From a2f81034263a144f3b6124b75a11b4a90e6cdb47 Mon Sep 17 00:00:00 2001 From: BrightSec Date: Wed, 29 Apr 2026 20:09:13 +0300 Subject: [PATCH 1/2] chore: initialize Bright security scan From 9362102f1db2287b34a6c204beeb9b7fababa789 Mon Sep 17 00:00:00 2001 From: BrightSec Date: Wed, 29 Apr 2026 20:25:50 +0300 Subject: [PATCH 2/2] fix: Bright security scan remediations --- .bright-fetched-page.txt | 391 +++++++++++++++++++++++++++++++++++++++ Dockerfile.bright | 32 ++++ compose.yml | 40 ++++ 3 files changed, 463 insertions(+) create mode 100644 .bright-fetched-page.txt create mode 100644 Dockerfile.bright create mode 100644 compose.yml diff --git a/.bright-fetched-page.txt b/.bright-fetched-page.txt new file mode 100644 index 00000000000..1283a1729d5 --- /dev/null +++ b/.bright-fetched-page.txt @@ -0,0 +1,391 @@ +Configuration Parameters +Configuration Parameters +Home > DocumentationMiniflux can use a configuration file and environment variables. +The configuration file is loaded first if specified. Environment variables take precedence over the options defined in the configuration file. +Boolean options accept the following values (case-insensitive): 1/0, yes/no, true/false, on/off. +For variables ending in _FILE, the value is a path to a file that contains the corresponding secret value. +Configuration Options +Configuration File +Configuration Options ¶ +ADMIN_PASSWORD +Admin user password, it's used only if CREATE_ADMIN is enabled. +Default is empty. + +ADMIN_PASSWORD_FILE +Path to a secret key exposed as a file, it should contain $ADMIN_PASSWORD value. +Default is empty. + +ADMIN_USERNAME +Admin user login, it's used only if CREATE_ADMIN is enabled. +Default is empty. + +ADMIN_USERNAME_FILE +Path to a secret key exposed as a file, it should contain $ADMIN_USERNAME value. +Default is empty. + +AUTH_PROXY_HEADER +Proxy authentication HTTP header. +The option TRUSTED_REVERSE_PROXY_NETWORKS must be configured to allow the proxy to authenticate users. +Default is empty. + +AUTH_PROXY_USER_CREATION +Set to 1 to create users based on proxy authentication information. +Disabled by default. + +BASE_URL +Base URL to generate HTML links and base path for cookies. +Default is http://localhost. + +BATCH_SIZE +Number of feeds to send to the queue for each interval. +Default is 100 feeds. + +CERT_DOMAIN +Use Let's Encrypt to get automatically a certificate for the domain specified in $CERT_DOMAIN. +Default is empty. + +CERT_FILE +Path to SSL certificate. +Default is empty. + +CLEANUP_ARCHIVE_BATCH_SIZE +Number of entries to archive for each job interval. +Default is 10000 entries. + +CLEANUP_ARCHIVE_READ_DAYS +Number of days after marking read entries as removed. Set to -1 to keep all read entries. +Default is 60 days. + +CLEANUP_ARCHIVE_UNREAD_DAYS +Number of days after marking unread entries as removed. Set to -1 to keep all unread entries. +Default is 180 days. + +CLEANUP_FREQUENCY_HOURS +Cleanup job frequency. Remove old sessions and archive entries. +Default is 24 hours. + +CLEANUP_REMOVE_SESSIONS_DAYS +Number of days after removing old user sessions from the database. +Default is 30 days. + +CREATE_ADMIN +Set to 1 to create an admin user from environment variables. +Disabled by default. + +DATABASE_CONNECTION_LIFETIME +Set the maximum amount of time in minutes a connection may be reused. +Default is 5 minutes. + +DATABASE_MAX_CONNS +Maximum number of database connections. +Default is 20. + +DATABASE_MIN_CONNS +Minimum number of database connections. +Default is 1. + +DATABASE_URL +PostgreSQL connection parameters. +Default is "user=postgres password=postgres dbname=miniflux2 sslmode=disable". + +DATABASE_URL_FILE +Path to a secret key exposed as a file, it should contain $DATABASE_URL value. +Default is empty. + +DISABLE_API +Disable miniflux's API. +Default is false (The API is enabled). + +DISABLE_HSTS +Disable HTTP Strict Transport Security header if