merge default-server-cert job

.github/workflows/dev.yml

@@ -47,7 +47,7 @@ jobs:
           exit-code: 1
           ignore-unfixed: false
           severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
-          trivyignores: .trivyignore
+          # trivyignores: .trivyignore
 
   # BW scheduler tests
   scheduler:
@@ -91,7 +91,7 @@ jobs:
           exit-code: 1
           ignore-unfixed: false
           severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
-          trivyignores: .trivyignore
+          # trivyignores: .trivyignore
 
   # BW autoconf tests
   autoconf:
@@ -135,7 +135,7 @@ jobs:
           exit-code: 1
           ignore-unfixed: false
           severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
-          trivyignores: .trivyignore
+          # trivyignores: .trivyignore
 
   # BW UI tests
   ui:
@@ -180,7 +180,7 @@ jobs:
           exit-code: 1
           ignore-unfixed: false
           severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
-          trivyignores: .trivyignore
+          # trivyignores: .trivyignore
 
   # Python code security
   code-security:

.trivyignore

@@ -1,4 +0,0 @@
-# libcurl 7.87.0-r2 and curl 7.87.0-r2 are not yet available in python:3.11-alpine
-CVE-2023-23916
-CVE-2023-23914
-CVE-2023-23915

src/autoconf/Dockerfile

@@ -54,7 +54,7 @@ RUN apk add --no-cache bash && \
     chmod 770 /var/log/letsencrypt /var/lib/letsencrypt
 
 # Fix CVEs
-RUN apk add "libssl1.1>=1.1.1q-r0" "libcrypto1.1>=1.1.1q-r0" "libxml2>=2.9.14-r1" "expat>=2.5.0-r0" "git>=2.36.5-r0"
+RUN apk add "libssl1.1>=1.1.1q-r0" "libcrypto1.1>=1.1.1q-r0" "libxml2>=2.9.14-r1" "expat>=2.5.0-r0" "git>=2.36.5-r0" "curl>=7.87.0-r2" "libcurl>=7.87.0-r2"
 
 VOLUME /data /etc/nginx
 

src/common/core/blacklist/jobs/blacklist-download.py

@@ -2,7 +2,7 @@
 
 from contextlib import suppress
 from ipaddress import ip_address, ip_network
-from os import _exit, getenv, makedirs
+from os import _exit, getenv
 from pathlib import Path
 from re import IGNORECASE, compile as re_compile
 from sys import exit as sys_exit, path as sys_path
@@ -80,13 +80,13 @@ try:
     elif getenv("USE_BLACKLIST", "yes") == "yes":
         blacklist_activated = True
 
-    if blacklist_activated is False:
+    if not blacklist_activated:
         logger.info("Blacklist is not activated, skipping downloads...")
         _exit(0)
 
     # Create directories if they don't exist
-    makedirs("/var/cache/bunkerweb/blacklist", exist_ok=True)
+    Path("/var/cache/bunkerweb/blacklist").mkdir(parents=True, exist_ok=True)
-    makedirs("/var/tmp/bunkerweb/blacklist", exist_ok=True)
+    Path("/var/tmp/bunkerweb/blacklist").mkdir(parents=True, exist_ok=True)
 
     # Our urls data
     urls = {"IP": [], "RDNS": [], "ASN": [], "USER_AGENT": [], "URI": []}
@@ -116,7 +116,7 @@ try:
             logger.info(
                 f"Blacklist for {kind} is already in cache, skipping downloads...",
             )
-    if all_fresh is True:
+    if all_fresh:
         _exit(0)
 
     # Get URLs
@@ -139,7 +139,7 @@ try:
 
     # Loop on kinds
     for kind, urls_list in urls.items():
-        if kinds_fresh[kind] is True:
+        if kinds_fresh[kind]:
             continue
         # Write combined data of the kind to a single temp file
         for url in urls_list:
@@ -161,7 +161,7 @@ try:
                         line = line.split(b" ")[0]
 
                     ok, data = check_line(kind, line)
-                    if ok is True:
+                    if ok:
                         content += data + b"\n"
                         i += 1
 

src/common/core/bunkernet/jobs/bunkernet-data.py

@@ -1,7 +1,6 @@
 #!/usr/bin/python3
 
-from os import _exit, getenv, makedirs
+from os import _exit, getenv
-from os.path import isfile
 from pathlib import Path
 from sys import exit as sys_exit, path as sys_path
 from traceback import format_exc
@@ -44,15 +43,15 @@ try:
     elif getenv("USE_BUNKERNET", "yes") == "yes":
         bunkernet_activated = True
 
