vstockwell/wraith
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 67 Wiki Activity

fix(security): infrastructure hardening — guacd network isolation, drop DB port, helmet, non-root container

Browse Source 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Vantz Stockwell 2026-03-14 14:13:28 -04:00
parent b11efce6ed
commit a88c164ac4
4 changed files with 6 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Dockerfile
View File

@ -24,5 +24,7 @@ COPY --from=backend /app/backend/package.json ./
COPY --from=backend /app/backend/prisma ./prisma COPY --from=backend /app/backend/prisma ./prisma
COPY --from=backend /app/backend/seed.js ./seed.js COPY --from=backend /app/backend/seed.js ./seed.js
COPY --from=frontend /app/frontend/.output/public ./public COPY --from=frontend /app/frontend/.output/public ./public
RUN addgroup -S wraith && adduser -S wraith -G wraith && chown -R wraith:wraith /app
USER wraith
EXPOSE 3000 EXPOSE 3000
CMD ["sh", "-c", "ls -la prisma/migrations/ && ls -la prisma/migrations/*/ && npx prisma migrate deploy --schema prisma/schema.prisma && node seed.js; node dist/src/main.js"] CMD ["sh", "-c", "ls -la prisma/migrations/ && ls -la prisma/migrations/*/ && npx prisma migrate deploy --schema prisma/schema.prisma && node seed.js; node dist/src/main.js"]

1
backend/package.json
View File

@ -24,6 +24,7 @@
"@nestjs/websockets": "^10.0.0", "@nestjs/websockets": "^10.0.0",
"@prisma/client": "^6.0.0", "@prisma/client": "^6.0.0",
"argon2": "^0.44.0", "argon2": "^0.44.0",
"helmet": "^8.0.0",
"bcrypt": "^5.1.0", "bcrypt": "^5.1.0",
"class-transformer": "^0.5.1", "class-transformer": "^0.5.1",
"class-validator": "^0.14.0", "class-validator": "^0.14.0",

2
backend/src/main.ts
View File

@ -1,3 +1,4 @@
import helmet from 'helmet';
import { NestFactory } from '@nestjs/core'; import { NestFactory } from '@nestjs/core';
import { ValidationPipe } from '@nestjs/common'; import { ValidationPipe } from '@nestjs/common';
import { WsAdapter } from '@nestjs/platform-ws'; import { WsAdapter } from '@nestjs/platform-ws';
@ -18,6 +19,7 @@ process.on('unhandledRejection', (reason: any) => {
async function bootstrap() { async function bootstrap() {
const app = await NestFactory.create(AppModule); const app = await NestFactory.create(AppModule);
app.use(helmet());
app.setGlobalPrefix('api'); app.setGlobalPrefix('api');
app.useGlobalPipes(new ValidationPipe({ whitelist: true, transform: true })); app.useGlobalPipes(new ValidationPipe({ whitelist: true, transform: true }));
app.useWebSocketAdapter(new WsAdapter(app)); app.useWebSocketAdapter(new WsAdapter(app));

7
docker-compose.yml
View File

@ -6,10 +6,8 @@ services:
DATABASE_URL: postgresql://wraith:${DB_PASSWORD}@postgres:5432/wraith DATABASE_URL: postgresql://wraith:${DB_PASSWORD}@postgres:5432/wraith
JWT_SECRET: ${JWT_SECRET} JWT_SECRET: ${JWT_SECRET}
ENCRYPTION_KEY: ${ENCRYPTION_KEY} ENCRYPTION_KEY: ${ENCRYPTION_KEY}
GUACD_HOST: host.docker.internal GUACD_HOST: guacd
GUACD_PORT: "4822" GUACD_PORT: "4822"
extra_hosts:
- "host.docker.internal:host-gateway"
depends_on: depends_on:
postgres: postgres:
condition: service_healthy condition: service_healthy
@ -19,13 +17,10 @@ services:
guacd: guacd:
image: guacamole/guacd image: guacamole/guacd
network_mode: host
entrypoint: ["/opt/guacamole/sbin/guacd", "-b", "0.0.0.0", "-L", "debug", "-f"]
restart: always restart: always
postgres: postgres:
image: postgres:16-alpine image: postgres:16-alpine
ports: ["4211:5432"]
volumes: [pgdata:/var/lib/postgresql/data] volumes: [pgdata:/var/lib/postgresql/data]
environment: environment:
POSTGRES_DB: wraith POSTGRES_DB: wraith