security(mediaserver): stop leaking credentials to Docker events log

This commit is contained in:
Rob Watson 2025-04-01 17:48:34 +02:00
parent e4438baa65
commit 5bf19f92b0


@ -170,7 +170,8 @@ func StartActor(ctx context.Context, params StartActorParams) (_ *Actor, err err
"--fail", "--fail",
"--silent", "--silent",
"--cacert", "/etc/tls.crt", "--cacert", "/etc/tls.crt",
actor.pathsURL(), "--config", "/etc/healthcheckopts.txt",
actor.healthCheckURL(),
}, },
Interval: time.Second * 10, Interval: time.Second * 10,
StartPeriod: time.Second * 2, StartPeriod: time.Second * 2,
@ -200,6 +201,11 @@ func StartActor(ctx context.Context, params StartActorParams) (_ *Actor, err err
Payload: bytes.NewReader(tlsKey), Payload: bytes.NewReader(tlsKey),
Mode: 0600, Mode: 0600,
}, },
{
Path: "/etc/healthcheckopts.txt",
Payload: bytes.NewReader([]byte(fmt.Sprintf("--user api:%s", actor.pass))),
Mode: 0600,
},
}, },
}, },
) )
@ -368,6 +374,13 @@ func (s *Actor) pathsURL() string {
return fmt.Sprintf("https://api:%s@localhost:%d/v3/paths/list", s.pass, s.apiPort) return fmt.Sprintf("https://api:%s@localhost:%d/v3/paths/list", s.pass, s.apiPort)
} }
// healthCheckURL returns the URL for the health check, accessible from the
// container. It is logged to Docker's events log so must not include
// credentials.
func (s *Actor) healthCheckURL() string {
return fmt.Sprintf("https://localhost:%d/v3/paths/list", s.apiPort)
}
// shortID returns the first 12 characters of the given container ID. // shortID returns the first 12 characters of the given container ID.
func shortID(id string) string { func shortID(id string) string {
if len(id) < 12 { if len(id) < 12 {
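Review bot: The new curl config file written in the second hunk (`Payload: bytes.NewReader([]byte(fmt.Sprintf("--user api:%s", actor.pass)))`) passes the secret as an unquoted config-file parameter, and curl's `--config` parser treats whitespace, a leading `:`/`=` and line breaks specially, so a password containing any of those would be truncated or misparsed and the health check would fail closed rather than authenticate. If `actor.pass` is always a generated token from a safe alphabet (I cannot see where it is produced), this is fine but deserves a comment at the generation site stating that constraint; otherwise quote the value, e.g. `fmt.Sprintf("--user \"api:%s\"\n", actor.pass)`, escaping any `"` or `\` in the secret per curl's config-file rules. Separately, `pathsURL()` in the last hunk still embeds the credentials in a URL; since the commit's stated goal is to keep them out of logs, a short comment such as `// pathsURL embeds the API credentials; never log or expose this value.` would help callers avoid reintroducing the leak via error messages.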