From f789f9e2a10c1a54cfd5bdb070a9259c17422c53 Mon Sep 17 00:00:00 2001
From: Vincent Massol <vincent@massol.net>
Date: Mon, 3 Aug 2020 11:42:25 +0200
Subject: [PATCH] XDOCKER-143: Switch to MySQL JDBC driver 8.x * Verify the
 MySQL driver download to avoid man-in-the-middle attacks

---
 11/mysql-tomcat/Dockerfile | 4 +++-
 12/mysql-tomcat/Dockerfile | 4 +++-
 template/Dockerfile        | 4 +++-
 3 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/11/mysql-tomcat/Dockerfile b/11/mysql-tomcat/Dockerfile
index 46b8dd8..8abf454 100644
--- a/11/mysql-tomcat/Dockerfile
+++ b/11/mysql-tomcat/Dockerfile
@@ -58,10 +58,12 @@ RUN rm -rf /usr/local/tomcat/webapps/* && \
 # For MYSQL, download the MySQL driver version from the Maven Central repository since there's no up to 
 # date Debian repository for it anymore.
 ENV MYSQL_JDBC_VERSION="8.0.20"
+ENV MYSQL_JDBC_SHA256="56a42553b516660ae0bcd08f7f4f5f375294afbd62200d6c0c88a8c61c668ede"
 ENV MYSQL_JDBC_PREFIX="https://repo1.maven.org/maven2/mysql/mysql-connector-java/${MYSQL_JDBC_VERSION}"
 ENV MYSQL_JDBC_ARTIFACT="mysql-connector-java-${MYSQL_JDBC_VERSION}.jar"
 ENV MYSQL_JDBC_TARGET="/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/${MYSQL_JDBC_ARTIFACT}"
-RUN curl -fSL "${MYSQL_JDBC_PREFIX}/${MYSQL_JDBC_ARTIFACT}" -o $MYSQL_JDBC_TARGET
+RUN curl -fSL "${MYSQL_JDBC_PREFIX}/${MYSQL_JDBC_ARTIFACT}" -o $MYSQL_JDBC_TARGET && \
+  echo "$MYSQL_JDBC_SHA256 $MYSQL_JDBC_TARGET" | sha256sum -c -
 
 # Configure Tomcat. For example set the memory for the Tomcat JVM since the default value is too small for XWiki
 COPY tomcat/setenv.sh /usr/local/tomcat/bin/
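Review bot: `ENV MYSQL_JDBC_SHA256=…` on the first added line is a build-time-only value (it is read solely by the `sha256sum -c` step in the same stage), yet `ENV` persists it into the runtime environment of every container; `ARG MYSQL_JDBC_SHA256="56a42553b516660ae0bcd08f7f4f5f375294afbd62200d6c0c88a8c61c668ede"` keeps it available to the `RUN` without polluting the image's `env`. The verification line separates digest and path with a single space, whereas GNU `sha256sum -c` documents the `<digest>  <file>` (two spaces) or `<digest> *<file>` forms, and older coreutils builds may treat the character after the single space as the text/binary marker; `echo "$MYSQL_JDBC_SHA256  $MYSQL_JDBC_TARGET" | sha256sum -c -` is the portable spelling, and quoting `-o "$MYSQL_JDBC_TARGET"` on the same line would silence the shell-expansion lint. The digest has no provenance recorded, so the next version bump has nothing to follow; a comment such as `# SHA-256 of the driver jar, compared against the checksum published next to the artifact on Maven Central; update together with MYSQL_JDBC_VERSION` above the new line would document that. The same three points apply to the identical hunks in 12/mysql-tomcat/Dockerfile and template/Dockerfile.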
diff --git a/12/mysql-tomcat/Dockerfile b/12/mysql-tomcat/Dockerfile
index 7374786..bf0b148 100644
--- a/12/mysql-tomcat/Dockerfile
+++ b/12/mysql-tomcat/Dockerfile
@@ -58,10 +58,12 @@ RUN rm -rf /usr/local/tomcat/webapps/* && \
 # For MYSQL, download the MySQL driver version from the Maven Central repository since there's no up to 
 # date Debian repository for it anymore.
 ENV MYSQL_JDBC_VERSION="8.0.20"
+ENV MYSQL_JDBC_SHA256="56a42553b516660ae0bcd08f7f4f5f375294afbd62200d6c0c88a8c61c668ede"
 ENV MYSQL_JDBC_PREFIX="https://repo1.maven.org/maven2/mysql/mysql-connector-java/${MYSQL_JDBC_VERSION}"
 ENV MYSQL_JDBC_ARTIFACT="mysql-connector-java-${MYSQL_JDBC_VERSION}.jar"
 ENV MYSQL_JDBC_TARGET="/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/${MYSQL_JDBC_ARTIFACT}"
-RUN curl -fSL "${MYSQL_JDBC_PREFIX}/${MYSQL_JDBC_ARTIFACT}" -o $MYSQL_JDBC_TARGET
+RUN curl -fSL "${MYSQL_JDBC_PREFIX}/${MYSQL_JDBC_ARTIFACT}" -o $MYSQL_JDBC_TARGET && \
+  echo "$MYSQL_JDBC_SHA256 $MYSQL_JDBC_TARGET" | sha256sum -c -
 
 # Configure Tomcat. For example set the memory for the Tomcat JVM since the default value is too small for XWiki
 COPY tomcat/setenv.sh /usr/local/tomcat/bin/
diff --git a/template/Dockerfile b/template/Dockerfile
index 48808c8..173da68 100644
--- a/template/Dockerfile
+++ b/template/Dockerfile
@@ -63,10 +63,12 @@ RUN rm -rf /usr/local/tomcat/webapps/* && \\
   println "# For MYSQL, download the MySQL driver version from the Maven Central repository since there's no up to "
   println "# date Debian repository for it anymore."
   println "ENV MYSQL_JDBC_VERSION=\"8.0.20\""
+  println "ENV MYSQL_JDBC_SHA256=\"56a42553b516660ae0bcd08f7f4f5f375294afbd62200d6c0c88a8c61c668ede\""
   println "ENV MYSQL_JDBC_PREFIX=\"https://repo1.maven.org/maven2/mysql/mysql-connector-java/\${MYSQL_JDBC_VERSION}\""
   println "ENV MYSQL_JDBC_ARTIFACT=\"mysql-connector-java-\${MYSQL_JDBC_VERSION}.jar\""
   println "ENV MYSQL_JDBC_TARGET=\"/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/\${MYSQL_JDBC_ARTIFACT}\""
-  print "RUN curl -fSL \"\${MYSQL_JDBC_PREFIX}/\${MYSQL_JDBC_ARTIFACT}\" -o \$MYSQL_JDBC_TARGET"
+  println "RUN curl -fSL \"\${MYSQL_JDBC_PREFIX}/\${MYSQL_JDBC_ARTIFACT}\" -o \$MYSQL_JDBC_TARGET && \\"
+  print "  echo \"\$MYSQL_JDBC_SHA256 \$MYSQL_JDBC_TARGET\" | sha256sum -c -"
 } else if (db == 'postgres') {
   print 'RUN cp /usr/share/java/postgresql-jdbc4.jar /usr/local/tomcat/webapps/ROOT/WEB-INF/lib/'
 } %>
-- 
GitLab