.gitlab-ci.yml

 include: "https://git.autistici.org/ai3/build-container/raw/master/common.yml"
+
+# test the newly built container before releasing it.
+stages:
+  - build
+  - test
+  - release
+
+test:
+  stage: test
+  image: ${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/debian:stable
+  services:
+    - name: ${IMAGE_TAG}
+      alias: noblogs
+    - name: ${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/mysql:latest
+      alias: mysql
+  variables:
+    APACHE_PORT: 8080
+    SITE_URL: "http://noblogs:8080"
+    MYSQL_DATABASE: noblogstest
+    MYSQL_ROOT_PASSWORD: changeme
+    PHP_FPM_USER: www-data
+  script:
+    - apt -q update
+    - env DEBIAN_FRONTEND=noninteractive apt -y --no-install-recommends install curl
+    - "curl -H 'Host: noblogs.org' -v ${SITE_URL}"
+

Dockerfile

-FROM composer:1.10.1 as build
+FROM composer:2.2.9 as build
 
 ADD . /build
 WORKDIR /build
@@ -13,7 +13,9 @@ COPY docker/wp-config.php /opt/noblogs/www/wp-config.php
 COPY docker/wp-cache-config.php /opt/noblogs/www/wp-content/wp-cache-config.php
 COPY docker/conf /tmp/conf
 COPY docker/build.sh /tmp/build.sh
-COPY docker/post-upgrade.sh /post-upgrade.sh
 
 RUN /tmp/build.sh && rm /tmp/build.sh
 
+# For testing purposes (8080 is the default port of apache2-php-base).
+EXPOSE 8080/tcp
+