-    if bunkernet_activated is False:
+    if not bunkernet_activated:
         logger.info("BunkerNet is not activated, skipping download...")
         _exit(0)
 
     # Create directory if it doesn't exist
-    makedirs("/var/cache/bunkerweb/bunkernet", exist_ok=True)
+    Path("/var/cache/bunkerweb/bunkernet").mkdir(parents=True, exist_ok=True)
 
     # Check if ID is present
-    if not isfile("/var/cache/bunkerweb/bunkernet/instance.id"):
+    if not Path("/var/cache/bunkerweb/bunkernet/instance.id").is_file():
         logger.error(
             "Not downloading BunkerNet data because instance is not registered",
         )
@@ -83,7 +82,16 @@ try:
             "BunkerNet has banned this instance, retrying a register later...",
         )
         _exit(0)
-    elif data["result"] != "ok":
+
+    try:
+        assert isinstance(data, dict)
+    except AssertionError:
+        logger.error(
+            f"Received invalid data from BunkerNet API while sending db request : {data}",
+        )
+        _exit(1)
+
+    if data["result"] != "ok":
         logger.error(
             f"Received error from BunkerNet API while sending db request : {data['data']}, removing instance ID",
         )

src/common/core/bunkernet/jobs/bunkernet-register.py

@@ -1,7 +1,6 @@
 #!/usr/bin/python3
 
-from os import _exit, getenv, makedirs, remove
+from os import _exit, getenv
-from os.path import isfile
 from pathlib import Path
 from sys import exit as sys_exit, path as sys_path
 from time import sleep
@@ -33,7 +32,12 @@ try:
     bunkernet_activated = False
     # Multisite case
     if getenv("MULTISITE", "no") == "yes":
-        for first_server in getenv("SERVER_NAME").split(" "):
+        servers = getenv("SERVER_NAME", [])
+
+        if isinstance(servers, str):
+            servers = servers.split(" ")
+
+        for first_server in servers:
             if (
                 getenv(f"{first_server}_USE_BUNKERNET", getenv("USE_BUNKERNET", "yes"))
                 == "yes"
@@ -44,16 +48,16 @@ try:
     elif getenv("USE_BUNKERNET", "yes") == "yes":
         bunkernet_activated = True
 
-    if bunkernet_activated is False:
+    if not bunkernet_activated:
         logger.info("BunkerNet is not activated, skipping registration...")
         _exit(0)
 
     # Create directory if it doesn't exist
-    makedirs("/var/cache/bunkerweb/bunkernet", exist_ok=True)
+    Path("/var/cache/bunkerweb/bunkernet").mkdir(parents=True, exist_ok=True)
 
