services:
  # Deliberately vulnerable Hubble UI: nginx reverse proxy + stub /api backend,
  # built from the local Dockerfile (not shown in this file).
  # Origin A (the Hubble UI origin): http://127.0.0.1:8081
  hubble-ui:
    build:
      context: .
      dockerfile: Dockerfile
    container_name: cve-2025-23047-hubble-ui
    ports:
      # Published on the host loopback only, so the vulnerable service is not
      # reachable from other machines. Keep the 127.0.0.1 prefix.
      - "127.0.0.1:8081:8081"
    networks:
      - cve-net
    healthcheck:
      # Runs inside the container. Assumes the built image ships curl and
      # serves /healthz on port 8081 - confirm against the Dockerfile.
      test: ["CMD", "curl", "-fsS", "http://127.0.0.1:8081/healthz"]
      interval: 5s
      timeout: 3s
      retries: 10

  # Attacker-controlled web origin, DISTINCT from the Hubble UI origin so the
  # browser treats requests to hubble-ui as cross-origin.
  # Origin B (the attacker origin): http://127.0.0.1:8088
  # Caveat: A and B differ only by port. That makes them cross-origin but still
  # same-site, and cookies are not scoped by port, so any cookie/SameSite
  # behaviour seen here does not model a page hosted on an unrelated domain.
  attacker:
    # Pinned by tag only, and tags are mutable. Append @sha256:<digest>
    # (placeholder) to make the lab image reproducible.
    image: nginx:1.27.3-bookworm
    container_name: cve-2025-23047-attacker
    ports:
      # Loopback-only publish: container port 80 is exposed as host port 8088.
      - "127.0.0.1:8088:80"
    volumes:
      # Static pages are mounted read-only (:ro), so the container cannot
      # modify the host directory.
      - ./config/attacker:/usr/share/nginx/html:ro
    networks:
      - cve-net
    healthcheck:
      # Runs inside the container and relies on curl being present in the
      # image.
      test: ["CMD", "curl", "-fsS", "http://127.0.0.1:80/"]
      interval: 5s
      timeout: 3s
      retries: 10

# User-defined bridge shared by both services. It is not marked `internal`,
# so the containers keep outbound network access. Reachability from outside
# the host is limited only by the 127.0.0.1 port bindings on each service.
networks:
  cve-net:
    driver: bridge
