From 78459df96266f1041ccb6f7560c693f0d2a16cf3 Mon Sep 17 00:00:00 2001 From: Lebaud Antoine Date: Thu, 14 Mar 2024 16:29:09 +0100 Subject: [PATCH] =?UTF-8?q?=F0=9F=90=9B(docker)=20build=20Docker=20images?= =?UTF-8?q?=20with=20an=20unprivileged=20user?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This is a major issue. Docker Images were built and published with a root user in the CI. if a user manages to break out of the application running as root in the container, he may gain root user access on host. In addition, configuring container to user unprivileged is the best way yo prevent privilege escalation attacks. We mitigated this issue by creating a new environment variable DOCKER_USER. DOCKER_USER is set with id -u and id -g outputs. Then, it is passed as a build-args when running docker/build-push-action steps.
---
 .github/workflows/docker-hub.yml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/.github/workflows/docker-hub.yml b/.github/workflows/docker-hub.yml
index 72f4c1f..f4381cc 100644
--- a/.github/workflows/docker-hub.yml
+++ b/.github/workflows/docker-hub.yml
@@ -11,6 +11,9 @@ on:
 branches: - 'main'
+env:
+ DOCKER_USER: 1001:127
+
 jobs: build-and-push-backend: runs-on: ubuntu-latest
@@ -40,6 +43,7 @@ jobs:
 with: context: . target: production
+ build-args: DOCKER_USER=${{ env.DOCKER_USER }}:-1000
 push: ${{ github.event_name != 'pull_request' }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }}
@@ -72,6 +76,7 @@ jobs:
 with: context: . target: frontend
+ build-args: DOCKER_USER=${{ env.DOCKER_USER }}:-1000
 push: ${{ github.event_name != 'pull_request' }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }}
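Review bot: `DOCKER_USER: 1001:127` in the new `env:` block is a hard-coded uid:gid pair, while the commit message says the value is taken from the `id -u` and `id -g` outputs; one of the two should be corrected so the recorded rationale matches what the workflow actually does. The value is also a plain digits-and-colon scalar, so quoting it as `DOCKER_USER: "1001:127"` makes the string intent explicit and removes any dependence on the parser's implicit typing. Whether uid 1001 / gid 127 exists inside the built image, and whether the image actually switches to that user, depends on the Dockerfile, which is not part of this patch.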
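Review bot: The added `build-args` line appends a literal `:-1000` to the expanded expression: GitHub Actions substitutes `${{ env.DOCKER_USER }}` before the step runs, so the build argument becomes `DOCKER_USER=1001:127:-1000`, not a default-value fallback as the shell-style `${VAR:-1000}` syntax suggests. Any `USER` or `useradd` in the Dockerfile consuming this argument would presumably receive a three-field value rather than uid:gid. Either drop the suffix, `build-args: DOCKER_USER=${{ env.DOCKER_USER }}`, or express the fallback in the expression language, `build-args: DOCKER_USER=${{ env.DOCKER_USER || '1000' }}`. The same line is added in the `@@ -72,6 +76,7 @@` hunk for the frontend target and needs the same change.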