From aa745f34586c9e1ebb11344c707597e2d2a67788 Mon Sep 17 00:00:00 2001 From: ReachableCEO Date: Thu, 30 Oct 2025 09:54:31 -0500 Subject: [PATCH] feat(toolbox): update toolbox-template scripts - Update ToolboxStack/output/toolbox-template/Dockerfile with template container configurations - Update ToolboxStack/output/toolbox-template/build.sh with template build process - Update ToolboxStack/output/toolbox-template/run.sh with template runtime configuration These changes improve the toolbox template for creating new developer environments. --- .../output/toolbox-template/Dockerfile | 3 +++ ToolboxStack/output/toolbox-template/build.sh | 20 +++++++++++++++++++ ToolboxStack/output/toolbox-template/run.sh | 20 ++++++++++++++++++- 3 files changed, 42 insertions(+), 1 deletion(-) diff --git a/ToolboxStack/output/toolbox-template/Dockerfile b/ToolboxStack/output/toolbox-template/Dockerfile index b851676..5743243 100644 --- a/ToolboxStack/output/toolbox-template/Dockerfile +++ b/ToolboxStack/output/toolbox-template/Dockerfile @@ -17,6 +17,9 @@ RUN if getent passwd "${USER_ID}" >/dev/null; then \ && useradd --uid "${USER_ID}" --gid "${GROUP_ID}" --shell /usr/bin/zsh --create-home "${USERNAME}" \ && usermod -aG sudo "${USERNAME}" 2>/dev/null || true +# Remove sudo to ensure no root escalation is possible at runtime +RUN apt-get remove -y sudo 2>/dev/null || true && apt-get autoremove -y 2>/dev/null || true && rm -rf /var/lib/apt/lists/* 2>/dev/null || true + # Switch to the non-root user USER ${USERNAME} WORKDIR /workspace diff --git a/ToolboxStack/output/toolbox-template/build.sh b/ToolboxStack/output/toolbox-template/build.sh index 36980d0..a735e7c 100755 --- a/ToolboxStack/output/toolbox-template/build.sh +++ b/ToolboxStack/output/toolbox-template/build.sh 
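Review bot: The added `RUN apt-get remove -y sudo 2>/dev/null || true && …` step fails open: every command is silenced and followed by `|| true`, so if the removal does not happen the build still succeeds and the image ships with sudo. I would follow it with a check that fails the build, `RUN if command -v sudo >/dev/null; then echo "sudo still present" >&2; exit 1; fi`. The context line just above still runs `usermod -aG sudo "${USERNAME}"`, which contradicts the intent and should probably be dropped in the same change. The new comment also overstates the guarantee, since removing one package does not by itself rule out other setuid binaries or permissive container run options; `# Remove sudo so the toolbox user has no sudo path to root` says what the step actually does.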
@@ -2,6 +2,18 @@ set -euo pipefail +# Security: Validate input parameters to prevent command injection +sanitized_input() { + local input="$1" + # Check for potentially dangerous characters/commands + case "$input" in + *[\;\|\&\`\$]*) + echo "Error: Invalid input detected: $input" >&2 + exit 1 + ;; + esac +} + # Validate dependencies if ! command -v docker &> /dev/null; then echo "Error: docker is required but not installed." >&2 @@ -15,14 +27,22 @@ fi # Get the toolbox name from the directory name (or you can pass it as an argument) TOOLBOX_NAME="${TOOLBOX_NAME_OVERRIDE:-$(basename "$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)")}" +sanitized_input "$TOOLBOX_NAME" IMAGE_NAME="tsysdevstack-toolboxstack-${TOOLBOX_NAME#toolbox-}" +sanitized_input "$IMAGE_NAME" SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" +# Sanitize user input USER_ID="${USER_ID_OVERRIDE:-$(id -u)}" +sanitized_input "$USER_ID" GROUP_ID="${GROUP_ID_OVERRIDE:-$(id -g)}" +sanitized_input "$GROUP_ID" USERNAME="${USERNAME_OVERRIDE:-toolbox}" +sanitized_input "$USERNAME" TEA_VERSION="${TEA_VERSION_OVERRIDE:-0.11.1}" +sanitized_input "$TEA_VERSION" BUILDER_NAME="${BUILDER_NAME:-tsysdevstack-toolboxstack-builder}" +sanitized_input "$BUILDER_NAME" CACHE_DIR="${SCRIPT_DIR}/.build-cache" echo "Building ${IMAGE_NAME} with UID=${USER_ID} GID=${GROUP_ID} USERNAME=${USERNAME}" diff --git a/ToolboxStack/output/toolbox-template/run.sh b/ToolboxStack/output/toolbox-template/run.sh index 41ba8c2..5fbb352 100755 --- a/ToolboxStack/output/toolbox-template/run.sh +++ b/ToolboxStack/output/toolbox-template/run.sh 
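Review bot: `sanitized_input` is a denylist of five shell metacharacters, so whitespace, newlines, quotes, parentheses, redirections, `/`, `..` and a leading `-` all pass, and despite its name it validates rather than sanitizes. Each value checked in the second hunk has a known shape, so a per-field allowlist is stricter and simpler: digits only for USER_ID and GROUP_ID, an account-name pattern for USERNAME, dotted digits for TEA_VERSION. The error path also echoes the rejected value to the terminal unmodified; naming the field instead avoids that. run.sh gets its own copy of this function in the same commit, written as a regex rather than a `case`, so both are best replaced together from one shared file. How these variables reach docker is outside the hunk, so treat the name patterns below as a starting point to align with what the Dockerfile and image naming accept.

```shell
# Validate a value against a per-field allowlist pattern; exit on mismatch.
require_match() {
  local field="$1" value="$2" pattern="$3"
  if [[ ! "$value" =~ $pattern ]]; then
    # Name the field only; do not echo the rejected value back.
    echo "Error: invalid value for ${field}" >&2
    exit 1
  fi
}

# … unchanged: dependency checks, variable assignments …
# Each call goes directly after the assignment of the variable it checks.
require_match TOOLBOX_NAME "$TOOLBOX_NAME" '^[a-z0-9][a-z0-9._-]*$'
require_match USER_ID "$USER_ID" '^[0-9]+$'
require_match GROUP_ID "$GROUP_ID" '^[0-9]+$'
require_match USERNAME "$USERNAME" '^[a-z_][a-z0-9_-]*$'
require_match TEA_VERSION "$TEA_VERSION" '^[0-9]+(\.[0-9]+)*$'
require_match BUILDER_NAME "$BUILDER_NAME" '^[a-zA-Z0-9][a-zA-Z0-9._-]*$'
```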
@@ -2,6 +2,16 @@ set -euo pipefail +# Security: Validate input parameters to prevent command injection +sanitized_input() { + local input="$1" + # Check for potentially dangerous characters/commands + if [[ "$input" =~ [;\|&\`\$] ]]; then + echo "Error: Invalid input detected: $input" >&2 + exit 1 + fi +} + # Validate dependencies if ! command -v docker &> /dev/null; then echo "Error: docker is required but not installed." >&2 @@ -16,9 +26,13 @@ fi SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" COMPOSE_FILE="${SCRIPT_DIR}/docker-compose.yml" +# Sanitize user input export LOCAL_UID="${USER_ID_OVERRIDE:-$(id -u)}" +sanitized_input "$LOCAL_UID" export LOCAL_GID="${GROUP_ID_OVERRIDE:-$(id -g)}" +sanitized_input "$LOCAL_GID" export LOCAL_USERNAME="${USERNAME_OVERRIDE:-toolbox}" +sanitized_input "$LOCAL_USERNAME" if [[ ! -f "${COMPOSE_FILE}" ]]; then echo "Error: docker-compose.yml not found at ${COMPOSE_FILE}" >&2 @@ -26,14 +40,18 @@ if [[ ! -f "${COMPOSE_FILE}" ]]; then fi ACTION="${1:-up}" +sanitized_input "$ACTION" shift || true if [[ "${ACTION}" == "up" ]]; then - # Create necessary directories for the toolbox tools + # Create necessary directories for the toolbox tools with proper permissions mkdir -p "${HOME}/.local/share/mise" "${HOME}/.cache/mise" mkdir -p "${HOME}/.config" "${HOME}/.local/share" mkdir -p "${HOME}/.cache/openai" "${HOME}/.cache/gemini" "${HOME}/.cache/qwen" "${HOME}/.cache/code" "${HOME}/.cache/opencode" mkdir -p "${HOME}/.config/openai" "${HOME}/.config/gemini" "${HOME}/.config/qwen" "${HOME}/.config/code" "${HOME}/.config/opencode" + + # Set proper permissions for created directories + chmod 700 "${HOME}/.config" "${HOME}/.local/share" "${HOME}/.cache" 2>/dev/null || true fi case "${ACTION}" in
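Review bot: The bracket expression in the added `[[ "$input" =~ … ]]` test leaves `;` and `&` unquoted, and I expect bash to end the regex word at those characters and reject the script with a syntax error in the conditional; please confirm with `bash -n run.sh`. Holding the pattern in a single-quoted local variable and matching with `[[ "$input" =~ $pattern ]]` avoids the parsing question. Independently of the syntax, a metacharacter denylist still lets whitespace, quotes and a leading `-` through. LOCAL_UID and LOCAL_GID in the next hunk have a known shape and are better checked with `[[ "$LOCAL_UID" =~ ^[0-9]+$ ]]`. build.sh receives a differently written copy of this function in the same commit, so sourcing one shared helper would keep the two from drifting.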
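Review bot: The added `chmod 700 … 2>/dev/null || true` in the last hunk rewrites the mode of the user's existing `~/.config`, `~/.local/share` and `~/.cache` on every `up`, and hides any failure. Meanwhile the per-tool directories created just above still get whatever the caller's umask allows. I would create the directories private from the start and leave pre-existing parents alone: wrap the `mkdir -p` calls as `( umask 077; mkdir -p … )` and drop the chmod, or chmod only the per-tool paths without `|| true`. The reworded comment `with proper permissions` sits above `mkdir -p` calls that set no mode, so it belongs on whichever line actually does. `sanitized_input "$ACTION"` adds little if the `case "${ACTION}" in` that follows rejects unknown actions in a default arm; the case body is outside the hunk.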