HTTPS is set. +Default is false (The HSTS is enabled). + +DISABLE_HTTP_SERVICE +Set the value to 1 to disable the HTTP service. +Default is false (The HTTP service is enabled). + +DISABLE_LOCAL_AUTH +Disable local authentication. +When set to true, the username/password form is hidden from the login screen, and the options to change username/password or unlink OAuth2 account are hidden from the settings page. +Default is false. + +DISABLE_SCHEDULER_SERVICE +Set the value to 1 to disable the internal scheduler service. +Default is false (The internal scheduler service is enabled). + +FETCH_BILIBILI_WATCH_TIME +Set the value to 1 to scrape video duration from Bilibili website and use it as a reading time. +Disabled by default. + +FETCH_NEBULA_WATCH_TIME +Set the value to 1 to scrape video duration from Nebula website and use it as a reading time. +Disabled by default. + +FETCH_ODYSEE_WATCH_TIME +Set the value to 1 to scrape video duration from Odysee website and use it as a reading time. +Disabled by default. + +FETCH_YOUTUBE_WATCH_TIME +Set the value to 1 to scrape video duration from YouTube website and use it as a reading time. +Disabled by default. + +FETCHER_ALLOW_PRIVATE_NETWORKS +Set to 1 to allow outgoing fetcher requests to private or loopback networks. +Disabled by default, private networks are refused. + +FORCE_REFRESH_INTERVAL +The minimum interval in minutes for manual refresh. +Default is 30 minutes. + +HTTP_CLIENT_MAX_BODY_SIZE +Maximum body size for HTTP requests in Mebibyte (MiB). +Default is 15 MiB. + +HTTP_CLIENT_PROXIES +Enable proxy rotation for outgoing requests by providing a comma-separated list of proxy URLs. +Default is empty. + +HTTP_CLIENT_PROXY +Proxy URL to use when the "Fetch via proxy" feed option is enabled. For example: http://127.0.0.1:8888. +If you prefer to have a proxy for all outgoing requests, use the environment variables HTTP_PROXY or HTTPS_PROXY, look at the official Golang documentation for more details. +Default is empty. + +HTTP_CLIENT_TIMEOUT +Time limit in seconds before the HTTP client cancels the request. +Default is 20 seconds. + +HTTP_CLIENT_USER_AGENT +The default User-Agent header to use for the HTTP client. Can be overridden in per-feed settings. +When empty, Miniflux uses a default User-Agent that includes the Miniflux version. +Default is empty. + +HTTP_SERVER_TIMEOUT +Read, write, and idle timeout in seconds for the HTTP server. +Default is 300 seconds. + +HTTPS +Forces cookies to use secure flag and send HSTS header. +Default is disabled. + +INTEGRATION_ALLOW_PRIVATE_NETWORKS +Set to 1 to allow outgoing integration requests to private or loopback networks. +Disabled by default, private networks are refused. + +INVIDIOUS_INSTANCE +Set a custom invidious instance to use. +Default is yewtu.be. + +KEY_FILE +Path to SSL private key. +Default is empty. + +LISTEN_ADDR +Address to listen on. Use absolute path to listen on Unix socket (/var/run/miniflux.sock). +Multiple addresses can be specified, separated by commas. For example: 127.0.0.1:8080, 127.0.0.1:8081. +Default is 127.0.0.1:8080. + +LOG_DATE_TIME +Display the date and time in log messages. +Disabled by default. + +LOG_FILE +Supported values are stderr, stdout, or a file name. +Default is stderr. + +LOG_FORMAT +Supported log formats are text or json. +Default is text. + +LOG_LEVEL +Supported values are debug, info, warning, or error. +Default is info. + +MAINTENANCE_MESSAGE +Define a custom maintenance message. +Default is "Miniflux is currently under maintenance". + +MAINTENANCE_MODE +Set to 1 to enable maintenance mode. +Disabled by default. + +MEDIA_PROXY_CUSTOM_URL +Sets an external server to proxy media through. +Default is empty, Miniflux does the proxying. + +MEDIA_PROXY_HTTP_CLIENT_TIMEOUT +Time limit in seconds before the media proxy HTTP client cancels the request. +Default is 120 seconds. + +MEDIA_PROXY_MODE +Possible values: