senke/veza
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
veza/veza-stream-server/Dockerfile
senke 9cd0da0046 fix(v0.12.6): apply all pentest remediations — 36 findings across 36 files 
CRITICAL fixes:
- Race condition (TOCTOU) in payout/refund with SELECT FOR UPDATE (CRITICAL-001/002)
- IDOR on analytics endpoint — ownership check enforced (CRITICAL-003)
- CSWSH on all WebSocket endpoints — origin whitelist (CRITICAL-004)
- Mass assignment on user self-update — strip privileged fields (CRITICAL-005)

HIGH fixes:
- Path traversal in marketplace upload — UUID filenames (HIGH-001)
- IP spoofing — use Gin trusted proxy c.ClientIP() (HIGH-002)
- Popularity metrics (followers, likes) set to json:"-" (HIGH-003)
- bcrypt cost hardened to 12 everywhere (HIGH-004)
- Refresh token lock made mandatory (HIGH-005)
- Stream token replay prevention with access_count (HIGH-006)
- Subscription trial race condition fixed (HIGH-007)
- License download expiration check (HIGH-008)
- Webhook amount validation (HIGH-009)
- pprof endpoint removed from production (HIGH-010)

MEDIUM fixes:
- WebSocket message size limit 64KB (MEDIUM-010)
- HSTS header in nginx production (MEDIUM-001)
- CORS origin restricted in nginx-rtmp (MEDIUM-002)
- Docker alpine pinned to 3.21 (MEDIUM-003/004)
- Redis authentication enforced (MEDIUM-005)
- GDPR account deletion expanded (MEDIUM-006)
- .gitignore hardened (MEDIUM-007)

LOW/INFO fixes:
- GitHub Actions SHA pinning on all workflows (LOW-001)
- .env.example security documentation (INFO-001)
- Production CORS set to HTTPS (LOW-002)

All tests pass. Go and Rust compile clean.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-14 00:44:46 +01:00

62 lines
1.9 KiB
Docker
Raw Blame History

# Build stage - context: repo root (for veza-common path dep)
FROM rust:alpine AS builder
WORKDIR /build
# Copy veza-common (path dependency) and stream-server
COPY veza-common ./veza-common
COPY veza-stream-server/Cargo.toml veza-stream-server/Cargo.lock ./veza-stream-server/
COPY veza-stream-server/benches ./veza-stream-server/benches
# Install build dependencies
RUN apk add --no-cache musl-dev ca-certificates perl make pkgconfig openssl-dev protobuf-dev openssl-libs-static
WORKDIR /build/veza-stream-server
# Fetch dependencies (this layer will be cached if Cargo.toml/Cargo.lock don't change)
RUN cargo fetch --locked
# Copy source code
COPY veza-stream-server/src ./src
COPY veza-stream-server/migrations ./migrations
COPY veza-stream-server/proto ./proto
COPY veza-stream-server/build.rs ./
# Build the application (runtime queries only, no SQLX_OFFLINE needed)
RUN cargo build --release --locked --target x86_64-unknown-linux-musl
# Runtime stage
FROM alpine:3.21
# Install runtime dependencies
RUN apk --no-cache add ca-certificates tzdata && \
# Add wget for health checks
apk --no-cache add wget && \
# Clean up apk cache
rm -rf /var/cache/apk/*
# Create non-root user for security
RUN addgroup -g 1001 -S app && \
adduser -S app -u 1001 -G app -h /app -s /bin/sh
# Set working directory
WORKDIR /app
# Copy binary from builder
COPY --from=builder --chown=app:app /build/veza-stream-server/target/x86_64-unknown-linux-musl/release/stream_server /app/stream_server
# Copy migrations if they exist (Removed as directory does not exist)
# COPY --from=builder --chown=app:app /app/migrations ./migrations
# Switch to app user
USER app
# Expose port
EXPOSE 8082
# Health check
HEALTHCHECK --interval=30s --timeout=15s --start-period=60s --retries=5 \
CMD wget --no-verbose --tries=1 --spider http://localhost:8082/health || exit 1
# Run the application
CMD ["./stream_server"]
Reference in a new issue View git blame Copy permalink