From dbb7e49ab670cb7daf1ecbbdb2c6035d06482a6f Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 15 May 2026 20:06:10 +0000
Subject: [PATCH 1/2] Initial plan

From 047a17a3459378de07c1a2a94815b88828ace504 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 15 May 2026 20:08:13 +0000
Subject: [PATCH 2/2] security: harden Docker runtime file ownership (docker:S6504)

Copy runtime artefacts as root:root and apply chmod -R a-w /app so the non-root runtime user cannot modify deployed application files.

- apps/app-frontend/Dockerfile: COPY --chown=root:root + chmod -R a-w /app
- apps/marketing-site/Dockerfile: COPY --chown=root:root + chmod -R a-w /app
- services/core-api/src/Curvit.Api/Dockerfile: COPY --chown=root:root + chmod -R a-w /app + move USER appuser after chmod

Each service's ephemeral write needs (uploads, temp buffers) are satisfied by the world-writable /tmp mount; no /app path requires runtime write access.

Agent-Logs-Url: https://github.com/NickLetts2/Curvit/sessions/5b834229-6f26-48e1-a7bb-3e840815643f
Co-authored-by: NickLetts2 <90337962+NickLetts2@users.noreply.github.com>
---
 apps/app-frontend/Dockerfile | 10 +++++++---
 apps/marketing-site/Dockerfile | 8 ++++++--
 services/core-api/src/Curvit.Api/Dockerfile | 7 ++++++-
 3 files changed, 19 insertions(+), 6 deletions(-)

diff --git a/apps/app-frontend/Dockerfile b/apps/app-frontend/Dockerfile
index da3314c8..66a1d88f 100644
--- a/apps/app-frontend/Dockerfile
+++ b/apps/app-frontend/Dockerfile
@@ -39,9 +39,13 @@ RUN addgroup -S appgroup && adduser -S appuser -G appgroup
 # In Docker the workspace root has no apps/package.json so Next.js sets
 # outputFileTracingRoot to the app directory — standalone output lands
 # directly at .next/standalone/server.js (no subdirectory nesting).
-COPY --from=builder --chown=appuser:appgroup /repo/apps/app-frontend/.next/standalone ./
-COPY --from=builder --chown=appuser:appgroup /repo/apps/app-frontend/.next/static ./.next/static
-COPY --from=builder --chown=appuser:appgroup /repo/apps/app-frontend/public ./public
+# Files are owned by root so the runtime user cannot tamper with deployed artefacts.
+COPY --from=builder --chown=root:root /repo/apps/app-frontend/.next/standalone ./
+COPY --from=builder --chown=root:root /repo/apps/app-frontend/.next/static ./.next/static
+COPY --from=builder --chown=root:root /repo/apps/app-frontend/public ./public
+# Remove write permission for all users on application files (immutable container).
+# Next.js standalone only needs /tmp for any ephemeral writes, which is world-writable.
+RUN chmod -R a-w /app
 
 USER appuser
 EXPOSE 3000
diff --git a/apps/marketing-site/Dockerfile b/apps/marketing-site/Dockerfile
index cb66d1cd..b91ef42b 100644
--- a/apps/marketing-site/Dockerfile
+++ b/apps/marketing-site/Dockerfile
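Review bot: `RUN chmod -R a-w /app`, run in its own layer after the three root-owned COPYs, rewrites the mode of every file under /app, which on overlay2-backed builders (metacopy is off by default) copies each file up into the new layer, so the standalone bundle is stored roughly twice in the image; the marketing-site hunk does the same over node_modules and the core-api hunk over the publish output. What the chmod buys is small: with `--chown=root:root` and the builder's modes carried over by COPY (typically no group/other write), appuser already cannot write these files, and removing root's own write bit does not restrain a root process, which bypasses DAC. If the goal is an immutable container, the enforcement that actually holds is a read-only root filesystem at run time (`--read-only` / `readOnlyRootFilesystem` with a tmpfs at /tmp), and I would say so in the comment rather than `(immutable container)`, or drop the chmod and keep only the ownership change that satisfies docker:S6504. Separately, `# Next.js standalone only needs /tmp for any ephemeral writes` is not true of every Next.js app: next/image optimisation and ISR write under `.next/cache` inside the app directory, so if this frontend uses either, it will now fail with EACCES at runtime — worth verifying before merge or pointing that cache at a writable location.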
@@ -28,8 +28,12 @@ RUN apk upgrade --no-cache && \
 /usr/local/bin/corepack
 
 RUN addgroup -S appgroup && adduser -S appuser -G appgroup
-COPY --from=builder --chown=appuser:appgroup /app/dist ./dist
-COPY --from=builder --chown=appuser:appgroup /app/node_modules ./node_modules
+# Files are owned by root so the runtime user cannot tamper with deployed artefacts.
+COPY --from=builder --chown=root:root /app/dist ./dist
+COPY --from=builder --chown=root:root /app/node_modules ./node_modules
+# Remove write permission for all users on application files (immutable container).
+# The Astro @astrojs/node adapter only needs /tmp for any ephemeral writes.
+RUN chmod -R a-w /app
 
 ENV NODE_ENV=production
 ENV HOST=0.0.0.0
diff --git a/services/core-api/src/Curvit.Api/Dockerfile b/services/core-api/src/Curvit.Api/Dockerfile
index 32b437c3..523a94a7 100644
--- a/services/core-api/src/Curvit.Api/Dockerfile
+++ b/services/core-api/src/Curvit.Api/Dockerfile
@@ -19,8 +19,13 @@ FROM mcr.microsoft.com/dotnet/aspnet:10.0-alpine@sha256:60eb031b554df75a4b9f3582
 WORKDIR /app
 RUN apk update && apk upgrade --no-cache && apk add --no-cache krb5-libs && \
 addgroup -S appgroup && adduser -S appuser -G appgroup
+# Files are owned by root so the runtime user cannot tamper with deployed artefacts.
+COPY --from=build --chown=root:root /app/publish .
+# Remove write permission for all users on application files (immutable container).
+# ASP.NET Core uses /tmp for ephemeral writes (e.g. form-file buffers); no
+# writable path is needed inside /app.
+RUN chmod -R a-w /app
 USER appuser
-COPY --from=build --chown=appuser:appgroup /app/publish .
 EXPOSE 5000
 ENV ASPNETCORE_URLS=http://+:5000
 ENTRYPOINT ["dotnet", "Curvit.Api.dll"]
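Review bot: The new comment in the core-api hunk, `# ASP.NET Core uses /tmp for ephemeral writes (e.g. form-file buffers)`, states the location as a fact, but ASP.NET Core's form-file buffering resolves its directory from `ASPNETCORE_TEMP` and falls back to the process temp directory, so /tmp is an assumption about how the container is run rather than a property the image guarantees. I would word it as the contract the image relies on, e.g. `# Buffered uploads go to ASPNETCORE_TEMP (default: the process temp dir, /tmp here);` followed by `# with a read-only root filesystem, mount a tmpfs at /tmp.` The reordering itself is right: `chmod -R a-w /app` needs root, and `USER appuser` now follows it.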