docker-compose 対応

.github/workflows/deploy.yml

@@ -114,6 +114,9 @@ jobs:
           rm -rf $GITHUB_WORKSPACE/patches
           rm -rf $GITHUB_WORKSPACE/docs
           rm -rf $GITHUB_WORKSPACE/html/test
+          rm -rf $GITHUB_WORKSPACE/dockerbuild
+          rm -rf $GITHUB_WORKSPACE/Dockerfile
+          rm -rf $GITHUB_WORKSPACE/docker-compose*.yml
           find $GITHUB_WORKSPACE -name "dummy" -print0 | xargs -0 rm -rf
           find $GITHUB_WORKSPACE -name ".git*" -and ! -name ".gitkeep" -print0 | xargs -0 rm -rf
           find $GITHUB_WORKSPACE -name ".git*" -type d -print0 | xargs -0 rm -rf

Dockerfile

@@ -0,0 +1,35 @@
+FROM eccube2/php:7.4-apache
+
+ENV APACHE_DOCUMENT_ROOT /var/www/app/html
+ENV ECCUBE_PREFIX /var/www/app
+
+RUN apt-get update \
+  && apt-get install --no-install-recommends -y \
+    ssl-cert \
+    mariadb-client postgresql-client \
+    && apt-get clean \
+  && rm -rf /var/lib/apt/lists/*
+
+RUN mkdir -p ${APACHE_DOCUMENT_ROOT} \
+  && sed -ri -e 's!/var/www/html!${APACHE_DOCUMENT_ROOT}!g' /etc/apache2/sites-available/*.conf \
+  && sed -ri -e 's!/var/www/!${APACHE_DOCUMENT_ROOT}!g' /etc/apache2/apache2.conf /etc/apache2/conf-available/*.conf \
+  ;
+
+## Enable SSL
+RUN a2enmod ssl rewrite headers
+RUN a2ensite default-ssl
+EXPOSE 443
+
+WORKDIR ${ECCUBE_PREFIX}
+
+COPY dockerbuild/wait-for-*.sh /
+RUN chmod +x /wait-for-*.sh
+
+COPY composer.json ${ECCUBE_PREFIX}/composer.json
+COPY composer.lock ${ECCUBE_PREFIX}/composer.lock
+
+RUN composer selfupdate
+RUN composer install --no-scripts --no-autoloader --no-dev -d ${ECCUBE_PREFIX}
+
+COPY . ${ECCUBE_PREFIX}
+RUN composer dumpautoload -o --apcu

docker-compose-owaspzap.yml

@@ -0,0 +1,19 @@
+version: "3"
+
+services:
+  zap:
+    build:
+      context: ./zap
+    command: bash -c "zap.sh -cmd -addonupdate -addoninstall help_ja_JP -addoninstall wappalyzer -addoninstall sequence -addonuninstall hud -configfile /zap/wrk/options.properties -certpubdump /zap/wrk/owasp_zap_root_ca.cer && zap-webswing.sh"
+    # 詳細スキャンしたい場合はこちらを使用する command: bash -c "zap.sh -cmd -addonupdate -addoninstall help_ja_JP -addoninstall wappalyzer -addoninstall ascanrulesAlpha -addoninstall ascanrulesBeta -addoninstall sqliplugin -addoninstall sequence -addonuninstall hud -configfile /zap/wrk/options.properties -certpubdump /zap/wrk/owasp_zap_root_ca.cer && zap-webswing.sh"
+    volumes:
+      - ./zap:/zap/wrk/
+    ports:
+      - "8081:8080"
+      - "8090:8090"
+    depends_on:
+      - ec-cube
+    networks:
+      - backend
+      - default
+    tty: true

docker-compose.dev.yml

@@ -0,0 +1,6 @@
+version: '3'
+
+services:
+  ec-cube:
+    volumes:
+      - ".:/var/www/app:delegated"

