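# DO NOT USE IN ANY OTHER CONTEXT
# This Dockerfile builds a version of ImageMagick that is VULNERABLE as described
# in this CVE: https://www.cvedetails.com/cve/CVE-2016-3714/ to the vulnerability
# called ImageTragick, from around 2016.
# Original Dockerfile taken from
# https://github.com/dooman87/imagemagick-docker/blob/master/Dockerfile.buster.
# * download and compile a vulnerable ImageMagick version (lower than 6.9.3-10)
# * add installing Python 3, pip, etc. for our PDFMagick script
# * set the entrypoint to our PDFMagick service
# * separate build stage and runtime stage (Redhpm, 2023-05-30).
#
# NOTE(review): debian:buster is end-of-life, so the base image itself no longer
# receives security updates and `apt-get update` may need the archive mirrors.
# Confirm the build still resolves packages before relying on it.

# ----- BUILD STAGE -----
# You don't have anything to do here.
#
# This Dockerfile uses a build stage, to build ImageMagick and its dependencies
# from source.
# See : https://docs.docker.com/build/building/multi-stage/.
# All changes made in layers of this stage will not appear in the next stage,
# unless files are explicitly copied over.
# This allows for cleaner and lighter images with a simpler Dockerfile.
FROM debian:buster-slim AS build

# Versions of ImageMagick and its dependencies, set as arguments of the build
# process of the Docker image.
# IM_VERSION is deliberately below 6.9.3-10 (see header); it must not be reused
# as a default anywhere outside this exercise.
ARG IM_VERSION=6.9.2-0
ARG LIB_HEIF_VERSION=1.12.0
ARG LIB_AOM_VERSION=3.1.0
ARG LIB_WEBP_VERSION=1.2.0

# Most often, the first RUN instruction is to update and upgrade the system image,
# before installing build and runtime dependencies.
# Packages are listed one per line, sorted, with duplicates removed; the set of
# installed packages is unchanged. Recommended packages are still installed on
# purpose: the later steps fetch over HTTPS and unpack .tar.xz archives, and the
# tools for that are not listed explicitly here.
RUN apt-get -y update && \
    apt-get -y upgrade && \
    apt-get install -y \
        autoconf \
        cmake \
        curl \
        g++ \
        gcc \
        ghostscript \
        git \
        libde265-0 \
        libde265-dev \
        libfreetype6-dev \
        libgomp1 \
        libjpeg62-turbo \
        libjpeg62-turbo-dev \
        libpng-dev \
        libpng16-16 \
        libtiff-dev \
        libtool \
        libx265-dev \
        libxml2-dev \
        libxml2-utils \
        make \
        pkg-config \
        x265 \
        yasm

# To build ImageMagick and its dependencies, each RUN instruction follows
# roughly the same steps:
# * fetch the source
# * prepare the source
# * configure the build process
# * build and install

# libwebp
RUN git clone https://chromium.googlesource.com/webm/libwebp && \
    cd libwebp && git checkout v${LIB_WEBP_VERSION} && \
    ./autogen.sh && ./configure --enable-shared --enable-libwebpdecoder \
        --enable-libwebpdemux --enable-libwebpmux --enable-static=no && \
    make && make install && \
    ldconfig /usr/local/lib

# libaom
RUN git clone https://aomedia.googlesource.com/aom && \
    cd aom && git checkout v${LIB_AOM_VERSION} && cd .. && \
    mkdir build_aom && cd build_aom && \
    cmake ../aom/ -DENABLE_TESTS=0 -DBUILD_SHARED_LIBS=1 && \
    make && make install && \
    ldconfig /usr/local/lib

# libheif
# -f makes curl exit non-zero on an HTTP error instead of saving the error page
# as the archive, so a broken download fails at the fetch step.
RUN curl -fL https://github.com/strukturag/libheif/releases/download/v${LIB_HEIF_VERSION}/libheif-${LIB_HEIF_VERSION}.tar.gz -o libheif.tar.gz && \
    tar -xzvf libheif.tar.gz && cd libheif-${LIB_HEIF_VERSION}/ && \
    ./autogen.sh && ./configure && \
    make && make install && \
    ldconfig /usr/local/lib

# ImageMagick
# Specifically fetch an OUTDATED, VULNERABLE version
# Originally downloaded from
# https://mirror.dogado.de/imagemagick/releases/ImageMagick-${IM_VERSION}.tar.xz
# NOTE(review): none of the downloads in this stage is integrity-checked. For the
# tarballs, record the expected digest and verify it before extracting, e.g.
#   echo "<SHA256_OF_TARBALL_PLACEHOLDER>  ImageMagick.tar.xz" | sha256sum -c -
# so that the lab builds exactly the archive the course intends.
RUN curl -fL https://www-inf.telecom-sudparis.eu/COURS/CSC5004/practicals/secure-dockerfile/ImageMagick-${IM_VERSION}.tar.xz -o ImageMagick.tar.xz && \
    tar -xJvf ImageMagick.tar.xz && cd ImageMagick-${IM_VERSION} && \
    ./configure --without-magick-plus-plus --disable-docs --disable-static --with-libtiff --with-freetype=yes && \
    make && make install && \
    ldconfig /usr/local/lib

# ----- RUNTIME STAGE -----
FROM debian:buster-slim

# Copy build files needed at runtime
# Only the convert binary and the shared libraries are copied; the compilers,
# sources and ImageMagick's installed configuration files stay in the build stage.
COPY --from=build /usr/local/bin/convert /usr/local/bin
COPY --from=build /usr/local/lib/libMagick* /usr/local/lib/
COPY --from=build /usr/local/lib/libwebp.so.7 /usr/local/lib/

# Install runtime libs
RUN apt-get update && \
    apt-get install -y libtiff5 libpng16-16 libjpeg62-turbo libfreetype6 ghostscript && \
    rm -rf /var/lib/apt/lists/*

##########
# STUDENT CODE GOES HERE
# so that above layers remain in cache
#
# Instructions:
# * in this Debian distribution, you want the packages python3 and python3-pip
#   to install Python 3 and pip for this version of Python
# * then, you want to install the dependency web.py using pip
##########
# --no-cache-dir keeps pip's download cache out of the image layer.
# NOTE(review): web.py is unpinned, so the installed version depends on the build
# date; pin it (web.py==<VERSION_PLACEHOLDER>) once a working version is known.
RUN apt-get update && \
    apt-get install -y python3 python3-pip && \
    rm -rf /var/lib/apt/lists/* && \
    pip3 install --no-cache-dir web.py
##########

##########
# STUDENT CODE GOES HERE
#
# Instructions:
# * add the Python script to the image
##########
# The script is made read-only for every user, so the unprivileged service
# account selected below can read it but cannot modify it.
COPY [ "pdfmagick.py", "/" ]
RUN chmod 444 "/pdfmagick.py"
##########

##########
# STUDENT CODE GOES HERE
#
# Instructions:
# * indicate that the image exposes port 8080
# * set the entrypoint to run pdfmagick.py using python3
##########
# EXPOSE only documents the port. When starting the container, publish it on
# loopback (e.g. `docker run -p 127.0.0.1:8080:8080 ...`) so the deliberately
# vulnerable service is not reachable from other hosts.
EXPOSE 8080
# Run the service as an unprivileged account rather than root, which limits what
# the process (and anything it spawns through ImageMagick) can touch.
USER nobody
ENTRYPOINT [ "python3", "/pdfmagick.py" ]
##########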