     # Ask an ID if needed
     bunkernet_id = None
-    if not isfile("/var/cache/bunkerweb/bunkernet/instance.id"):
+    if not Path("/var/cache/bunkerweb/bunkernet/instance.id").is_file():
         logger.info("Registering instance on BunkerNet API ...")
         ok, status, data = register()
         if not ok:
@@ -71,7 +75,16 @@ try:
                 "BunkerNet has banned this instance, retrying a register later...",
             )
             _exit(0)
-        elif status != 200:
+
+        try:
+            assert isinstance(data, dict)
+        except AssertionError:
+            logger.error(
+                f"Received invalid data from BunkerNet API while sending db request : {data}, retrying later...",
+            )
+            _exit(1)
+
+        if status != 200:
             logger.error(
                 f"Error {status} from BunkerNet API : {data['data']}",
             )
@@ -111,9 +124,18 @@ try:
             logger.warning(
                 "Instance ID is not registered, removing it and retrying a register later...",
             )
-            remove("/var/cache/bunkerweb/bunkernet/instance.id")
+            Path("/var/cache/bunkerweb/bunkernet/instance.id").unlink()
             _exit(2)
-        elif data.get("result", "ko") != "ok":
+
+        try:
+            assert isinstance(data, dict)
+        except AssertionError:
+            logger.error(
+                f"Received invalid data from BunkerNet API while sending db request : {data}, retrying later...",
+            )
+            _exit(1)
+
+        if data.get("result", "ko") != "ok":
             logger.error(
                 f"Received error from BunkerNet API while sending ping request : {data.get('data', {})}, removing instance ID",
             )
@@ -127,7 +149,7 @@ try:
     if bunkernet_ping and status != 403:
         logger.info("Connectivity with BunkerWeb is successful !")
         status = 1
-        if not isfile("/var/cache/bunkerweb/bunkernet/instance.id"):
+        if not Path("/var/cache/bunkerweb/bunkernet/instance.id").is_file():
             Path("/var/cache/bunkerweb/bunkernet/instance.id").write_text(bunkernet_id)
 
             # Update db

src/common/core/bunkernet/jobs/bunkernet.py

@@ -1,7 +1,7 @@
-from typing import Literal, Optional, Tuple, Union
-import requests
 from os import getenv
-from os.path import exists
+from pathlib import Path
+from requests import request as requests_request, ReadTimeout
+from typing import Literal, Optional, Tuple, Union
 
 
 def request(
@@ -12,7 +12,7 @@ def request(
     if _id is not None:
         data["id"] = _id
     try:
-        resp = requests.request(
+        resp = requests_request(
             method,
             f"{getenv('BUNKERNET_SERVER', 'https://api.bunkerweb.io')}{url}",
             json=data,
@@ -29,7 +29,7 @@ def request(
 
         assert "result" in raw_data
         assert "data" in raw_data
-    except requests.ReadTimeout:
+    except ReadTimeout:
         return False, None, "request timed out"
     except Exception as e:
         return False, None, f"request failed: {e}"
@@ -66,7 +66,7 @@ def get_integration():
             return "swarm"
         elif getenv("KUBERNETES_MODE") == "yes":
             return "kubernetes"
-        elif exists("/usr/share/bunkerweb/INTEGRATION"):
+        elif Path("/usr/share/bunkerweb/INTEGRATION").exists():
             with open("/usr/share/bunkerweb/INTEGRATION", "r") as f:
                 return f.read().strip().lower()
 

src/common/core/customcert/jobs/custom-cert.py

@@ -1,11 +1,11 @@
 #!/usr/bin/python3
 
-from os import getenv, makedirs, remove
+from os import getenv, makedirs
-from os.path import isfile
 from pathlib import Path
 from shutil import copy
 from sys import exit as sys_exit, path as sys_path
 from traceback import format_exc
+from typing import Optional
 
 sys_path.extend(
     (
@@ -26,19 +26,19 @@ db = Database(
 )
 
 
-def check_cert(cert_path, key_path, first_server: str = None) -> bool:
+def check_cert(cert_path, key_path, first_server: Optional[str] = None) -> bool:
     try:
         if not cert_path or not key_path:
             logger.warning(
                 "Both variables CUSTOM_SSL_CERT and CUSTOM_SSL_KEY have to be set to use custom certificates"
             )
             return False
-        elif not isfile(cert_path):
+        elif not Path(cert_path).is_file():
             logger.warning(
                 f"Certificate file {cert_path} is not a valid file, ignoring the custom certificate"
             )
             return False
-        elif not isfile(key_path):
+        elif not Path(key_path).is_file():
             logger.warning(
                 f"Key file {key_path} is not a valid file, ignoring the custom certificate"
             )
@@ -49,7 +49,7 @@ def check_cert(cert_path, key_path, first_server: str = None) -> bool:
         )
         cert_hash = file_hash(cert_path)
 
-        if not isfile(cert_cache_path):
+        if not Path(cert_cache_path).is_file():
             Path(cert_cache_path).write_text(cert_hash)
 
         old_hash = file_hash(cert_cache_path)
@@ -59,12 +59,12 @@ def check_cert(cert_path, key_path, first_server: str = None) -> bool:
         Path(cert_cache_path).write_text(cert_hash)
         copy(cert_path, cert_cache_path.replace(".hash", ""))
 
