From ffcd582f463d4f49ada34274e1461d1c7a65113a Mon Sep 17 00:00:00 2001 From: Eduard Tihomiorv Date: Fri, 21 Nov 2025 14:31:16 +0300 Subject: [PATCH 1/8] Update for next development version --- backend/pom.xml | 2 +- config-data-executor/pom.xml | 2 +- frontend/pom.xml | 2 +- pom.xml | 2 +- resources/pom.xml | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/backend/pom.xml b/backend/pom.xml index 7fc7719..e20abc3 100644 --- a/backend/pom.xml +++ b/backend/pom.xml @@ -5,7 +5,7 @@ ru.micord.ervu eks - 1.1.4 + 1.2.0-SNAPSHOT ru.micord.ervu.eks backend diff --git a/config-data-executor/pom.xml b/config-data-executor/pom.xml index a82a7e7..21e3529 100644 --- a/config-data-executor/pom.xml +++ b/config-data-executor/pom.xml @@ -6,7 +6,7 @@ ru.micord.ervu eks - 1.1.4 + 1.2.0-SNAPSHOT ru.micord.ervu.eks config-data-executor diff --git a/frontend/pom.xml b/frontend/pom.xml index 456c755..e8d9367 100644 --- a/frontend/pom.xml +++ b/frontend/pom.xml @@ -4,7 +4,7 @@ ru.micord.ervu eks - 1.1.4 + 1.2.0-SNAPSHOT ru.micord.ervu.eks diff --git a/pom.xml b/pom.xml index bde114a..9e4483d 100644 --- a/pom.xml +++ b/pom.xml @@ -4,7 +4,7 @@ 4.0.0 ru.micord.ervu eks - 1.1.4 + 1.2.0-SNAPSHOT pom backend diff --git a/resources/pom.xml b/resources/pom.xml index 9a054e2..94ea280 100644 --- a/resources/pom.xml +++ b/resources/pom.xml @@ -4,7 +4,7 @@ ru.micord.ervu eks - 1.1.4 + 1.2.0-SNAPSHOT ru.micord.ervu.eks From 682d3b1bcc3cb8eb61d36eb6fa314b18987a8eb8 Mon Sep 17 00:00:00 2001 From: "adel.ka" Date: Fri, 21 Nov 2025 18:14:04 +0300 Subject: [PATCH 2/8] DocumentBuilderFactory DTD fix --- .../org/micord/service/RequestService.java | 20 +++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/config-data-executor/src/main/java/org/micord/service/RequestService.java b/config-data-executor/src/main/java/org/micord/service/RequestService.java index ea810f9..73a73d0 100644 --- a/config-data-executor/src/main/java/org/micord/service/RequestService.java 
+++ b/config-data-executor/src/main/java/org/micord/service/RequestService.java @@ -23,6 +23,7 @@ import java.util.stream.IntStream; import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; +import jakarta.annotation.PostConstruct; import org.micord.config.ArangoDBConnection; import org.micord.config.DatabaseConnection; import org.micord.config.S3HttpConnection; @@ -56,12 +57,18 @@ public class RequestService { private static final Logger logger = LoggerFactory.getLogger(RequestService.class); + private DocumentBuilderFactory secureDocumentFactory; @Autowired private HttpClient httpClient; @Autowired private ValidationService validationService; + @PostConstruct + public void init() { + secureDocumentFactory = createSecureDocumentBuilderFactory(); + } + private void processS3Request(S3Request request, RequestParameters parameters, Map validationResults) { logger.info("B. Starting processing of single S3 request"); try { @@ -219,8 +226,7 @@ public class RequestService { private void handleErrorResponse(HttpResponse response, String file) { try { - DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); - DocumentBuilder builder = factory.newDocumentBuilder(); + DocumentBuilder builder = secureDocumentFactory.newDocumentBuilder(); InputSource is = new InputSource(new StringReader(response.body())); Document doc = builder.parse(is); Element root = doc.getDocumentElement(); @@ -703,4 +709,14 @@ public class RequestService { } } + private DocumentBuilderFactory createSecureDocumentBuilderFactory() { + DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + try { + factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); + } + catch (Exception e) { + throw new RuntimeException("Failed to secure XML parser", e); + } + return factory; + } } From 6302e630ab4a008d1b6ceddf60fdb73772587cf9 Mon Sep 17 00:00:00 2001 
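Review bot: The `@PostConstruct` hook leaves `secureDocumentFactory` non-final and null until the container calls `init()`, so any code path that constructs `RequestService` outside the Spring lifecycle (a plain unit test, for instance) reaches `secureDocumentFactory.newDocumentBuilder()` in `handleErrorResponse` with a null field. A field initializer does the same work with no extra import or lifecycle ordering to reason about: `private final DocumentBuilderFactory secureDocumentFactory = createSecureDocumentBuilderFactory();`. If the hook is kept, a short comment on `init()` saying the factory must be configured before any request is handled would help the next reader. The enclosing class continues outside the hunk.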
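Review bot: `createSecureDocumentBuilderFactory` enables only `disallow-doctype-decl`, which is the right primary control (no DTD means no external entities and no entity-expansion bombs), but the remaining parser knobs stay at their defaults, so a later relaxation of that one feature would silently reopen XXE for the untrusted `response.body()` parsed in `handleErrorResponse`. For defense in depth set `factory.setXIncludeAware(false); factory.setExpandEntityReferences(false);` and turn off the `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` features alongside the existing call. `setFeature` only declares `ParserConfigurationException`, so `catch (Exception e)` is wider than needed and `IllegalStateException` fits better than a bare `RuntimeException` for "parser cannot be hardened". The factory is configured once and then only read; the JDK does not document `DocumentBuilderFactory` as thread-safe, so a comment noting that it must not be mutated after init would be worth adding since it is now shared by all requests.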
From: "adel.ka" Date: Fri, 21 Nov 2025 18:15:39 +0300 Subject: [PATCH 3/8] Update for next development version --- backend/pom.xml | 2 +- config-data-executor/pom.xml | 2 +- frontend/pom.xml | 2 +- pom.xml | 2 +- resources/pom.xml | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/backend/pom.xml b/backend/pom.xml index bef3c56..f3efba0 100644 --- a/backend/pom.xml +++ b/backend/pom.xml @@ -5,7 +5,7 @@ ru.micord.ervu eks - 1.1.5-SNAPSHOT + 1.1.5 ru.micord.ervu.eks backend diff --git a/config-data-executor/pom.xml b/config-data-executor/pom.xml index aae9d83..7a0c8bd 100644 --- a/config-data-executor/pom.xml +++ b/config-data-executor/pom.xml @@ -6,7 +6,7 @@ ru.micord.ervu eks - 1.1.5-SNAPSHOT + 1.1.5 ru.micord.ervu.eks config-data-executor diff --git a/frontend/pom.xml b/frontend/pom.xml index 1a83a07..961fece 100644 --- a/frontend/pom.xml +++ b/frontend/pom.xml @@ -4,7 +4,7 @@ ru.micord.ervu eks - 1.1.5-SNAPSHOT + 1.1.5 ru.micord.ervu.eks diff --git a/pom.xml b/pom.xml index 43573e4..b2c8af9 100644 --- a/pom.xml +++ b/pom.xml @@ -4,7 +4,7 @@ 4.0.0 ru.micord.ervu eks - 1.1.5-SNAPSHOT + 1.1.5 pom backend diff --git a/resources/pom.xml b/resources/pom.xml index 9cc037c..63f2172 100644 --- a/resources/pom.xml +++ b/resources/pom.xml @@ -4,7 +4,7 @@ ru.micord.ervu eks - 1.1.5-SNAPSHOT + 1.1.5 ru.micord.ervu.eks From 49c3b042f3811dde0e678dd3a2e3177f2f44363d Mon Sep 17 00:00:00 2001 From: "adel.ka" Date: Fri, 21 Nov 2025 18:31:02 +0300 Subject: [PATCH 4/8] Update for next development version --- backend/pom.xml | 2 +- config-data-executor/pom.xml | 2 +- frontend/pom.xml | 2 +- pom.xml | 2 +- resources/pom.xml | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/backend/pom.xml b/backend/pom.xml index f3efba0..e20abc3 100644 --- a/backend/pom.xml +++ b/backend/pom.xml @@ -5,7 +5,7 @@ ru.micord.ervu eks - 1.1.5 + 1.2.0-SNAPSHOT ru.micord.ervu.eks backend 
diff --git a/config-data-executor/pom.xml b/config-data-executor/pom.xml index 7a0c8bd..21e3529 100644 --- a/config-data-executor/pom.xml +++ b/config-data-executor/pom.xml @@ -6,7 +6,7 @@ ru.micord.ervu eks - 1.1.5 + 1.2.0-SNAPSHOT ru.micord.ervu.eks config-data-executor diff --git a/frontend/pom.xml b/frontend/pom.xml index 961fece..e8d9367 100644 --- a/frontend/pom.xml +++ b/frontend/pom.xml @@ -4,7 +4,7 @@ ru.micord.ervu eks - 1.1.5 + 1.2.0-SNAPSHOT ru.micord.ervu.eks diff --git a/pom.xml b/pom.xml index b2c8af9..9e4483d 100644 --- a/pom.xml +++ b/pom.xml @@ -4,7 +4,7 @@ 4.0.0 ru.micord.ervu eks - 1.1.5 + 1.2.0-SNAPSHOT pom backend diff --git a/resources/pom.xml b/resources/pom.xml index 63f2172..94ea280 100644 --- a/resources/pom.xml +++ b/resources/pom.xml @@ -4,7 +4,7 @@ ru.micord.ervu eks - 1.1.5 + 1.2.0-SNAPSHOT ru.micord.ervu.eks From 40568eb4672f25ab0796ba96460102f5e6aea57c Mon Sep 17 00:00:00 2001 From: Pavel Zilke Date: Tue, 25 Nov 2025 21:00:15 +0300 Subject: [PATCH 5/8] update config/.env --- config/.env | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/.env b/config/.env index 5c4558f..714e737 100644 --- a/config/.env +++ b/config/.env @@ -1 +1 @@ -IMAGE=eks-app:latest +IMAGE=eks-app:1.1.5 From 47a3233265e9df58c1eec14be71d8280af4257c7 Mon Sep 17 00:00:00 2001 From: Pavel Zilke Date: Tue, 25 Nov 2025 22:38:55 +0300 Subject: [PATCH 6/8] fix --- Dockerfile | 24 ++++++++++++++++++------ config/docker-compose.yaml | 7 ++++++- config/nginx.conf | 9 +-------- 3 files changed, 25 insertions(+), 15 deletions(-) diff --git a/Dockerfile b/Dockerfile index f8d8572..37538f6 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,5 @@ -ARG BUILDER_IMAGE=nexus.ervu.rt-sk.ru/ervu-base/alpine:3.22.1 -ARG RUNTIME_IMAGE=nexus.ervu.rt-sk.ru/ervu-base/alpine:3.22.1 +ARG BUILDER_IMAGE=nexus.ervu.rt-sk.ru/ervu-base/alpine:3.22.2 +ARG RUNTIME_IMAGE=nexus.ervu.rt-sk.ru/ervu-base/alpine:3.22.2 FROM $BUILDER_IMAGE AS builder 
@@ -35,11 +35,23 @@ RUN rm -f /etc/apk/repositories \ ENV BACKEND_URL=http://localhost:8080 ENV CONFIG_DATA_EXECUTOR_URL=http://localhost:8080/api -COPY config/nginx.conf /etc/nginx/nginx.conf -COPY --from=builder /app/frontend/dist /usr/share/nginx/html -COPY --from=builder /app/backend/target/*.jar /home/app/backend.jar -COPY --from=builder /app/config-data-executor/target/*.jar /home/app/cde.jar EXPOSE 80 +RUN addgroup --system --gid 1002 app \ + && adduser -S appuser -u 1002 -G app \ + && adduser -S cdeuser -u 1003 -G app \ + && mkdir -p /home/app/transaction-logs && chown appuser:app /home/app \ + && mkdir -p /home/cde/transaction-logs && chown cdeuser:app /home/cde + +COPY config/nginx.conf /etc/nginx/nginx.conf +COPY --from=builder /app/frontend/dist /usr/share/nginx/html +COPY --from=builder /app/backend/target/*.jar /home/app/backend.jar +COPY --from=builder /app/config-data-executor/target/*.jar /home/cde/cde.jar + + +USER appuser + +WORKDIR /home/app + ENTRYPOINT ["java", "-jar", "/home/app/backend.jar"] diff --git a/config/docker-compose.yaml b/config/docker-compose.yaml index 4e02b55..420fa11 100644 --- a/config/docker-compose.yaml +++ b/config/docker-compose.yaml @@ -14,6 +14,8 @@ services: eks-backend: image: ${IMAGE:-eks-app:latest} + user: appuser + working_dir: /home/app depends_on: - db entrypoint: ["java", "-jar", "/home/app/backend.jar"] @@ -25,6 +27,7 @@ services: eks-frontend: image: ${IMAGE:-eks-app:latest} + user: "101:102" depends_on: - eks-backend ports: @@ -35,7 +38,9 @@ services: eks-cde: image: ${IMAGE:-eks-app:latest} - entrypoint: ["java", "-jar", "/home/app/cde.jar"] + user: cdeuser + working_dir: /home/cde + entrypoint: ["java", "-jar", "/home/cde/cde.jar"] volumes: - ./cde-xml:/cde-xml environment: diff --git a/config/nginx.conf b/config/nginx.conf index 76c1450..ec0a5c1 100644 --- a/config/nginx.conf +++ b/config/nginx.conf 
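Review bot: `user: "101:102"` on eks-frontend pins nginx to numeric ids that nothing in this series creates (the Dockerfile hunk only adds 1002 and 1003), so it presumably relies on the `nginx` account shipped by the base image's nginx package; naming it (`user: nginx`) would fail loudly if those ids ever differ instead of starting the process as an unnamed uid. Running the nginx master as non-root also needs the log directory referenced in nginx.conf (`/var/log/nginx`), the cache directory and the pid file path to be writable by that uid, and binding port 80 depends on the container's unprivileged-port sysctl or a capability, none of which is visible here, so confirm the container actually comes up before relying on the hardening. The `user: appuser`/`user: cdeuser` entries for the Java services match the accounts created in the Dockerfile and look correct.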
@@ -19,16 +19,10 @@ http { gzip on; gzip_types text/plain text/css text/xml application/x-javascript application/atom+xml; - log_format nginx_main - '$remote_addr - $remote_user [$time_local] $request ' - '"$status" $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for" ' - '"$request_filename" "$gzip_ratio" $upstream_response_time server: $host : $document_root $fastcgi_script_name '; - server { listen 80 default; - access_log /var/log/nginx/access.log nginx_main; + access_log /var/log/nginx/access.log combined; error_log /var/log/nginx/error.log error; root /usr/share/nginx/html; @@ -74,7 +68,6 @@ http { proxy_pass http://eks-backend:8080/ervu-eks/; proxy_set_header Accept application/json; add_header Content-Type application/json; - proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } From b5d1982b63da1718067c562b0036a10300b37737 Mon Sep 17 00:00:00 2001 From: Pavel Zilke Date: Tue, 25 Nov 2025 23:15:20 +0300 Subject: [PATCH 7/8] fix --- Dockerfile | 9 +++------ config/docker-compose.yaml | 4 ++-- 2 files changed, 5 insertions(+), 8 deletions(-) diff --git a/Dockerfile b/Dockerfile index 37538f6..f874355 100644 --- a/Dockerfile +++ b/Dockerfile @@ -39,18 +39,15 @@ ENV CONFIG_DATA_EXECUTOR_URL=http://localhost:8080/api EXPOSE 80 RUN addgroup --system --gid 1002 app \ - && adduser -S appuser -u 1002 -G app \ - && adduser -S cdeuser -u 1003 -G app \ - && mkdir -p /home/app/transaction-logs && chown appuser:app /home/app \ - && mkdir -p /home/cde/transaction-logs && chown cdeuser:app /home/cde + && adduser -S app -u 1002 -G app \ + && adduser -S cde -u 1003 -G app COPY config/nginx.conf /etc/nginx/nginx.conf COPY --from=builder /app/frontend/dist /usr/share/nginx/html COPY --from=builder /app/backend/target/*.jar /home/app/backend.jar COPY --from=builder /app/config-data-executor/target/*.jar /home/cde/cde.jar - -USER appuser +USER app WORKDIR /home/app 
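Review bot: Removing `proxy_set_header Host $host;` means the backend now sees nginx's default upstream host (`eks-backend:8080`) instead of the client's Host value, so any host-based URL generation, redirect or allowed-host check in the backend will be fed the internal service name; if that is the intent, a comment such as `# Host intentionally left as $proxy_host; backend must not trust it for URL building` would stop the line from being re-added blindly, otherwise keep it. While in this block, `proxy_set_header X-Forwarded-Proto $scheme;` next to the existing X-Real-IP/X-Forwarded-For lines gives the backend the external scheme it otherwise cannot know. Switching the first hunk to the `combined` log format drops `$document_root`, `$request_filename` and `$fastcgi_script_name` from access logs, which sensibly reduces filesystem-path disclosure. The `location` block continues outside the hunk.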
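Review bot: The `COPY` lines run before `USER app`, so `/home/app/backend.jar` and `/home/cde/cde.jar` are root-owned and read-only for the `app`/`cde` accounts while the home directories presumably come from `adduser -S` itself; that is a good immutable layout but it is implicit, so a comment like `# jars stay root-owned on purpose: read-only for the runtime users` above the COPY block would keep a later `--chown` from undoing it. This hunk also drops the explicit `mkdir`/`chown` of the `transaction-logs` directories, so the services now depend on being able to create that path under their own home at runtime; confirm both processes still start and write there. The Dockerfile's `ENTRYPOINT` lies outside the hunk.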
diff --git a/config/docker-compose.yaml b/config/docker-compose.yaml index 420fa11..f609344 100644 --- a/config/docker-compose.yaml +++ b/config/docker-compose.yaml @@ -14,7 +14,7 @@ services: eks-backend: image: ${IMAGE:-eks-app:latest} - user: appuser + user: app working_dir: /home/app depends_on: - db @@ -38,7 +38,7 @@ services: eks-cde: image: ${IMAGE:-eks-app:latest} - user: cdeuser + user: cde working_dir: /home/cde entrypoint: ["java", "-jar", "/home/cde/cde.jar"] volumes: From 809df2b6bc5aa059b868a5475c30b759a84f2197 Mon Sep 17 00:00:00 2001 From: Pavel Zilke Date: Tue, 25 Nov 2025 23:44:49 +0300 Subject: [PATCH 8/8] delete old cde Dockerfile --- config-data-executor/Dockerfile | 4 ---- 1 file changed, 4 deletions(-) delete mode 100644 config-data-executor/Dockerfile diff --git a/config-data-executor/Dockerfile b/config-data-executor/Dockerfile deleted file mode 100644 index 0aaea2c..0000000 --- a/config-data-executor/Dockerfile +++ /dev/null @@ -1,4 +0,0 @@ -FROM bellsoft/liberica-openjdk-alpine:17-cds -COPY target/*.jar app.jar - -CMD ["java", "-jar", "app.jar"] \ No newline at end of file