Headline
CVE-2021-34079: docker-tester
OS Command injection vulnerability in Mintzo Docker-Tester through 1.2.1 allows attackers to execute arbitrary commands via shell metacharacters in the ‘ports’ entry of a crafted docker-compose.yml file.
docker-tester
Set up a testing environment with a docker-compose file and verify it's up before running tests
Install
npm i docker-tester --save-dev
- docker and docker-compose are required to be installed and accessible from the terminal, you can get it here
Example
running tests in mocha
const TestingEnvironment = require('docker-tester');
const testingEnvironment = new TestingEnvironment({
  dockerComposeFileLocation: __dirname,
  dockerFileName: 'test.docker-compose.yml',
  verifications: {
    httpServer: {
      // called with the service information; resolve once the service is ready
      verificationFunction: async (service) => {
      },
      promiseRetryOptions: { retries: 4 }
    }
  }
});
// bring the environment up once before the suite; disable the mocha timeout while it starts
before(async function () {
  this.timeout(0);
  await testingEnvironment.start();
});
// tear the environment down after the suite
after(async function () {
  this.timeout(0);
  await testingEnvironment.stop();
});
describe('Simple Usage', () => {
  it('some tests', () => {
    const service = testingEnvironment.getActiveService('example-node-server')
  });
});
docker-compose file
version: '3.1'
services:
  example-node-server:
    image: node
    ports:
      - 7000:80
    environment:
      verificationType: httpServer
  example-mongo:
    image: mongo
    ports:
      - 80
    environment:
      verificationType: mongodb
Full code for this and more examples available here
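CVE-2021-34079 is reached through the ports entries of a compose file like the one above. The following is an added example, not code from docker-tester: it checks the ports entries of an already parsed compose object against an allow-list of short port syntax before anything is passed to a command line. The function names, the sample object and the docker-compose port argument layout are assumptions made for illustration.

```javascript
// Added example, not docker-tester code. Allow-list for compose short-syntax
// port entries: [IPv4:][HOST[-HOST]:]CONTAINER[-CONTAINER][/tcp|udp]
const PORT = '\\d{1,5}(?:-\\d{1,5})?';
const SHORT_PORT = new RegExp(
  `^(?:(?:\\d{1,3}(?:\\.\\d{1,3}){3}:)?(?:${PORT})?:)?${PORT}(?:/(?:tcp|udp))?$`
);

// A YAML parser yields a number for `- 80` and a string for `- '3001:80'`.
function isSafePortEntry(entry) {
  if (Number.isInteger(entry)) return entry > 0 && entry <= 65535;
  return typeof entry === 'string' && SHORT_PORT.test(entry);
}

// Returns every ports entry that is not plain port syntax, so the caller can
// refuse the file before any docker-compose command is built from it.
function findUnsafePorts(compose) {
  const findings = [];
  for (const [service, def] of Object.entries((compose && compose.services) || {})) {
    const ports = def && def.ports != null ? [].concat(def.ports) : [];
    for (const entry of ports) {
      if (!isSafePortEntry(entry)) findings.push({ service, entry });
    }
  }
  return findings;
}

// Second layer: pass values as separate argv elements (for example to
// child_process.execFile('docker-compose', argv)) instead of building a shell
// string. The `port` subcommand layout here is an assumed call shape.
function composePortArgv(composeFile, service, containerPort) {
  if (!/^\d{1,5}$/.test(String(containerPort))) {
    throw new TypeError(`refusing non-numeric port: ${JSON.stringify(containerPort)}`);
  }
  return ['-f', composeFile, 'port', service, String(containerPort)];
}

// Constructed sample: the page's compose file as a parsed object, plus one
// crafted service whose first ports entry carries a shell metacharacter.
const sampleCompose = {
  services: {
    'example-node-server': { image: 'node', ports: ['7000:80'] },
    'example-mongo': { image: 'mongo', ports: [80] },
    'crafted-service': { image: 'node', ports: ['80; echo injected', '3001:80/udp'] },
  },
};

console.log(findUnsafePorts(sampleCompose));
```

Entries that are neither an integer nor a short-syntax string are reported as well, which keeps the check conservative for the version 3.1 file format shown on this page.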
Usage
Create a new TestingEnvironment instance; its .start() and .stop() async functions use docker-compose up and docker-compose down.
.stop() resolves when all containers have stopped.
.start() resolves when all containers are up and ready.
In the docker-compose file, services requiring verification that they are ready will be verified according to their defined verification type, found under environment -> verificationType.
The TestingEnvironment instance will match each verifications key to a verificationType in the docker-compose file.
Documentation
TestingEnvironment() Constructor
The testing environment can be configured by passing in an object with the following properties
required parameters:
- dockerComposeFileLocation - the folder path where the docker-compose file is found
- dockerFileName - the docker-compose full file name
optional:
- verifications - verifications by type that check when services are ready
  - verificationFunction - required - an async function or a function that returns a promise to verify the service, receives the service information when called
  - promiseRetryOptions - (optional) - promise retry settings, same as promise-retry
    - retries - number of retries, default 5
- disableLogs - disables logs of docker-tester actions when set to true
example options object:
new TestingEnvironment({
  dockerComposeFileLocation: __dirname,
  dockerFileName: 'test.docker-compose.yml',
  verifications: {
    // the key is matched against verificationType in the docker-compose file
    verificationType: {
      verificationFunction,
      promiseRetryOptions
    }
  }
});
.start({ stopIfUp, verifyUp })
Starts all services found in the docker-compose file (docker-compose up -d), verifies they are ready and then resolves; rejects if there was a problem or if verify promises are rejected.
optional settings:
- stopIfUp - (default: true) - runs .stop() before starting services
- verifyUp - (default: true) - runs .verifyAllServices() after starting services
example code:
const testingEnvironment = new TestingEnvironment({
});
await testingEnvironment.start();
.stop()
Stops all running services (docker-compose down) then resolves; rejects if there was a problem or if verify promises are rejected.
example code:
const testingEnvironment = new TestingEnvironment({
});
await testingEnvironment.start();
await testingEnvironment.stop();
.verifyAllServices()
Verifies all services are ready using the service verificationType then resolves; rejects if there was a problem or if verify promises are rejected.
example code:
const testingEnvironment = new TestingEnvironment({
});
await testingEnvironment.start({ verifyUp: false });
await testingEnvironment.verifyAllServices();
.getActiveService(serviceName)
Returns an active service configuration by the specified service name in the docker-compose file.
Can be used to retrieve the external exposed ip; not defining an exposed ip can enable running tests in parallel.
example-service:
  environment:
    verificationType: httpServer
  ports:
    - '3001:80'

example-service:
  environment:
    verificationType: httpServer
  ports:
    - 80
example code:
const testingEnvironment = new TestingEnvironment({
});
await testingEnvironment.start();
await testingEnvironment.getActiveService('example-service');
{
  image: 'node',
  working_dir: '/service',
  volumes: [ '…/:/service' ],
  ports: [ { external: "7000", internal: "3000" } ],
  command: 'npm start',
  environment: { verificationType: 'httpServer' }
}