-        if not isfile(key_path):
+        if not Path(key_path).is_file():
             logger.warning(
                 f"Key file {key_path} is not a valid file, removing the custom certificate ..."
             )
-            remove(cert_path)
+            Path(cert_path).unlink()
-            remove(cert_cache_path)
+            Path(cert_cache_path).unlink()
             return False
 
         key_cache_path = (
@@ -72,7 +72,7 @@ def check_cert(cert_path, key_path, first_server: str = None) -> bool:
         )
         key_hash = file_hash(key_path)
 
-        if not isfile(key_cache_path):
+        if not Path(key_cache_path).is_file():
             Path(key_cache_path).write_text(key_hash)
 
         old_hash = file_hash(key_cache_path)
@@ -122,7 +122,12 @@ try:
 
     # Multisite case
     if getenv("MULTISITE") == "yes":
-        for first_server in getenv("SERVER_NAME").split(" "):
+        servers = getenv("SERVER_NAME", [])
+
+        if isinstance(servers, str):
+            servers = servers.split(" ")
+
+        for first_server in servers:
             if not first_server or (
                 getenv(
                     f"{first_server}_USE_CUSTOM_SSL", getenv("USE_CUSTOM_SSL", "no")

src/common/core/greylist/jobs/greylist-download.py

@@ -2,7 +2,7 @@
 
 from contextlib import suppress
 from ipaddress import ip_address, ip_network
-from os import _exit, getenv, makedirs
+from os import _exit, getenv
 from pathlib import Path
 from re import IGNORECASE, compile as re_compile
 from sys import exit as sys_exit, path as sys_path
@@ -80,13 +80,13 @@ try:
     elif getenv("USE_GREYLIST", "no") == "yes":
         greylist_activated = True
 
-    if greylist_activated is False:
+    if not greylist_activated:
         logger.info("Greylist is not activated, skipping downloads...")
         _exit(0)
 
     # Create directories if they don't exist
-    makedirs("/var/cache/bunkerweb/greylist", exist_ok=True)
+    Path("/var/cache/bunkerweb/greylist").mkdir(parents=True, exist_ok=True)
-    makedirs("/var/tmp/bunkerweb/greylist", exist_ok=True)
+    Path("/var/tmp/bunkerweb/greylist").mkdir(parents=True, exist_ok=True)
 
     # Our urls data
     urls = {"IP": [], "RDNS": [], "ASN": [], "USER_AGENT": [], "URI": []}
@@ -111,7 +111,7 @@ try:
             logger.info(
                 f"Greylist for {kind} is already in cache, skipping downloads...",
             )
-    if all_fresh is True:
+    if all_fresh:
         _exit(0)
 
     # Get URLs
@@ -123,7 +123,7 @@ try:
 
     # Loop on kinds
     for kind, urls_list in urls.items():
-        if kinds_fresh[kind] is True:
+        if kinds_fresh[kind]:
             continue
         # Write combined data of the kind to a single temp file
         for url in urls_list:
@@ -145,7 +145,7 @@ try:
                         line = line.split(b" ")[0]
 
                     ok, data = check_line(kind, line)
-                    if ok is True:
+                    if ok:
                         content += data + b"\n"
                         i += 1
 

src/common/core/jobs/jobs/download-plugins.py

@@ -2,7 +2,8 @@
 
 from io import BytesIO
 from os import getenv, listdir, makedirs, chmod, stat, _exit, walk
-from os.path import join, isfile, dirname
+from os.path import dirname, join
+from pathlib import Path
 from stat import S_IEXEC
 from sys import exit as sys_exit, path as sys_path
 from uuid import uuid4
@@ -39,7 +40,7 @@ def install_plugin(plugin_dir):
     with open(f"{plugin_dir}plugin.json", "rb") as f:
         metadata = loads(f.read())
     # Don't go further if plugin is already installed
-    if isfile(f"/data/plugins/{metadata['id']}/plugin.json"):
+    if Path(f"/data/plugins/{metadata['id']}/plugin.json").is_file():
         logger.info(
             f"Skipping installation of plugin {metadata['id']} (already installed)",
         )

