockerfile.alpine
@@ -16,10 +16,10 @@ COPY --chown=$NONROOT ./requirements/base.txt requirements/base.txt
 COPY --chown=$NONROOT ./requirements/common.txt requirements/common.txt
 RUN addgroup -S $NONROOT \
 	&& adduser -S $NONROOT -G $NONROOT \
-	# && apk update \
-	# && apk upgrade \
-	#     sqlite-libs \
-	# && rm -rf /var/cache/apk \
+	&& apk update \
+	&& apk upgrade \
+	    sqlite-libs \
+	&& rm -rf /var/cache/apk \
 	&& chown $NONROOT:$NONROOT $WORKDIR \
 	&& python3 -m venv $VIRTUAL_ENV \
 	&& chown -R $NONROOT:$NONROOT $VIRTUAL_ENV \
diff --git a/app/config.py b/app/config.py
@@ -10,6 +10,6 @@
 
 PUBLIC_IP_SERVICE_URL = os.getenv("PUBLIC_IP_SERVICE_URL")
 
-SUPER_SECRET_NAME = "John Ripper"
+SUPER_SECRET_NAME = os.getenv("SUPER_SECRET_NAME")
 
-SUPER_SECRET_TOKEN = "5u93R53Cr3tT0k3n"
+SUPER_SECRET_TOKEN = os.getenv("SUPER_SECRET_TOKEN")
diff --git a/app/main.py b/app/main.py
@@ -28,13 +28,13 @@ async def try_hack_me(name: str = config.SUPER_SECRET_NAME):
     """
     try:
         # Get the public IP address from an external service
-        public_ip_response = requests.get(config.PUBLIC_IP_SERVICE_URL)
+        public_ip_response = requests.get(config.PUBLIC_IP_SERVICE_URL, timeout=5)
         public_ip_response.raise_for_status()
     except (requests.HTTPError, requests.exceptions.InvalidSchema):
         public_ip = "Unknown"
     else:
         public_ip = public_ip_response.text
     name = name or config.SUPER_SECRET_NAME
-    content = f"<h1>Hello, {name}!</h1><h2>Public IP: <code>{public_ip}</code></h2>"
+    content = "<h1>Hello, {{name}}!</h1><h2>Public IP: <code>{{public_ip}}</code></h2>"
     # FIXME: https://fastapi.tiangolo.com/advanced/custom-response/#return-a-response
-    return Template(content).render()
+    return Template(content).render(name=name, public_ip=public_ip)
diff --git a/caddy/Caddyfile b/caddy/Caddyfile
@@ -10,7 +10,7 @@
 (waf_rules) {
     coraza_waf {
         directives `
-            SecRuleEngine Off
+            SecRuleEngine On
             SecRequestBodyAccess On
             SecRequestBodyLimitAction Reject
             SecDebugLogLevel 9
diff --git a/requirements/common.in b/requirements/common.in
@@ -1,4 +1,4 @@
 -r base.in
-fastapi[standard]~=0.115.0
-jinja2~=3.0.0
+fastapi[standard]~=0.116.0
+jinja2~=3.1.0
 requests~=2.32.0
diff --git a/tests/test_main.py b/tests/test_main.py
@@ -35,3 +35,7 @@ def test_root(requests_mock):
         response.content.decode()
         == "<h1>Hello, Bob!</h1><h2>Public IP: <code>123.45.67.89</code></h2>"
     )
+    response = client.get("/?name={{7*6}}")
+    assert response.status_code == 200
+    assert "42" not in response.content.decode()
+    assert "{{7*6}}" in response.content.decode()

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-APP_IMAGE=python-insecure-app:latest`
	`1`	`+APP_IMAGE=python-insecure-app:wolfi-distroless`
`2`	`2`	`COMPOSE_FILE=docker-compose.yaml`
`3`	`3`	`DEBUG=True`
`4`	`4`	`[email protected]`
Original file line number	Diff line number	Diff line change
`@@ -35,3 +35,7 @@ def test_root(requests_mock):`
`35`	`35`	`response.content.decode()`
`36`	`36`	`== "<h1>Hello, Bob!</h1><h2>Public IP: <code>123.45.67.89</code></h2>"`
`37`	`37`	`)`
	`38`	`+ response = client.get("/?name={{7*6}}")`
	`39`	`+ assert response.status_code == 200`
	`40`	`+ assert "42" not in response.content.decode()`
	`41`	`+ assert "{{7*6}}" in response.content.decode()`