# CVE-2026-42945 ("NGINX Rift") — vulnerable NGINX build.
#
# Builds nginx from the upstream git tree at the pre-fix commit 98fc3bb78
# (1.30.0 era), which still lacks the `e->is_args = 0;` reset in
# ngx_http_script_regex_end_code(). Source is built unmodified.
#
# This image MUST be built/run as linux/amd64: the public PoC hardcodes
# x86-64 HEAP/LIBC/system() addresses, so the worker must be x86-64.
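FROM --platform=linux/amd64 ubuntu:22.04
# NOTE(review): the 22.04 tag is mutable, so two builds on different days can
# pull different userland package revisions. For a reproducible test bed, pin
# the base by digest (ubuntu:22.04@sha256:<digest>) once a known-good image
# has been identified.

# Build-time only: keeps apt/debconf from prompting during the RUN steps below.
# Declared as ARG rather than ENV so it is not carried into the environment of
# the running container.
ARG DEBIAN_FRONTEND=noninteractive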

# OS packages, listed alphabetically so additions and removals diff cleanly:
#   gcc, make                              - compile nginx
#   libpcre2-dev, libssl-dev, zlib1g-dev   - PCRE (regex/rewrite), OpenSSL, zlib
#   git, ca-certificates                   - HTTPS clone of the nginx source
#   util-linux                             - provides `setarch` (ASLR-off launch)
#   python3                                - runs the proxy backend
#   curl                                   - not used in this file; presumably
#                                            for entrypoint.sh or manual checks
# The apt package lists are removed in the same layer so they are not shipped.
RUN apt-get update \
    && apt-get install --yes --no-install-recommends \
        ca-certificates \
        curl \
        gcc \
        git \
        libpcre2-dev \
        libssl-dev \
        make \
        python3 \
        util-linux \
        zlib1g-dev \
    && rm -rf /var/lib/apt/lists/*

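# Fetch the nginx source and check out the pinned pre-fix commit. The tree is
# built as-is; no patches are applied.
#
# NGINX_COMMIT must be a commit hash (lowercase hex, full or abbreviated), not
# a branch or tag name. After checkout the resolved HEAD is compared against
# it and the build fails on a mismatch, so a same-named ref or a moving branch
# cannot silently change which source gets built. The full resolved hash is
# printed to the build log and remains queryable via
# `git -C /nginx-src rev-parse HEAD`.
# NOTE(review): the default is an abbreviated hash; replacing it with the full
# 40-character value (<full-commit-sha>) makes the pin unambiguous.
ARG NGINX_COMMIT=98fc3bb78
RUN git clone https://github.com/nginx/nginx.git /nginx-src \
    && git -C /nginx-src checkout --detach "${NGINX_COMMIT}" \
    && resolved="$(git -C /nginx-src rev-parse HEAD)" \
    && case "${resolved}" in \
        "${NGINX_COMMIT}"*) echo "nginx source pinned at ${resolved}" ;; \
        *) echo "HEAD ${resolved} does not match NGINX_COMMIT=${NGINX_COMMIT}" >&2; exit 1 ;; \
    esac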

# Compile the checked-out tree in place (objects land in /nginx-src/build).
# According to the lab's author these options mirror the upstream PoC
# environment: debug info, -O2 with frame pointers retained, and full RELRO at
# link time (-z relro -z now). No hardening flag is added or disabled here, so
# the distribution compiler's own defaults still apply.
# NOTE(review): inspect the built binary if the exact mitigation set matters.
WORKDIR /nginx-src
RUN ./auto/configure \
        --builddir=build \
        --with-http_ssl_module \
        --with-http_v2_module \
        --with-cc-opt='-g -O2 -fno-omit-frame-pointer' \
        --with-ld-opt='-Wl,-z,relro -Wl,-z,now' \
    && make -j"$(nproc)"

# Runtime layout under /app: the nginx config, the Python backend and the
# launcher script, plus working directories for logs and temp files.
WORKDIR /app
COPY nginx.conf backend.py entrypoint.sh ./

# /app/marker is the directory the PoC's command is expected to write into.
# It is the only path given mode 1777 (world-writable, sticky bit), so it is
# writable by whatever identity the nginx worker runs as. The original comment
# says entrypoint.sh empties it on every boot so no artifact is pre-planted;
# that script is not visible here.
RUN mkdir -p logs tmp /app/marker \
    && chmod 1777 /app/marker \
    && chmod +x entrypoint.sh

# EXPOSE only documents the listener; the port is reachable from outside the
# container only if it is published at run time. Since this build is
# intentionally left unpatched, publish it on loopback or an isolated network
# (for example `-p 127.0.0.1:19321:19321`).
EXPOSE 19321

# No USER instruction precedes this, so entrypoint.sh starts as root; whether
# it drops privileges for the nginx worker depends on the script and nginx.conf.
ENTRYPOINT ["/app/entrypoint.sh"]