src/common/core/letsencrypt/jobs/certbot-auth.py

@@ -1,7 +1,6 @@
 #!/usr/bin/python3
 
 from os import getenv, makedirs
-from os.path import exists
 from pathlib import Path
 from sys import exit as sys_exit, path as sys_path
 from traceback import format_exc
@@ -35,7 +34,7 @@ try:
         bw_integration = "Kubernetes"
     elif getenv("AUTOCONF_MODE") == "yes":
         bw_integration = "Autoconf"
-    elif exists("/usr/share/bunkerweb/INTEGRATION"):
+    elif Path("/usr/share/bunkerweb/INTEGRATION").exists():
         with open("/usr/share/bunkerweb/INTEGRATION", "r") as f:
             bw_integration = f.read().strip()
     token = getenv("CERTBOT_TOKEN", "")

src/common/core/letsencrypt/jobs/certbot-cleanup.py

@@ -1,7 +1,8 @@
 #!/usr/bin/python3
 
-from os import getenv, remove
+from os import getenv
-from os.path import exists, isfile
+from os.path import isfile
+from pathlib import Path
 from sys import exit as sys_exit, path as sys_path
 from traceback import format_exc
 
@@ -34,7 +35,7 @@ try:
         bw_integration = "Kubernetes"
     elif getenv("AUTOCONF_MODE") == "yes":
         bw_integration = "Autoconf"
-    elif exists("/usr/share/bunkerweb/INTEGRATION"):
+    elif Path("/usr/share/bunkerweb/INTEGRATION").exists():
         with open("/usr/share/bunkerweb/INTEGRATION", "r") as f:
             bw_integration = f.read().strip()
     token = getenv("CERTBOT_TOKEN", "")
@@ -69,7 +70,7 @@ try:
             f"/var/tmp/bunkerweb/lets-encrypt/.well-known/acme-challenge/{token}"
         )
         if isfile(challenge_path):
-            remove(challenge_path)
+            Path(challenge_path).unlink()
 except:
     status = 1
     logger.error(f"Exception while running certbot-cleanup.py :\n{format_exc()}")

src/common/core/letsencrypt/jobs/certbot-deploy.py

@@ -2,7 +2,8 @@
 
 from io import BytesIO
 from os import chmod, getenv, walk
-from os.path import exists, join
+from os.path import join
+from pathlib import Path
 from shutil import chown
 from subprocess import run, DEVNULL, STDOUT
 from sys import exit as sys_exit, path as sys_path
@@ -38,7 +39,7 @@ try:
         bw_integration = "Kubernetes"
     elif getenv("AUTOCONF_MODE") == "yes":
         bw_integration = "Autoconf"
-    elif exists("/usr/share/bunkerweb/INTEGRATION"):
+    elif Path("/usr/share/bunkerweb/INTEGRATION").exists():
         with open("/usr/share/bunkerweb/INTEGRATION", "r") as f:
             bw_integration = f.read().strip()
     token = getenv("CERTBOT_TOKEN", "")

src/common/core/letsencrypt/jobs/certbot-new.py

@@ -1,7 +1,6 @@
 #!/usr/bin/python3
 
-from os import environ, getcwd, getenv
+from os import environ, getenv
-from os.path import exists
 from pathlib import Path
 from subprocess import DEVNULL, STDOUT, run
 from sys import exit as sys_exit, path as sys_path
@@ -71,7 +70,7 @@ try:
                 " ", ","
             )
 
-            if exists(f"/etc/letsencrypt/live/{first_server}/cert.pem"):
+            if Path(f"/etc/letsencrypt/live/{first_server}/cert.pem").exists():
                 logger.info(
                     f"Certificates already exists for domain(s) {domains}",
                 )
@@ -97,7 +96,7 @@ try:
                     f"Certificate generation succeeded for domain(s) : {domains}"
                 )
 
