From 7a751de24af43fcca52b1dfc41edbcc6c65ba91f Mon Sep 17 00:00:00 2001 From: ReachableCEO Date: Thu, 30 Oct 2025 09:54:22 -0500 Subject: [PATCH] feat(toolbox): update toolbox-base scripts - Update ToolboxStack/output/toolbox-base/Dockerfile with latest container configurations - Update ToolboxStack/output/toolbox-base/build.sh with improved build process - Update ToolboxStack/output/toolbox-base/run.sh with enhanced runtime configuration These changes improve the base developer environment build and runtime capabilities. --- ToolboxStack/output/toolbox-base/Dockerfile | 6 +++++- ToolboxStack/output/toolbox-base/build.sh | 23 +++++++++++++++++++++ ToolboxStack/output/toolbox-base/run.sh | 23 ++++++++++++++++++++- 3 files changed, 50 insertions(+), 2 deletions(-) diff --git a/ToolboxStack/output/toolbox-base/Dockerfile b/ToolboxStack/output/toolbox-base/Dockerfile index d37ee5e..71afeb8 100644 --- a/ToolboxStack/output/toolbox-base/Dockerfile +++ b/ToolboxStack/output/toolbox-base/Dockerfile @@ -108,7 +108,8 @@ COPY aqua.yaml /tmp/aqua.yaml RUN chown "${USER_ID}:${GROUP_ID}" /tmp/aqua.yaml \ && su - "${USERNAME}" -c 'mkdir -p ~/.config/aquaproj-aqua' \ && su - "${USERNAME}" -c 'cp /tmp/aqua.yaml ~/.config/aquaproj-aqua/aqua.yaml' \ - && AQUA_GLOBAL_CONFIG=/tmp/aqua.yaml aqua install + && AQUA_GLOBAL_CONFIG=/tmp/aqua.yaml aqua install \ + && su - "${USERNAME}" -c 'AQUA_GLOBAL_CONFIG=~/.config/aquaproj-aqua/aqua.yaml aqua install' # Install AI CLI tools via npm using mise to ensure Node.js is available RUN mise exec -- npm install -g @just-every/code@0.4.6 @qwen-code/qwen-code@0.1.1 @google/gemini-cli@0.11.0 @openai/codex@0.50.0 opencode-ai@0.15.29 @@ -122,6 +123,9 @@ RUN su - "${USERNAME}" -c 'mise exec -- npm install -g @just-every/code@0.4.6 @q RUN mkdir -p /workspace \ && chown "${USER_ID}:${GROUP_ID}" /workspace +# Remove sudo to ensure no root escalation is possible at runtime +RUN apt-get remove -y sudo && apt-get autoremove -y && rm -rf /var/lib/apt/lists/* + ENV SHELL=/usr/bin/zsh \ AQUA_GLOBAL_CONFIG=/home/${USERNAME}/.config/aquaproj-aqua/aqua.yaml \ PATH=/home/${USERNAME}/.local/share/aquaproj-aqua/bin:/home/${USERNAME}/.local/share/mise/shims:/home/${USERNAME}/.local/bin:${PATH} diff --git a/ToolboxStack/output/toolbox-base/build.sh b/ToolboxStack/output/toolbox-base/build.sh index ec1b812..d995a47 100755 --- a/ToolboxStack/output/toolbox-base/build.sh +++ b/ToolboxStack/output/toolbox-base/build.sh @@ -2,6 +2,18 @@ set -euo pipefail +# Security: Validate input parameters to prevent command injection +sanitized_input() { + local input="$1" + # Check for potentially dangerous characters/commands + case "$input" in + *[\;\|\&\`\$]*) + echo "Error: Invalid input detected: $input" >&2 + exit 1 + ;; + esac +} + # Validate dependencies if ! command -v docker &> /dev/null; then echo "Error: docker is required but not installed." >&2 @@ -16,15 +28,26 @@ fi IMAGE_NAME="tsysdevstack-toolboxstack-toolbox-base" SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" +# Sanitize