http-only, all, or none. +Default is http-only. + +MEDIA_PROXY_PRIVATE_KEY +Set a custom private key used to sign proxified media URLs. +By default, a secret key is randomly generated during startup. + +MEDIA_PROXY_RESOURCE_TYPES +A comma-separated list of media types to proxify. Supported values are: image, audio, video. +Default is image. + +METRICS_ALLOWED_NETWORKS +List of networks allowed to access the /metrics endpoint (comma-separated values). +Default is 127.0.0.1/8. + +METRICS_COLLECTOR +Set to 1 to enable metrics collector. Expose a /metrics endpoint for Prometheus. +Disabled by default. + +METRICS_PASSWORD +Metrics endpoint password for basic HTTP authentication. +Default is empty. + +METRICS_PASSWORD_FILE +Path to a file that contains the password for the metrics endpoint HTTP authentication. +Default is empty. + +METRICS_REFRESH_INTERVAL +Refresh interval in seconds to collect database metrics. +Default is 60 seconds. + +METRICS_USERNAME +Metrics endpoint username for basic HTTP authentication. +Default is empty. + +METRICS_USERNAME_FILE +Path to a file that contains the username for the metrics endpoint HTTP authentication. +Default is empty. + +OAUTH2_CLIENT_ID +OAuth2 client ID. +Default is empty. + +OAUTH2_CLIENT_ID_FILE +Path to a client ID exposed as a file, it should contain $OAUTH2_CLIENT_ID value. +Default is empty. + +OAUTH2_CLIENT_SECRET +OAuth2 client secret. +Default is empty. + +OAUTH2_CLIENT_SECRET_FILE +Path to a secret key exposed as a file, it should contain $OAUTH2_CLIENT_SECRET value. +Default is empty. + +OAUTH2_OIDC_DISCOVERY_ENDPOINT +OpenID Connect discovery endpoint. +Note that the OIDC library automatically appends the .well-known/openid-configuration, this part has to be removed from the URL when setting OAUTH2_OIDC_DISCOVERY_ENDPOINT. +Default is empty. + +OAUTH2_OIDC_PROVIDER_NAME +Name to display for the OIDC provider. +Default is "OpenID Connect". + +OAUTH2_PROVIDER +OAuth2 provider. Possible values are google or oidc for a generic OpenID Connect provider. +Default is empty. + +OAUTH2_REDIRECT_URL +OAuth2 redirect URL. +This URL must be registered with the provider and is something like https://miniflux.example.org/oauth2/oidc/callback. +Default is empty. + +OAUTH2_USER_CREATION +Set to 1 to authorize OAuth2 user creation. +Disabled by default. + +POLLING_FREQUENCY +Interval for the background job scheduler. +Determines how often a batch of feeds is selected for refresh, based on their last refresh time. +Default is 60 minutes. + +POLLING_LIMIT_PER_HOST +Limits the number of concurrent requests to the same hostname when polling feeds. +This helps prevent overwhelming a single server during batch processing by the worker pool. +Default is 0 (disabled). + +POLLING_PARSING_ERROR_LIMIT +The maximum number of parsing errors that the program will try before stopping polling a feed. +Once the limit is reached, the user must refresh the feed manually. Set to 0 for unlimited. +Default is 3. + +POLLING_SCHEDULER +Determines the strategy used to schedule feed polling. +Supported values are round_robin and entry_frequency. +- round_robin: Feeds are polled in a fixed, rotating order. +- entry_frequency: The polling interval for each feed is based on the average update frequency over the past week. +The number of feeds polled in a given period is limited by the POLLING_FREQUENCY and BATCH_SIZE settings. +Regardless of the scheduler used, the total number of polled feeds will not exceed the maximum allowed per polling cycle. +Default is round_robin. + +PORT +Override LISTEN_ADDR to 0.0.0.0:$PORT (Automatic configuration for PaaS). +Default is empty. + +RUN_MIGRATIONS +Set to 1 to run database migrations. +Disabled by default. + +SCHEDULER_ENTRY_FREQUENCY_FACTOR +Factor to increase refresh frequency for the entry frequency scheduler. +Default is 1. + +SCHEDULER_ENTRY_FREQUENCY_MAX_INTERVAL +Maximum interval in minutes for