pull/572/head
Pete Matsyburka 2 months ago
parent b2cd7c82a7
commit d1768be636

@ -53,6 +53,8 @@ WORKDIR /app
RUN apk add --no-cache sqlite-dev libpq-dev mariadb-dev vips-dev yaml-dev redis libheif vips-heif gcompat ttf-freefont && mkdir /fonts && rm /usr/share/fonts/freefont/FreeSans.otf RUN apk add --no-cache sqlite-dev libpq-dev mariadb-dev vips-dev yaml-dev redis libheif vips-heif gcompat ttf-freefont && mkdir /fonts && rm /usr/share/fonts/freefont/FreeSans.otf
RUN addgroup -g 2000 docuseal && adduser -u 2000 -G docuseal -s /bin/sh -D -h /home/docuseal docuseal
RUN echo $'.include = /etc/ssl/openssl.cnf\n\ RUN echo $'.include = /etc/ssl/openssl.cnf\n\
\n\ \n\
[provider_sect]\n\ [provider_sect]\n\
@ -92,7 +94,10 @@ COPY --from=webpack /app/public/packs ./public/packs
RUN ln -s /fonts /app/public/fonts RUN ln -s /fonts /app/public/fonts
RUN bundle exec bootsnap precompile -j 1 --gemfile app/ lib/ RUN bundle exec bootsnap precompile -j 1 --gemfile app/ lib/
RUN chown -R docuseal:docuseal /app
WORKDIR /data/docuseal WORKDIR /data/docuseal
ENV HOME=/home/docuseal
ENV WORKDIR=/data/docuseal ENV WORKDIR=/data/docuseal
EXPOSE 3000 EXPOSE 3000
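Review bot: `RUN chown -R docuseal:docuseal /app` gives the whole application tree, including the code and the bootsnap cache precompiled on the line above, to the account the server runs as. Any flaw that yields file-write access in the running app can then also modify the code it loads. Consider leaving /app owned by root and chowning only the paths the app must write at runtime, e.g. `RUN chown -R docuseal:docuseal <runtime-writable dirs>` (placeholder; those paths are not visible in these hunks). No `USER` line appears in the visible hunks, so the image presumably still starts as root and relies on the drop done in the Ruby boot code; a Dockerfile comment saying so would help whoever sets `runAsNonRoot`-style policies.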

@ -1,6 +1,20 @@
# frozen_string_literal: true # frozen_string_literal: true
if ENV['RAILS_ENV'] == 'production' if ENV['RAILS_ENV'] == 'production'
if Process.uid.zero?
begin
workdir = ENV.fetch('WORKDIR', '.')
if File.exist?(workdir) && File.stat(workdir).uid != 2000
puts 'Changing the owner of the docuseal directory...' unless Dir.empty?(workdir)
FileUtils.chown_R(2000, 2000, workdir)
end
rescue StandardError
puts 'Unable to change docuseal directory owner'
end
end
if !ENV['AWS_SECRET_MANAGER_ID'].to_s.empty? if !ENV['AWS_SECRET_MANAGER_ID'].to_s.empty?
require 'aws-sdk-secretsmanager' require 'aws-sdk-secretsmanager'
@ -30,12 +44,30 @@ if ENV['RAILS_ENV'] == 'production'
File.write(dotenv_path, default_env) File.write(dotenv_path, default_env)
end end
if Process.uid.zero?
begin
File.chown(0, 0, dotenv_path)
File.chmod(0o600, dotenv_path)
rescue StandardError
puts 'Unable to set dotenv mod'
end
end
database_url = ENV.fetch('DATABASE_URL', nil) database_url = ENV.fetch('DATABASE_URL', nil)
Dotenv.load(dotenv_path) Dotenv.load(dotenv_path)
ENV['DATABASE_URL'] = ENV['DATABASE_URL'].to_s.empty? ? database_url : ENV.fetch('DATABASE_URL', nil) ENV['DATABASE_URL'] = ENV['DATABASE_URL'].to_s.empty? ? database_url : ENV.fetch('DATABASE_URL', nil)
end end
unless Process.uid == 2000
begin
Process::Sys.setgid(2000)
Process::Sys.setuid(2000)
rescue StandardError
puts 'Unable to run as 2000:2000'
end
end
end end
if ENV['DATABASE_URL'].to_s.split('@').last.to_s.split('/').first.to_s.include?('_') if ENV['DATABASE_URL'].to_s.split('@').last.to_s.split('/').first.to_s.include?('_')
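Review bot: The privilege drop in the last added block (`Process::Sys.setgid(2000)` then `Process::Sys.setuid(2000)`) fails open and never resets the supplementary group list. If either call raises, the rescue only prints 'Unable to run as 2000:2000' and boot continues under the uid the process started with, which may be root. setgid changes only the primary group, so a root-started process keeps whatever supplementary groups root had in the container. I would add `Process.groups = [2000]` before the setgid call and make the rescue `abort 'Unable to run as 2000:2000' if Process.uid.zero?`, so a root start either drops fully or stops. The whole block sits inside `if ENV['RAILS_ENV'] == 'production'`, so no drop happens in other environments; a comment stating that would be worth adding.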