Dockerfile.dev

-FROM composer:1.10.1
+FROM composer:2.2.9
 
 ARG uid=1000
 ARG gid=1000

composer.json

@@ -31,17 +31,17 @@
     },
     "require": {
         "php": ">=7.1",
-        "composer/installers": "1.11.0",
-        "oomphinc/composer-installers-extender": "2.0.0",
-        "cweagans/composer-patches": "1.7.1",
-        "koodimonni/composer-dropin-installer": "1.3",
-        "johnpbloch/wordpress": "5.8.1",
-        "bjornjohansen/wplang": "0.1.1",
-        "wpackagist-plugin/disable-wordpress-updates": "1.6.8",
+        "composer/installers": "1.12.0",
+        "oomphinc/composer-installers-extender": "2.0.1",
+        "cweagans/composer-patches": "1.7.2",
+        "koodimonni/composer-dropin-installer": "1.4",
+        "johnpbloch/wordpress": "5.9.3",
+        "bjornjohansen/wplang": "0.2.0",
+        "wpackagist-plugin/disable-wordpress-updates": "1.7.0",
         "wpackagist-plugin/more-privacy-options": "4.6",
-        "wpackagist-plugin/disable-emojis": "1.7.3",
-        "wpackagist-plugin/wp-super-cache": "1.7.4",
-        "wpackagist-plugin/wp-piwik": "1.0.26",
+        "wpackagist-plugin/disable-emojis": "1.7.4",
+        "wpackagist-plugin/wp-super-cache": "1.7.7",
+        "wpackagist-plugin/wp-piwik": "1.0.27",
         "wpackagist-plugin/wp-statusnet": "1.4.2",
         "wpackagist-plugin/wp-syntax": "1.1",
         "wpackagist-plugin/wpmu-custom-css": "^1.06",
@@ -68,61 +68,65 @@
         "wpackagist-theme/thematic": "1.0.4",
         "wpackagist-theme/the-scenery": "0.93",
         "wpackagist-theme/threattocreativity": "3.2",
-        "wpackagist-theme/twentyeleven": "3.9",
-        "wpackagist-theme/twentyfifteen": "3.0",
-        "wpackagist-theme/twentyfourteen": "3.2",
-        "wpackagist-theme/twentynineteen": "2.1",
-        "wpackagist-theme/twentyseventeen": "2.8",
+        "wpackagist-theme/twentyeleven": "4.0",
+        "wpackagist-theme/twentyfifteen": "3.1",
+        "wpackagist-theme/twentyfourteen": "3.3",
+        "wpackagist-theme/twentynineteen": "2.2",
+        "wpackagist-theme/twentyseventeen": "2.9",
         "wpackagist-theme/twentysixteen": "2.5",
-        "wpackagist-theme/twentyten": "3.5",
-        "wpackagist-theme/twentythirteen": "3.4",
-        "wpackagist-theme/twentytwelve": "3.5",
-        "wpackagist-theme/twentytwenty": "1.8",
+        "wpackagist-theme/twentyten": "3.6",
+        "wpackagist-theme/twentythirteen": "3.5",
+        "wpackagist-theme/twentytwelve": "3.6",
+        "wpackagist-theme/twentytwenty": "1.9",
         "wpackagist-theme/wp-andreas01": "2.0",
         "wpackagist-theme/zenlite": "4.10",
         "npm-asset/scriptaculous-js": "1.9.0",
         "npm-asset/prototype-js-core": "1.7.3",
+	"noblogs/event-list": "0.8.6",
         "noblogs/r2db": "0.1.7",
-        "noblogs/ai-global-activity-plugin": "0.0.11",
-        "noblogs/ai-buddypress-plugin": "0.1.1",
+        "noblogs/ai-global-activity-plugin": "0.0.18",
         "noblogs/ai-mu-plugins": "0.3.1",
         "noblogs/noblogs-wp-ssl": "0.1.0",
         "noblogs/remove-gravatar": "0.1.1",
-        "noblogs/themes-child": "0.2.0",
+        "noblogs/themes-child": "0.5.2",
         "wpackagist-plugin/autopost-to-mastodon": "3.6.1",
         "wpackagist-plugin/bogo": "3.5.3",
         "wpackagist-plugin/classic-editor": "1.6.2",
         "wpackagist-plugin/disable-comments": "1.11.0",
         "wpackagist-plugin/dvk-social-sharing": "1.3.3",
-        "wpackagist-plugin/event-list": "0.8.6",
         "wpackagist-plugin/feedwordpress": "^2020.0818",
         "wpackagist-plugin/footnotation": "1.2",
         "wpackagist-plugin/i-love-xm24-ribbon": "0.0.4",
         "wpackagist-plugin/nofollow-free": "1.6.3",
-        "wpackagist-plugin/pubsubhubbub": "3.1.0",
+        "wpackagist-plugin/pubsubhubbub": "3.1.2",
         "wpackagist-plugin/rss-license": "0.1",
         "wpackagist-plugin/simply-exclude": "2.0.6.6",
         "wpackagist-plugin/soundcloud-shortcode": "3.0.2",
-        "wpackagist-plugin/squat-radar-calendar-integration": "2.0.8",
+        "wpackagist-plugin/squat-radar-calendar-integration": "2.0.9",
         "wpackagist-plugin/two-factor": "0.7.1",
         "wpackagist-plugin/video-sidebar-widgets": "6.1",
         "wpackagist-plugin/wordpress-importer": "0.7",
         "wpackagist-plugin/wp-recaptcha-bp": "4.1",
         "wpackagist-plugin/wp2pgpmail": "1.28",
-        "wpackagist-plugin/buddypress": "9.1.1",
         "noblogs/noblogs-home": "0.1.4",
-        "wpackagist-plugin/katex": "2.2.2",
+        "wpackagist-plugin/katex": "2.2.3",
         "noblogs/eu-compliance": "0.1.0",
         "noblogs/nospam": "0.2.2",
         "noblogs/themes-misc": "0.1.2",
         "stuttter/ludicrousdb": "5.0.0",
         "wpackagist-plugin/creative-commons": "^2021.04",
-        "wpackagist-plugin/disable-remove-google-fonts": "1.3.1",
+        "wpackagist-plugin/disable-remove-google-fonts": "1.3.7",
         "wpackagist-plugin/footnotes": "2.7.3",
         "wpackagist-plugin/wpuntexturize": "2.2",
-        "wpackagist-theme/spearhead": "^1.2",
-        "wpackagist-theme/blank-canvas": "^1.2",
-        "wpackagist-theme/seedlet": "^1.1"
+        "wpackagist-theme/seedlet": "1.1.13",
+        "wpackagist-theme/enjoyblog": "1.0.2",
+        "wpackagist-theme/big-scene": "1.2.4",
+        "wpackagist-theme/lalita": "1.4.0",
+        "wpackagist-theme/newscard": "1.2.8",
+        "wpackagist-theme/digitally": "1.0.8",
+        "wpackagist-theme/ff-multipurpose": "1.2.0",
+        "wpackagist-plugin/two-factor-provider-webauthn": "1.0.3",
+        "wpackagist-plugin/event-organiser": "3.12.0"
     },    
     "extra": {
         "wordpress-install-dir": "app",