user input USER_ID="${USER_ID_OVERRIDE:-$(id -u)}" +sanitized_input "$USER_ID" GROUP_ID="${GROUP_ID_OVERRIDE:-$(id -g)}" +sanitized_input "$GROUP_ID" USERNAME="${USERNAME_OVERRIDE:-toolbox}" +sanitized_input "$USERNAME" TEA_VERSION="${TEA_VERSION_OVERRIDE:-0.11.1}" +sanitized_input "$TEA_VERSION" BUILDER_NAME="${BUILDER_NAME:-tsysdevstack-toolboxstack-builder}" +sanitized_input "$BUILDER_NAME" CACHE_DIR="${SCRIPT_DIR}/.build-cache" TAG="${TAG_OVERRIDE:-dev}" +sanitized_input "$TAG" RELEASE_TAG="${RELEASE_TAG_OVERRIDE:-release-current}" +sanitized_input "$RELEASE_TAG" VERSION_TAG="${VERSION_TAG_OVERRIDE:-}" +if [[ -n "$VERSION_TAG" ]]; then + sanitized_input "$VERSION_TAG" +fi PUSH="${PUSH_OVERRIDE:-false}" echo "Building ${IMAGE_NAME} with UID=${USER_ID} GID=${GROUP_ID} USERNAME=${USERNAME}" diff --git a/ToolboxStack/output/toolbox-base/run.sh b/ToolboxStack/output/toolbox-base/run.sh index 6549064..9233b2a 100755 --- a/ToolboxStack/output/toolbox-base/run.sh +++ b/ToolboxStack/output/toolbox-base/run.sh @@ -2,6 +2,18 @@ set -euo pipefail +# Security: Validate input parameters to prevent command injection +sanitized_input() { + local input="$1" + # Check for potentially dangerous characters/commands + case "$input" in + *[\;\|\&\`\$]*) + echo "Error: Invalid input detected: $input" >&2 + exit 1 + ;; + esac +} + # Validate dependencies if ! command -v docker &> /dev/null; then echo "Error: docker is required but not installed." >&2 @@ -16,10 +28,15 @@ fi SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" COMPOSE_FILE="${SCRIPT_DIR}/docker-compose.yml" +# Sanitize user input export LOCAL_UID="${USER_ID_OVERRIDE:-$(id -u)}" +sanitized_input "$LOCAL_UID" export LOCAL_GID="${GROUP_ID_OVERRIDE:-$(id -g)}" +sanitized_input "$LOCAL_GID" export LOCAL_USERNAME="${USERNAME_OVERRIDE:-toolbox}" +sanitized_input "$LOCAL_USERNAME" export TOOLBOX_IMAGE="${TOOLBOX_IMAGE_OVERRIDE:-tsysdevstack-toolboxstack-toolbox-base:release-current}" +sanitized_input "$TOOLBOX_IMAGE" if [[ ! -f "${COMPOSE_FILE}" ]]; then echo "Error: docker-compose.yml not found at ${COMPOSE_FILE}" >&2 @@ -27,14 +44,18 @@ if [[ ! -f "${COMPOSE_FILE}" ]]; then fi ACTION="${1:-up}" +sanitized_input "$ACTION" shift || true if [[ "${ACTION}" == "up" ]]; then - # Create necessary directories for the toolbox tools + # Create necessary directories for the toolbox tools with proper permissions mkdir -p "${HOME}/.local/share/mise" "${HOME}/.cache/mise" mkdir -p "${HOME}/.config" "${HOME}/.local/share" mkdir -p "${HOME}/.cache/openai" "${HOME}/.cache/gemini" "${HOME}/.cache/qwen" "${HOME}/.cache/code" "${HOME}/.cache/opencode" mkdir -p "${HOME}/.config/openai" "${HOME}/.config/gemini" "${HOME}/.config/qwen" "${HOME}/.config/code" "${HOME}/.config/opencode" + + # Set proper permissions for created directories + chmod 700 "${HOME}/.config" "${HOME}/.local/share" "${HOME}/.cache" 2>/dev/null || true fi case "${ACTION}" in