docker-compose.mysql.yml

@@ -0,0 +1,50 @@
+version: '3'
+
+volumes:
+  mysql-database:
+    driver: local
+
+services:
+  ec-cube:
+    command: apache2-foreground
+    entrypoint: /wait-for-mysql.sh
+    depends_on:
+      - mysql
+    environment:
+      TZ: Asia/Tokyo
+      PHP_POST_MAX_SIZE: 10M
+      PHP_UPLOAD_MAX_FILESIZE: 10M
+      PHP_LOG_ERRORS: "On"
+      PHP_ERROR_REPORTING: "E_ALL"
+      PHP_ERROR_LOG: "/proc/self/fd/2"
+      # EC-CUBE2 Config
+      HTTP_URL: https://localhost:4430/
+      HTTPS_URL: https://localhost:4430/
+      ROOT_URLPATH: /
+      DOMAIN_NAME: ~
+      DB_TYPE: mysql
+      DB_USER: eccube_db_user
+      DB_PASSWORD: password
+      DB_SERVER: mysql
+      DB_NAME: eccube_db
+      DB_PORT: ~
+      ADMIN_DIR: admin/
+      ADMIN_FORCE_SSL: 'false'
+      ADMIN_ALLOW_HOSTS: 'a:0:{}'
+      AUTH_MAGIC: ~
+      PASSWORD_HASH_ALGOS: sha256
+
+  mysql:
+    image: mysql:5.7
+    command: mysqld --character-set-server=utf8 --collation-server=utf8_general_ci
+    ports:
+      - '13306:3306'
+    volumes:
+      - mysql-database:/var/lib/mysql
+    environment:
+      MYSQL_ROOT_PASSWORD: password
+      MYSQL_DATABASE: eccube_db
+      MYSQL_USER: eccube_db_user
+      MYSQL_PASSWORD: password
+    networks:
+      - backend

docker-compose.owaspzap.yml

@@ -0,0 +1,19 @@
+version: "3"
+
+services:
+  zap:
+    build:
+      context: ./zap
+    command: bash -c "zap.sh -cmd -addonupdate -addoninstall help_ja_JP -addoninstall wappalyzer -addoninstall sequence -addonuninstall hud -configfile /zap/wrk/options.properties -certpubdump /zap/wrk/owasp_zap_root_ca.cer && zap-webswing.sh"
+    # 詳細スキャンしたい場合はこちらを使用する command: bash -c "zap.sh -cmd -addonupdate -addoninstall help_ja_JP -addoninstall wappalyzer -addoninstall ascanrulesAlpha -addoninstall ascanrulesBeta -addoninstall sqliplugin -addoninstall sequence -addonuninstall hud -configfile /zap/wrk/options.properties -certpubdump /zap/wrk/owasp_zap_root_ca.cer && zap-webswing.sh"
+    volumes:
+      - ./zap:/zap/wrk/
+    ports:
+      - "8081:8080"
+      - "8090:8090"
+    depends_on:
+      - ec-cube
+    networks:
+      - backend
+      - default
+    tty: true

docker-compose.pgsql.yml

@@ -0,0 +1,48 @@
+version: '3'
+
+volumes:
+  pg-database:
+    driver: local
+
+services:
+  ec-cube:
+    command: apache2-foreground
+    entrypoint: /wait-for-pgsql.sh
+    depends_on:
+      - postgres
+    environment:
+      TZ: Asia/Tokyo
+      PHP_POST_MAX_SIZE: 10M
+      PHP_UPLOAD_MAX_FILESIZE: 10M
+      PHP_LOG_ERRORS: "On"
+      PHP_ERROR_REPORTING: "E_ALL"
+      PHP_ERROR_LOG: "/proc/self/fd/2"
+      # EC-CUBE2 Config
+      HTTP_URL: https://localhost:4430/
+      HTTPS_URL: https://localhost:4430/
+      ROOT_URLPATH: /
+      DOMAIN_NAME: ~
+      DB_TYPE: pgsql
+      DB_USER: eccube_db_user
+      DB_PASSWORD: password
+      DB_SERVER: postgres
+      DB_NAME: eccube_db
+      DB_PORT: 5432
+      ADMIN_DIR: admin/
+      ADMIN_FORCE_SSL: 'false'
+      ADMIN_ALLOW_HOSTS: 'a:0:{}'
+      AUTH_MAGIC: ~
+      PASSWORD_HASH_ALGOS: sha256
+
+  postgres:
+    image: postgres
+    environment:
+      - POSTGRES_DB=eccube_db
+      - POSTGRES_USER=eccube_db_user
+      - POSTGRES_PASSWORD=password
+    ports:
+      - 15432:5432
+    volumes:
+      - pg-database:/var/lib/postgresql/data
+    networks:
+      - backend