composer.patches.json

 {
     "patches": {
         "johnpbloch/wordpress-core": {
-            "Patch definition of WP_CONTENT_URL to include SSL when it might not ": "patches/core/0052-fix-ssl-wp-content-url.patch",
             "Anonymize requests to api.wordpress.org for updates": "patches/core/anonymize-update.php.patch",
             "Do not perform pingbacks and trackbacks when we update via cron": "patches/core/0103-Remove-pingback-trackback.patch",
             "Load JS library locally instead than from Googleapis": "patches/core/0155-Removing-reference-to-googleapis-from-wp-includes-up.patch",

docker/build.sh

@@ -18,10 +18,13 @@ PACKAGES="
         libapache2-mod-xsendfile
         libapache2-mod-security2
         modsecurity-crs
-        php-xml
+        php-imagick
+        php-intl
         php-mysql
         php-memcached
         php-mbstring
+        php-xml
+        php-zip
 
         noblogs-cli
 "

docker/conf/chaperone.d/clean-sessions.service

-clean_sessions.service: {
-    type: cron,
-    interval: "10,40 * * * *",
-    command: "/usr/bin/find /var/lib/php/sessions -mindepth 1 -type f -mtime +1 -delete",
-}

docker/conf/chaperone.d/startup.conf

-noblogs_upgrade.service: {
-    type: oneshot,
-    stdout: inherit,
-    command: "/post-upgrade.sh",
-    ignore_failures: true,
-    process_timeout: 7200,
-    exit_kills: false,
-}

docker/conf/modsecurity/crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf

@@ -21,16 +21,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/themes.php" \
     phase:2,\
     pass,\
     nolog,\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:newcontent"
-
-# The ability to edit CSS triggers XSS rules when editing posts.
-# Disable all CRS rules on the wp-json API endpoint.
-SecRule REQUEST_URI "@beginsWith /wp-json/wp/v2/posts/" \
-    "id:1003,\
-    phase:2,\
-    pass,\
-    nolog,\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:content"
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:newcontent"
 
 # Make the eventlist plugin work (SIGH for the lack of regexps).
 SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
@@ -38,26 +29,26 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
     phase:2,\
     pass,\
     nolog,\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-event_list_widget[1][title],\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-event_list_widget[1][cat_filter],\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-event_list_widget[1][num_events],\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-event_list_widget[1][location_length],\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-event_list_widget[2][title],\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-event_list_widget[2][cat_filter],\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-event_list_widget[2][num_events],\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-event_list_widget[2][location_length],\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-event_list_widget[3][title],\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-event_list_widget[3][cat_filter],\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-event_list_widget[3][num_events],\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-event_list_widget[3][location_length],\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-event_list_widget[4][title],\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-event_list_widget[4][cat_filter],\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-event_list_widget[4][num_events],\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-event_list_widget[4][location_length],\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-event_list_widget[5][title],\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-event_list_widget[5][cat_filter],\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-event_list_widget[5][num_events],\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-event_list_widget[5][location_length]"
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[1][title],\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[1][cat_filter],\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[1][num_events],\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[1][location_length],\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[2][title],\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[2][cat_filter],\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[2][num_events],\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[2][location_length],\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[3][title],\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[3][cat_filter],\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[3][num_events],\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[3][location_length],\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[4][title],\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[4][cat_filter],\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[4][num_events],\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[4][location_length],\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[5][title],\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[5][cat_filter],\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[5][num_events],\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[5][location_length]"
 