-                if exists(f"/etc/letsencrypt/live/{first_server}/cert.pem"):
+                if Path(f"/etc/letsencrypt/live/{first_server}/cert.pem").exists():
                     cert = Path(
                         f"/etc/letsencrypt/live/{first_server}/cert.pem"
                     ).read_bytes()
@@ -113,11 +112,11 @@ try:
                         logger.warning(f"Couldn't update db cache: {err}")
 
     # Singlesite case
-    elif getenv("AUTO_LETS_ENCRYPT", "no") == "yes" and getenv("SERVER_NAME", ""):
+    elif getenv("AUTO_LETS_ENCRYPT", "no") == "yes" and getenv("SERVER_NAME"):
         first_server = getenv("SERVER_NAME", "").split(" ")[0]
         domains = getenv("SERVER_NAME", "").replace(" ", ",")
 
-        if exists(f"/etc/letsencrypt/live/{first_server}/cert.pem"):
+        if Path(f"/etc/letsencrypt/live/{first_server}/cert.pem").exists():
             logger.info(f"Certificates already exists for domain(s) {domains}")
         else:
             real_email = getenv("EMAIL_LETS_ENCRYPT", f"contact@{first_server}")
@@ -135,7 +134,7 @@ try:
                     f"Certificate generation succeeded for domain(s) : {domains}"
                 )
 
-                if exists(f"/etc/letsencrypt/live/{first_server}/cert.pem"):
+                if Path(f"/etc/letsencrypt/live/{first_server}/cert.pem").exists():
                     cert = Path(
                         f"/etc/letsencrypt/live/{first_server}/cert.pem"
                     ).read_bytes()

src/common/core/letsencrypt/jobs/certbot-renew.py

@@ -1,7 +1,7 @@
 #!/usr/bin/python3
 
-from os import environ, getcwd, getenv
+from os import environ, getenv
-from os.path import exists
+from pathlib import Path
 from subprocess import DEVNULL, STDOUT, run
 from sys import exit as sys_exit, path as sys_path
 from traceback import format_exc
@@ -39,7 +39,12 @@ status = 0
 
 try:
     if getenv("MULTISITE") == "yes":
-        for first_server in getenv("SERVER_NAME").split(" "):
+        servers = getenv("SERVER_NAME", [])
+
+        if isinstance(servers, str):
+            servers = servers.split(" ")
+
+        for first_server in servers:
             if (
                 not first_server
                 or getenv(
@@ -47,7 +52,7 @@ try:
                     getenv("AUTO_LETS_ENCRYPT", "no"),
                 )
                 != "yes"
-                or not exists(f"/etc/letsencrypt/live/{first_server}/cert.pem")
+                or not Path(f"/etc/letsencrypt/live/{first_server}/cert.pem").exists()
             ):
                 continue
 
@@ -59,7 +64,7 @@ try:
                 )
     elif getenv("AUTO_LETS_ENCRYPT", "no") == "yes" and not getenv("SERVER_NAME", ""):
         first_server = getenv("SERVER_NAME", "").split(" ")[0]
-        if exists(f"/etc/letsencrypt/live/{first_server}/cert.pem"):
+        if Path(f"/etc/letsencrypt/live/{first_server}/cert.pem").exists():
             ret = renew(first_server)
             if ret != 0:
                 status = 2

src/common/core/misc/jobs/default-server-cert.py

@@ -24,11 +24,16 @@ try:
     need_default_cert = False
     if getenv("MULTISITE", "no") == "yes":
         for first_server in getenv("SERVER_NAME", "").split(" "):
+<<<<<<< HEAD
             for check_var in [
                 "USE_CUSTOM_SSL",
+=======
+            for check_var in (
+                "USE_CUSTOM_HTTPS",
+>>>>>>> 6bf59b59a25691c6c6dbafc4ffb3051bc1519f34
                 "AUTO_LETS_ENCRYPT",
                 "GENERATE_SELF_SIGNED_SSL",
-            ]:
+            ):
                 if (
                     getenv(f"{first_server}_{check_var}", getenv(check_var, "no"))
                     == "yes"
@@ -38,9 +43,12 @@ try:
             if need_default_cert:
                 break
     elif getenv("DISABLE_DEFAULT_SERVER", "no") == "yes" and (
-        getenv("USE_CUSTOM_SSL", "no") == "yes"
+        "yes"
-        or getenv("AUTO_LETS_ENCRYPT", "no") == "yes"
+        in (
-        or getenv("GENERATE_SELF_SIGNED_SSL", "no") == "yes"
+            getenv("USE_CUSTOM_SSL", "no"),
+            getenv("AUTO_LETS_ENCRYPT", "no"),
+            getenv("GENERATE_SELF_SIGNED_SSL", "no"),
+        )
     ):
         need_default_cert = True
 