docker-compose.yml

@@ -0,0 +1,57 @@
+version: '3'
+
+networks:
+  backend:
+    driver: bridge
+
+volumes:
+  mailcatcher-data:
+    driver: local
+
+  ### ignore folder volume #####
+  vendor:
+    driver: local
+
+services:
+  ec-cube:
+    build:
+      context: .
+    volumes:
+      ### 同期対象からコストの重いフォルダを除外 #####################
+      - "vendor:/var/www/app/data/vendor"
+    ports:
+      - 8080:80
+      - 4430:443
+    environment:
+      TZ: Asia/Tokyo
+      PHP_POST_MAX_SIZE: 10M
+      PHP_UPLOAD_MAX_FILESIZE: 10M
+      PHP_LOG_ERRORS: "On"
+      PHP_ERROR_REPORTING: "E_ALL"
+      PHP_ERROR_LOG: "/proc/self/fd/2"
+      # EC-CUBE2 Config
+      HTTP_URL: https://localhost:4430/
+      HTTPS_URL: https://localhost:4430/
+      ROOT_URLPATH: /
+      DOMAIN_NAME: ~
+      ADMIN_DIR: admin/
+      ADMIN_FORCE_SSL: 'false'
+      ADMIN_ALLOW_HOSTS: 'a:0:{}'
+      AUTH_MAGIC: ~
+      PASSWORD_HASH_ALGOS: sha256
+      MAIL_BACKEND: smtp
+      SMTP_HOST: 127.0.0.1
+      SMTP_PORT: 1025
+      SMTP_USER: ~
+      SMTP_PASSWORD: ~
+    networks:
+      - backend
+
+  ### Mailcatcher ##################################
+  mailcatcher:
+    image: schickling/mailcatcher
+    ports:
+      - "1080:1080"
+      - "1025:1025"
+    networks:
+      - backend

dockerbuild/.htaccess

@@ -0,0 +1,2 @@
+order allow,deny
+deny from all

dockerbuild/wait-for-mysql.sh

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+set -e
+
+echo "Waiting for mysql"
+until mysql -h "${DB_SERVER}" --password="${DB_PASSWORD}" -uroot &> /dev/null
+do
+  printf "."
+  sleep 1
+done
+
+>&2 echo "MySQL Ready"
+
+if [ ! -f /var/www/app/data/config/config.php ]
+then
+    echo "Install to ec-cube"
+    DBUSER=$DB_USER DBPASS=$DB_PASSWORD DBNAME=$DB_NAME DBPORT=$DB_PORT DBSERVER=$DB_SERVER /var/www/app/eccube_install.sh mysql
+fi
+
+exec docker-php-entrypoint "$@"

dockerbuild/wait-for-pgsql.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+set -e
+
+export PGPASSWORD=$DB_PASSWORD
+until psql -h "${DB_SERVER}" -U "${DB_USER}" -d "template1" -c '\l'; do
+  >&2 echo "Postgres is unavailable - sleeping"
+  printf "."
+  sleep 1
+done
+
+>&2 echo "Postgres is up - executing command"
+
+if [ ! -f /var/www/app/data/config/config.php ]
+then
+    echo "Install to ec-cube"
+    DBUSER=$DB_USER DBPASS=$DB_PASSWORD DBNAME=$DB_NAME DBPORT=$DB_PORT DBSERVER=$DB_SERVER /var/www/app/eccube_install.sh pgsql
+fi
+
+exec docker-php-entrypoint "$@"

tests/class/SC_Date/SC_Date_getYearTest.php

@@ -84,6 +84,7 @@ public function testGetYear_最大値が3年後の配列を返す()
     public function testGetYear_最大値がメンバ変数の配列を返す()
     {
         $this->expected = '2020';
+        $this->objDate->setStartYear('2018');
         $this->objDate->setEndYear('2020');
         $this->actual = max($this->objDate->getYear());
 