 # More eventlist plugin workarounds.
 SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
@@ -78,3 +69,24 @@ SecRule REQUEST_URI "@beginsWith /" \
     ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:message_body,\
     ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:text"
 
+# Gutenberg-related requests.
+SecRule REQUEST_URI "@beginsWith /wp-json/batch/v1" \
+    "id:1007,\
+    phase:2,\
+    pass,\
+    nolog,\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:requests.requests.body.instance.raw.content"
+SecRule REQUEST_URI "@beginsWith /wp-json/wp/v2/widget-types/text/encode" \
+    "id:1008,\
+    pass,\
+    nolog,\
+    ctl:ruleEngine=Off"
+
+SecRule REQUEST_URI "@beginsWith /wp-admin/network/site-settings.php" \
+    "id:1009,\
+    phase:2,\
+    pass,\
+    nolog,\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:option[wp-piwik-tracking_code],\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:option[wp-piwik-noscript_code]"
+

docker/conf/modsecurity/crs/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf

@@ -36,3 +36,9 @@ SecRuleRemoveByID 930110
 # CR/LF + HTTP method name.
 SecRuleRemoveByID 921110
 
+# Ingres SQL exfil rule.
+SecRuleRemoveByID 951190
+
+# Windows PowerShell Command
+SecRuleRemoveByID 932120
+

docker/conf/php/7.3/fpm/pool.d/www.conf → docker/conf/php/7.4/fpm/pool.d/www.conf

 [www]
-listen = /run/php/php7.3-fpm.sock
+user = ${PHP_FPM_USER}
+listen = /run/php/php7.4-fpm.sock
 
 pm = dynamic
 pm.max_children = 75

docker/wp-config.php

@@ -4,8 +4,38 @@
  * First of all, read our own configuration file.
  *
  * Store the result in an associative array '$noblogs_config'.
+ *
+ * If the configuration file does not exist, start with a testing
+ * configuration that is meant to work with our CI.
  */
-$noblogs_config = json_decode(file_get_contents('/etc/noblogs/config.json'), true);
+$noblogs_config = array(
+                        "secrets" => array(
+                                           "auth_key" => "testkey",
+                                           "secure_auth_key" => "testkey",
+                                           "logged_in_key" => "testkey",
+                                           "nonce_key" => "testkey",
+                                           "auth_salt" => "testkey",
+                                           "secure_auth_salt" => "testkey",
+                                           "logged_in_salt" => "testkey",
+                                           "nonce_salt" => "testkey"
+                                           ),
+                        "db_config" => array(
+                                             "backends" => array(
+                                                                 "default" => array(
+                                                                                    "host" => "mysql",
+                                                                                    "port" => "3306",
+                                                                                    "name" => getenv("MYSQL_DATABASE"),
+                                                                                    "user" => "root",
+                                                                                    "password" => getenv("MYSQL_ROOT_PASSWORD")
+                                                                                    )
+                                                                 )
+                                             )
+                        );
+
+$noblogs_config_json = file_get_contents('/etc/noblogs/config.json');
+if ($noblogs_config_json) {
+  $noblogs_config = json_decode($noblogs_config_json, true);
+}
 
 /**
  * The base configurations of the WordPress.