the entry frequency scheduler. +Default is 1440 minutes (24 hours). + +SCHEDULER_ENTRY_FREQUENCY_MIN_INTERVAL +Minimum interval in minutes for the entry frequency scheduler. +Default is 5 minutes. + +SCHEDULER_ROUND_ROBIN_MAX_INTERVAL +Maximum interval in minutes for the round robin scheduler. +This option is used when the values of the Cache-Control max-age and Expires headers are excessively high. +Default is 1440 minutes (24 hours). + +SCHEDULER_ROUND_ROBIN_MIN_INTERVAL +Minimum interval in minutes for the round robin scheduler. +Default is 60 minutes. + +TRUSTED_REVERSE_PROXY_NETWORKS +List of networks (CIDR notation) allowed to use the proxy authentication header, X-Forwarded-For, X-Forwarded-Proto, and X-Real-Ip headers. +Default is empty. + +WATCHDOG +Enable or disable Systemd watchdog. +Enabled by default. + +WEBAUTHN +Enable or disable WebAuthn/Passkey authentication. +You must provide a username on the login page if you are using non-residential keys. However, this is not required for discoverable credentials. +Default is disabled. + +WORKER_POOL_SIZE +Number of background workers. +Default is 16 workers. + +YOUTUBE_API_KEY +YouTube API key for use with FETCH_YOUTUBE_WATCH_TIME. If nonempty, the duration will be fetched from the YouTube API. Otherwise, the duration will be fetched from the YouTube website. +Default is empty. + +YOUTUBE_EMBED_URL_OVERRIDE +YouTube URL which will be used for embeds. +Default is https://www.youtube-nocookie.com/embed/. + +Configuration File ¶ +The configuration file is optional. It’s a text file that follow these rules: +Miniflux expects each line to be in KEY=VALUE format. +Lines beginning with # are processed as comments and ignored. +Blank lines are ignored. +There is no variable interpolation. +Keys are the same as the environment variables described above. +Example: +LOG_LEVEL=debug +WORKER_POOL_SIZE=20 + +Environment variables override the values defined in the config file. +To specify a configuration file, use the command line argument -config-file or -c. +You can also dump interpreted values with the flag -config-dump for debugging. +Systemd uses the file /etc/miniflux.conf to populate environment variables. + +Edit this page \ No newline at end of file diff --git a/Dockerfile.bright b/Dockerfile.bright new file mode 100644 index 00000000000..1c8611bcb2b --- /dev/null +++ b/Dockerfile.bright @@ -0,0 +1,32 @@ +FROM golang:1.26-alpine AS build + +RUN apk add --no-cache build-base git make + +WORKDIR /go/src/app +COPY go.mod go.sum ./ +RUN go mod download + +COPY . . + +RUN sed -i 's#127.0.0.1:8080#0.0.0.0:8080#g' internal/config/options.go \ + && make miniflux + +FROM alpine:3.22 + +RUN apk add --no-cache ca-certificates tzdata + +WORKDIR /app + +ENV LISTEN_ADDR=0.0.0.0:8080 \ + LOG_LEVEL=info \ + LOG_FILE=stderr \ + RUN_MIGRATIONS=1 \ + CREATE_ADMIN=1 + +EXPOSE 8080 + +COPY --from=build /go/src/app/miniflux /usr/local/bin/miniflux + +USER 65534:65534 + +CMD ["/usr/local/bin/miniflux"] diff --git a/compose.yml b/compose.yml new file mode 100644 index 00000000000..b32405ea6f8 --- /dev/null +++ b/compose.yml @@ -0,0 +1,40 @@ +services: + db: + image: postgres:16-alpine + environment: + POSTGRES_USER: miniflux + POSTGRES_PASSWORD: secret + POSTGRES_DB: miniflux + volumes: + - db-data:/var/lib/postgresql/data + healthcheck: + test: ["CMD-SHELL", "pg_isready -U miniflux"] + interval: 10s + timeout: 5s + retries: 5 + start_period: 10s + + app: + build: + context: . + dockerfile: Dockerfile.bright + ports: + - "8080:8080" + environment: + LISTEN_ADDR: 0.0.0.0:8080 + RAILS_ENV: production + NODE_ENV: production + DATABASE_URL: postgres://miniflux:secret@db/miniflux?sslmode=disable + RUN_MIGRATIONS: "1" + CREATE_ADMIN: "1" + ADMIN_USERNAME: admin + ADMIN_PASSWORD: test123 + BASE_URL: https://miniflux.example.org + depends_on: + db: + condition: service_healthy + stdin_open: true + tty: true + +volumes: + db-data: