[minor] Add allowInsecureArgs to scyllaridae.yml #490

Merged: aOelschlager merged 8 commits into main from insecure-args on Nov 26, 2025

Conversation

@joecorall

@joecorall joecorall commented Nov 12, 2025

Contributor

This PR does two things:

  1. Restructures the scyllaridae Dockerfile to build the Go binary in a multi-stage build. This is to make testing PRs on https://github.com/Islandora/scyllaridae easier (e.g. [minor] Add allowInsecureArgs to yaml spec Islandora/scyllaridae#164).
  2. Adds allowInsecureArgs as an environment variable microservices can set to allow dangerous bash characters in X-Islandora-Args HTTP headers.

How to test

Update your houdini service to use this PR's houdini image

services:
  houdini:
    image: islandora/houdini:insecure-args

Restart your service

docker compose up -d

Request a PNG from the service

docker compose exec -it houdini curl -sf \
  -H "Apix-Ldp-Resource: https://preserve.lehigh.edu/themes/custom/lehigh/assets/img/favicon76.png" \
  -H "X-Islandora-Args: -resize 10000x10000>" \
  -H "Accept: image/png" http://localhost:8080/ > image.png || echo "file not created"

"file not created" should print, since there is an insecure bash argument in X-Islandora-Args (i.e. >).

Update your houdini service to allow insecure args

services:
  houdini:
    image: islandora/houdini:insecure-args
    environment:
      SCYLLARIDAE_ALLOW_INSECURE_ARGS: "true"

Restart your service

docker compose up -d

Request a PNG from the service

docker compose exec -it houdini curl -sf \
  -H "Apix-Ldp-Resource: https://preserve.lehigh.edu/themes/custom/lehigh/assets/img/favicon76.png" \
  -H "X-Islandora-Args: -resize 10000x10000>" \
  -H "Accept: image/png" http://localhost:8080/ > image.png && echo "file created"

"file created" should print, even though there is an insecure bash argument in X-Islandora-Args (i.e. >).

There should be a file on your system that is a 76x76 PNG:

$ file image.png
image.png: PNG image data, 76 x 76, 8-bit/color RGBA, non-interlaced
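The test procedure above exercises one behaviour: a header containing a bash metacharacter such as > is rejected by default and accepted once SCYLLARIDAE_ALLOW_INSECURE_ARGS is "true". The Go program below is an added example written for this page, not scyllaridae's own code, that shows the shape of such a gate and why it matters. The function names, the deny-list of characters (the PR only shows that > is rejected), and the way the environment value is parsed are all assumptions; it also assumes the validated arguments are handed to exec.Command as an argv slice rather than interpolated into a shell string, which the page does not confirm for scyllaridae.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Added example, not scyllaridae's code. The names, the character list and
// the environment-variable parsing below are assumptions for illustration.

// ErrInsecureArgs is returned when the header carries shell metacharacters
// and the allow-insecure flag is off.
var ErrInsecureArgs = errors.New("X-Islandora-Args contains shell metacharacters")

// insecureChars is the assumed deny-list of bash metacharacters. The PR only
// shows that ">" is rejected by default; the rest of the list is this
// example's choice.
const insecureChars = "&|;<>`$(){}!\\\"'\n\r"

// AllowInsecureArgs reads the flag the way a boolean env var is usually read:
// only the literal string "true" (case-insensitive, trimmed) enables the bypass.
func AllowInsecureArgs(envValue string) bool {
	return strings.EqualFold(strings.TrimSpace(envValue), "true")
}

// ValidateArgs splits the X-Islandora-Args header into an argv slice. When
// allowInsecure is false any metacharacter rejects the whole header, which is
// why "-resize 10000x10000>" fails until the flag is set.
func ValidateArgs(header string, allowInsecure bool) ([]string, error) {
	if !allowInsecure && strings.ContainsAny(header, insecureChars) {
		return nil, ErrInsecureArgs
	}
	return strings.Fields(header), nil
}

// BuildArgv returns the argument vector a caller would hand to
// exec.Command(argv[0], argv[1:]...). Because no shell parses it, a trailing
// ">" in an ImageMagick geometry reaches the tool as a literal character
// rather than acting as an output redirection.
func BuildArgv(tool, header string, allowInsecure bool) ([]string, error) {
	args, err := ValidateArgs(header, allowInsecure)
	if err != nil {
		return nil, err
	}
	return append([]string{tool}, args...), nil
}

// ShellLine shows the string a naive `bash -c` invocation would receive if the
// argv were joined with spaces. It exists only to make the hazard visible:
// in that execution model the same ">" becomes a real redirection.
func ShellLine(argv []string) string {
	return strings.Join(argv, " ")
}

func main() {
	header := "-resize 10000x10000>" // the header from the PR's curl test
	for _, env := range []string{"", "true"} {
		allow := AllowInsecureArgs(env)
		argv, err := BuildArgv("convert", header, allow)
		if err != nil {
			fmt.Printf("SCYLLARIDAE_ALLOW_INSECURE_ARGS=%q: rejected: %v\n", env, err)
			continue
		}
		fmt.Printf("SCYLLARIDAE_ALLOW_INSECURE_ARGS=%q: argv=%q\n", env, argv)
		fmt.Printf("  joined into a shell line it would read: %s\n", ShellLine(argv))
	}
}
```

The practical caveat the example makes visible: the flag is only a safe thing to turn on if the microservice execs the tool with an argument vector. If the header is ever concatenated into a string that a shell parses, "10000x10000>" stops being a geometry modifier and starts being a redirection, and every other character in the deny-list becomes an injection primitive.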

@joecorall joecorall force-pushed the insecure-args branch 5 times, most recently from e8c9bf6 to 99da5ca on November 13, 2025 14:28
@joecorall joecorall marked this pull request as draft November 13, 2025 22:42

@nigelgbanks nigelgbanks left a comment

Contributor

Looks good to me.

@t4k

t4k commented Nov 19, 2025

Contributor

I haven't had a chance to test this myself, but what I can see here looks good. Unfortunately, I won't be able to make the Tech Call today.

@t4k

t4k commented Nov 25, 2025

Contributor

I've now tested this and it works great for my use case! ✅

@joecorall joecorall marked this pull request as ready for review November 26, 2025 18:51
@aOelschlager aOelschlager enabled auto-merge (squash) November 26, 2025 18:53
@aOelschlager aOelschlager merged commit 8b67f87 into main Nov 26, 2025
129 of 131 checks passed
@aOelschlager aOelschlager deleted the insecure-args branch November 26, 2025 19:37