src/common/core/realip/jobs/realip-download.py

@@ -2,7 +2,7 @@
 
 from contextlib import suppress
 from ipaddress import ip_address, ip_network
-from os import _exit, getenv, makedirs
+from os import _exit, getenv
 from pathlib import Path
 from sys import exit as sys_exit, path as sys_path
 from traceback import format_exc
@@ -46,7 +46,12 @@ try:
     realip_activated = False
     # Multisite case
     if getenv("MULTISITE", "no") == "yes":
-        for first_server in getenv("SERVER_NAME").split(" "):
+        servers = getenv("SERVER_NAME", [])
+
+        if isinstance(servers, str):
+            servers = servers.split(" ")
+
+        for first_server in servers:
             if (
                 getenv(f"{first_server}_USE_REAL_IP", getenv("USE_REAL_IP", "no"))
                 == "yes"
@@ -58,12 +63,12 @@ try:
     elif getenv("USE_REAL_IP", "no") == "yes":
         realip_activated = True
 
-    if realip_activated is False:
+    if not realip_activated:
         logger.info("RealIP is not activated, skipping download...")
         _exit(0)
 
     # Create directory if it doesn't exist
-    makedirs("/var/cache/bunkerweb/realip", exist_ok=True)
+    Path("/var/cache/bunkerweb/realip").mkdir(parents=True, exist_ok=True)
 
     # Don't go further if the cache is fresh
     if is_cached_file("/var/cache/bunkerweb/realip/combined.list", "hour"):

src/common/core/selfsigned/jobs/self-signed.py

@@ -1,7 +1,7 @@
 #!/usr/bin/python3
 
-from os import getenv, makedirs
+from os import getenv
-from os.path import isfile
+from pathlib import Path
 from subprocess import DEVNULL, STDOUT, run
 from sys import exit as sys_exit, path as sys_path
 from traceback import format_exc
@@ -25,7 +25,7 @@ db = Database(
 
 
 def generate_cert(first_server, days, subj):
-    if isfile(f"/var/cache/bunkerweb/selfsigned/{first_server}.pem"):
+    if Path(f"/var/cache/bunkerweb/selfsigned/{first_server}.pem").is_file():
         cmd = f"openssl x509 -checkend 86400 -noout -in /var/cache/bunkerweb/selfsigned/{first_server}.pem"
         proc = run(cmd.split(" "), stdin=DEVNULL, stderr=STDOUT)
         if proc.returncode == 0:
@@ -67,12 +67,16 @@ def generate_cert(first_server, days, subj):
 status = 0
 
 try:
-
+    Path("/var/cache/bunkerweb/selfsigned/").mkdir(parents=True, exist_ok=True)
-    makedirs("/var/cache/bunkerweb/selfsigned/", exist_ok=True)
 
     # Multisite case
     if getenv("MULTISITE") == "yes":
-        for first_server in getenv("SERVER_NAME").split(" "):
+        servers = getenv("SERVER_NAME", [])
+
+        if isinstance(servers, str):
+            servers = servers.split(" ")
+
+        for first_server in servers:
             if (
                 not first_server
                 or getenv(
@@ -80,7 +84,7 @@ try:
                     getenv("GENERATE_SELF_SIGNED_SSL", "no"),
                 )
                 != "yes"
-                or isfile(f"/var/cache/bunkerweb/selfsigned/{first_server}.pem")
+                or Path(f"/var/cache/bunkerweb/selfsigned/{first_server}.pem").is_file()
             ):
                 continue
 