tests/class/SC_Date/SC_Date_getZeroYearTest.php

@@ -82,6 +82,7 @@ public function testGetZeroYear_最大値が3年後の2桁表記の配列を返
     public function testGetZeroYear_最大値がメンバ変数の2桁表記の配列を返す()
     {
         $this->expected = '20';
+        $this->objDate->setStartYear('2018');
         $this->objDate->setEndYear('2020');
         $this->actual = max($this->objDate->getZeroYear());
 

zap/.gitignore

@@ -0,0 +1,2 @@
+/owasp_zap_root_ca.cer
+/sessions

zap/.htaccess

@@ -0,0 +1,2 @@
+order allow,deny
+deny from all

zap/Dockerfile

@@ -0,0 +1,8 @@
+FROM owasp/zap2docker-stable
+
+USER root
+RUN apt-get update \
+  && apt-get install --no-install-recommends -y \
+  fonts-noto-cjk
+
+USER zap

zap/README.md

@@ -0,0 +1,6 @@
+# EC-CUBE Penetration Testing with OWASP ZAP
+
+このツールは、サイトを実際に攻撃し、脆弱性が無いかを確認するツールです。
+必ずローカル環境の Docker でのみ使用し、稼動中のサイトには決して使用しないでください。
+意図せずデータが更新されたり、削除される場合があります。
+テストは自己責任で実施し、株式会社イーシーキューブ及び、関連する開発コミュニティは一切の責任を負いかねますのであらかじめご了承ください。

zap/options.properties

@@ -0,0 +1,45 @@
+view.locale=ja_JP
+api.disablekey=true
+fuzz.defaultCategoryName=dirbuster
+anticsrf.tokens.token\(0\).name=_csrf_token
+anticsrf.tokens.token\(0\).enabled=true
+anticsrf.tokens.token\(1\).name=_csrf
+anticsrf.tokens.token\(1\).enabled=true
+anticsrf.tokens.token\(2\).name=_token
+anticsrf.tokens.token\(2\).enabled=true
+anticsrf.tokens.token\(3\).name=_shopping_order[_token]
+anticsrf.tokens.token\(3\).enabled=true
+anticsrf.tokens.token\(4\).name=form[_token]
+anticsrf.tokens.token\(4\).enabled=true
+anticsrf.tokens.token\(5\).name=shopping_shipping[_token]
+anticsrf.tokens.token\(5\).enabled=true
+httpsessions.tokens.token\(0\).name=eccube
+httpsessions.tokens.token\(0\).enabled=true
+httpsessions.tokens.token\(1\).name=ecsessid
+httpsessions.tokens.token\(1\).enabled=true
+httpsessions.tokens.token\(2\).name=phpsessid
+httpsessions.tokens.token\(2\).enabled=true
+## Filtering out false positives in PATH Traversal
+globalalertfilter.filters.filter\(0\).ruleid=6
+globalalertfilter.filters.filter\(0\).newrisk=-1
+globalalertfilter.filters.filter\(0\).url=https://ec-cube/products/add_cart/[0-9]+
+globalalertfilter.filters.filter\(0\).urlregex=true
+globalalertfilter.filters.filter\(0\).param=
+globalalertfilter.filters.filter\(0\).paramregex=false
+globalalertfilter.filters.filter\(0\).attack=
+globalalertfilter.filters.filter\(0\).attackregex=false
+globalalertfilter.filters.filter\(0\).evidence=
+globalalertfilter.filters.filter\(0\).evidenceregex=false
+globalalertfilter.filters.filter\(0\).enabled=true
+## Filtering out false positives in SQL Injection
+globalalertfilter.filters.filter\(1\).ruleid=40018
+globalalertfilter.filters.filter\(1\).newrisk=-1
+globalalertfilter.filters.filter\(1\).url=https://ec-cube/entry
+globalalertfilter.filters.filter\(1\).urlregex=false
+globalalertfilter.filters.filter\(1\).param=mode
+globalalertfilter.filters.filter\(1\).paramregex=false
+globalalertfilter.filters.filter\(1\).attack=confirm OR 1=1 --
+globalalertfilter.filters.filter\(1\).attackregex=false
+globalalertfilter.filters.filter\(1\).evidence=
+globalalertfilter.filters.filter\(1\).evidenceregex=false
+globalalertfilter.filters.filter\(1\).enabled=true