|
|
@@ -644,6 +644,63 @@
|
|
|
it into the published image. Test fixtures and `bin/console` are
|
|
|
also available to any future LFI / arbitrary-file-read primitive.
|
|
|
- **Severity: 2**
|
|
|
+- **Status:** Fixed in `96eaa10`. `api/.dockerignore` and
|
|
|
+ `ui/.dockerignore` now apply to both build contexts and explicitly
|
|
|
+ exclude:
|
|
|
+
|
|
|
+ - `.env` / `.env.*` — the central F19 concern. Compose loads `.env`
|
|
|
+ from the repo root (outside both build contexts), so nothing here
|
|
|
+ is needed at runtime; blocking the pattern outright keeps any
|
|
|
+ future stray secret file from shipping in the image.
|
|
|
+ - `tests/` — fixtures and integration scaffolding that doubles as
|
|
|
+ LFI surface area.
|
|
|
+ - Dev-tooling caches and configs: `.phpunit.cache/`,
|
|
|
+ `.phpunit.result.cache`, `.phpstan.cache/`, `.php-cs-fixer.cache`,
|
|
|
+ `.php-cs-fixer.dist.php`, `phpstan.neon`, `phpunit.xml`.
|
|
|
+ - VCS / editor noise: `.git`, `.gitignore`, `.gitattributes`,
|
|
|
+ `.idea/`, `.vscode/`, `*.swp`, `*~`, `.DS_Store`.
|
|
|
+ - `CHANGELOG.md`, `Dockerfile`, `.dockerignore`, `.claude/`.
|
|
|
+ - `vendor/` (both subprojects) and `node_modules/` (ui) — the
|
|
|
+ multi-stage builds install clean copies in the `deps`/`assets`
|
|
|
+ stages and pull them in via `COPY --from=...`. Excluding the
|
|
|
+ host copies also fixes a subtle bug: in
|
|
|
+ `api/Dockerfile:30-31` and `ui/Dockerfile:36-37`, the
|
|
|
+ `COPY --from=deps /app/vendor ./vendor` line is followed
|
|
|
+ immediately by `COPY . ./`, which would have clobbered the
|
|
|
+ deps-stage vendor with whatever the host had (typically a
|
|
|
+ `composer install`-with-dev tree).
|
|
|
+
|
|
|
+ Things that ARE needed at runtime stay in the context: `src/`,
|
|
|
+ `public/`, `config/`, `docker/`, `composer.json`, `composer.lock`;
|
|
|
+ api also keeps `db/migrations/`, `db/seeds/`, `bin/console`, and
|
|
|
+ `openapi.php`; ui also keeps `resources/` (Twig views are loaded
|
|
|
+ at runtime, and `resources/css|js/` are consumed by the assets
|
|
|
+ stage). The ui `package.json`, `package-lock.json`,
|
|
|
+ `tailwind.config.js`, and `postcss.config.js` are kept because the
|
|
|
+ assets stage references them by name — `.dockerignore` applies to
|
|
|
+ every stage that shares the same context, so excluding them would
|
|
|
+ break `npx tailwindcss` / `npx esbuild`. They are tiny and
|
|
|
+ non-sensitive.
|
|
|
+
|
|
|
+ `bin/console` (api) is intentionally retained — `entrypoint.sh`
|
|
|
+ invokes `php bin/console auth:bootstrap-service-token` on every
|
|
|
+ api start, and `phinx migrate` plus the seeders run from the
|
|
|
+ `migrate` mode. Removing them would break startup; the LFI-surface
|
|
|
+ concern is mitigated by F18 (image runs as uid 1000, source tree
|
|
|
+ is root-owned and read-only to the runtime user) and tracked
|
|
|
+ further by F20.
|
|
|
+
|
|
|
+ Verification: rebuilt both images; confirmed the excluded paths
|
|
|
+ (tests, dev caches, `.dockerignore`, `Dockerfile`, `.git`, ui
|
|
|
+ `node_modules`) are absent from `/app/` in the final images and
|
|
|
+ the runtime-required paths (`src`, `public`, `config`,
|
|
|
+ `db/migrations`, `db/seeds`, `bin/console`, `vendor`, `docker`,
|
|
|
+ `openapi.php`, ui `resources/views`, ui
|
|
|
+ `public/assets/{app.css,app.js,logo.svg}`) are present. api
|
|
|
+ phpunit is 429/430 — the lone failure is the timing-sensitive
|
|
|
+ `BlocklistPerfTest::test50kEntriesUnder500Ms` perf-budget
|
|
|
+ assertion (628 ms vs 500 ms budget), unrelated to this change. ui
|
|
|
+ phpunit is 134/134.
|
|
|
|
|
|
### F20 — Application source is writable by the process serving requests
|
|
|
- **Files:** `api/Dockerfile:36-38`, `ui/Dockerfile:42`
|
chiappa