@@ -101,9 +105,7 @@ try:
                 status = 1
 
     # Singlesite case
-    elif getenv("GENERATE_SELF_SIGNED_SSL", "no") == "yes" and getenv(
+    elif getenv("GENERATE_SELF_SIGNED_SSL", "no") == "yes" and getenv("SERVER_NAME"):
-        "SERVER_NAME", ""
-    ):
         first_server = getenv("SERVER_NAME", "").split(" ")[0]
         ret, ret_status = generate_cert(
             first_server,

src/common/core/whitelist/jobs/whitelist-download.py

@@ -2,7 +2,7 @@
 
 from contextlib import suppress
 from ipaddress import ip_address, ip_network
-from os import _exit, getenv, makedirs
+from os import _exit, getenv
 from pathlib import Path
 from re import IGNORECASE, compile as re_compile
 from sys import exit as sys_exit, path as sys_path
@@ -80,13 +80,13 @@ try:
     elif getenv("USE_WHITELIST", "no") == "yes":
         whitelist_activated = True
 
-    if whitelist_activated is False:
+    if not whitelist_activated:
         logger.info("Whitelist is not activated, skipping downloads...")
         _exit(0)
 
     # Create directories if they don't exist
-    makedirs("/var/cache/bunkerweb/whitelist", exist_ok=True)
+    Path("/var/cache/bunkerweb/whitelist").mkdir(parents=True, exist_ok=True)
-    makedirs("/var/tmp/bunkerweb/whitelist", exist_ok=True)
+    Path("/var/tmp/bunkerweb/whitelist").mkdir(parents=True, exist_ok=True)
 
     # Our urls data
     urls = {"IP": [], "RDNS": [], "ASN": [], "USER_AGENT": [], "URI": []}
@@ -111,7 +111,7 @@ try:
             logger.info(
                 f"Whitelist for {kind} is already in cache, skipping downloads...",
             )
-    if all_fresh is True:
+    if all_fresh:
         _exit(0)
 
     # Get URLs
@@ -123,7 +123,7 @@ try:
 
     # Loop on kinds
     for kind, urls_list in urls.items():
-        if kinds_fresh[kind] is True:
+        if kinds_fresh[kind]:
             continue
         # Write combined data of the kind to a single temp file
         for url in urls_list:
@@ -145,7 +145,7 @@ try:
                         line = line.split(b" ")[0]
 
                     ok, data = check_line(kind, line)
-                    if ok is True:
+                    if ok:
                         content += data + b"\n"
                         i += 1
 

src/scheduler/Dockerfile

@@ -64,7 +64,7 @@ RUN apk add --no-cache bash libgcc libstdc++ openssl && \
   chmod 660 /usr/share/bunkerweb/INTEGRATION
 
 # Fix CVEs
-RUN apk add "libssl1.1>=1.1.1q-r0" "libcrypto1.1>=1.1.1q-r0" "libxml2>=2.9.14-r1" "expat>=2.5.0-r0" "git>=2.36.5-r0"
+RUN apk add "libssl1.1>=1.1.1q-r0" "libcrypto1.1>=1.1.1q-r0" "libxml2>=2.9.14-r1" "expat>=2.5.0-r0" "git>=2.36.5-r0" "curl>=7.87.0-r2" "libcurl>=7.87.0-r2"
 
 VOLUME /data /etc/nginx
 

src/ui/Dockerfile

@@ -50,7 +50,7 @@ RUN apk add --no-cache bash && \
     chmod 660 /usr/share/bunkerweb/INTEGRATION
 
 # Fix CVEs
-RUN apk add "libssl1.1>=1.1.1q-r0" "libcrypto1.1>=1.1.1q-r0" "libxml2>=2.9.14-r1" "expat>=2.5.0-r0" "git>=2.36.5-r0"
+RUN apk add "libssl1.1>=1.1.1q-r0" "libcrypto1.1>=1.1.1q-r0" "libxml2>=2.9.14-r1" "expat>=2.5.0-r0" "git>=2.36.5-r0" "curl>=7.87.0-r2" "libcurl>=7.87.0-r2"
 
 VOLUME /data /etc/nginx