Merge pull request #43 from flyingrobots/task/container-hardening

flyingrobots · web-flow · commit cac8e5ecd70b · 2025-10-24T17:42:50.000-07:00
task/container hardening
diff --git a/ACTIVITY.log.jsonl b/ACTIVITY.log.jsonl
@@ -63,6 +63,10 @@
 {"who": "AGENT", "what": "Taught activity validation about custom formats", "where": ["tools/lint/validate_activity_log.sh"], "when": "2025-10-23T23:56:59Z", "why": "Re-adding format: uri broke ajv until we told it to ignore unknown formats", "how": "Passed --unknown-format ignore to ajv-cli so the schema stays strict while CI stays happy", "protip": "When ajv whines about formats, appease it with the flag instead of dumbing down the schema"}
 {"who": "AGENT", "what": "Tweaked the ajv flag spelling", "where": ["tools/lint/validate_activity_log.sh"], "when": "2025-10-23T23:57:38Z", "why": "Turns out the CLI wants --unknown-formats, not --unknown-format", "how": "Swapped the flag and re-ran make activity-validate", "protip": "If a CLI yells about unknown options, double-check the pluralization"}
 {"who": "AGENT", "what": "Settled on ajv --strict=false", "where": ["tools/lint/validate_activity_log.sh"], "when": "2025-10-23T23:58:32Z", "why": "ajv-cli 5 ignores both unknown-format flags; loosening strict mode stops the warning without gutting schema", "how": "Swapped to --strict=false after experimenting with the missing options", "protip": "Sometimes the older CLI just wants strict mode off—document it and move on"}
+{"who": "AGENT", "what": "Starting container safety follow-up", "where": ["tools/container/invoke.sh", "tools/container/run-matrix.sh", "tools/lint/clang_format_check.sh"], "when": "2025-10-24T01:08:53Z", "why": "New feedback landed post-merge; need fresh branch off origin/main", "how": "Preparing to fetch main and branch for hardening work", "protip": "Always reset the slate before opening a new PR"}
+{"who": "AGENT", "what": "Guarded container invoke paths", "where": ["tools/container/invoke.sh"], "when": "2025-10-24T01:10:23Z", "why": "rm -rf needed hard walls around WORK_ROOT/JOB_NAME and fixture script must exist", "how": "Resolved paths with python3, rejected traversal patterns, and verified the fixture helper before execution", "protip": "Never trust environment-sourced directories—canonicalize and fence them"}
+{"who": "AGENT", "what": "Tuned matrix runner for safer docker orchestration", "where": ["tools/container/run-matrix.sh"], "when": "2025-10-24T01:11:48Z", "why": "Reviewer wanted docker presence checks, optional builds, and safer parsing", "how": "Added docker availability guard, optional pull/build flow, newline-based config parsing, sanitized command construction, and explicit rc handling", "protip": "When configs might grow spaces, switch to newline-delimited records and read -r"}
+{"who": "AGENT", "what": "Stopped clang-format checks from splitting filenames", "where": ["tools/lint/clang_format_check.sh"], "when": "2025-10-24T01:12:47Z", "why": "Shell feedback pointed out the loop exploded on spaces", "how": "Swapped git ls-files output into a mapfile array and iterated with quoted elements", "protip": "git ls-files + mapfile is the fastest way to get a safe filename array"}
 {"who": "AGENT", "what": "Starting clang-tidy remediation", "where": ["tools/lint/run_clang_tidy.sh"], "when": "2025-10-24T03:19:19Z", "why": "Need baseline before tackling warnings", "how": "Preparing to run clang-tidy with verbose output", "protip": "Count and categorize warnings before you start hammering"}
 {"who": "AGENT", "what": "De-noised clang-tidy", "where": [".clang-tidy"], "when": "2025-10-24T03:30:34Z", "why": "System headers were triggering thousands of style errors", "how": "Trimmed problematic readability/identifier checks from .clang-tidy and reran make lint", "protip": "When tidy screams at libc, prune the checks until the noise floor hits zero"}
 {"who": "AGENT", "what": "Debrief request acknowledged", "where": ["ACTIVITY.log.jsonl"], "when": "2025-10-24T10:22:09Z", "why": "Closing out the clang-tidy cleanup session", "how": "Ready to summarize findings and next steps for the branch", "protip": "Keep the ledger current even when the work shifts to review"}
diff --git a/tools/container/invoke.sh b/tools/container/invoke.sh
@@ -10,11 +10,62 @@ TARGET="$1"
 shift
 
 SRC_DIR="${SRC_DIR:-/workspace}"
-WORK_ROOT="${WORK_ROOT:-/tmp/libgitledger}" 
+WORK_ROOT_RAW="${WORK_ROOT:-/tmp/libgitledger}"
 JOB_NAME="${LIBGITLEDGER_MATRIX_JOB:-matrix}"
-TARGET_DIR="${WORK_ROOT}/${JOB_NAME}"
 
-rm -rf "${TARGET_DIR}"
+if [[ -z "${JOB_NAME}" ]]; then
+    echo "invoke: LIBGITLEDGER_MATRIX_JOB must not be empty" >&2
+    exit 1
+fi
+
+if [[ "${JOB_NAME}" == .* || "${JOB_NAME}" == *".."* || "${JOB_NAME}" == */* || "${JOB_NAME}" == *\\* ]]; then
+    echo "invoke: unsafe job name '${JOB_NAME}'" >&2
+    exit 1
+fi
+
+if ! command -v python3 >/dev/null 2>&1; then
+    echo "invoke: python3 is required to resolve WORK_ROOT" >&2
+    exit 1
+fi
+
+WORK_ROOT="$(python3 - "$WORK_ROOT_RAW" <<'PY'
+import os
+import sys
+work_root = sys.argv[1]
+resolved = os.path.abspath(work_root)
+print(resolved)
+PY
+)"
+
+if [[ -z "${WORK_ROOT}" || "${WORK_ROOT}" != /* ]]; then
+    echo "invoke: WORK_ROOT must resolve to an absolute path" >&2
+    exit 1
+fi
+
+if [[ "${WORK_ROOT}" == "/" ]]; then
+    echo "invoke: refusing to operate on root directory" >&2
+    exit 1
+fi
+
+TARGET_DIR="$(python3 - "$WORK_ROOT" "$JOB_NAME" <<'PY'
+import os
+import sys
+base = sys.argv[1]
+job = sys.argv[2]
+print(os.path.abspath(os.path.join(base, job)))
+PY
+)"
+
+case "${TARGET_DIR}" in
+    "${WORK_ROOT}"|${WORK_ROOT}/*)
+        ;;
+    *)
+        echo "invoke: resolved target '${TARGET_DIR}' escapes work root '${WORK_ROOT}'" >&2
+        exit 1
+        ;;
+esac
+
+rm -rf -- "${TARGET_DIR}"
 mkdir -p "${TARGET_DIR}"
 
 rsync -a --delete \
@@ -42,6 +93,21 @@ fi
 
 export LIBGITLEDGER_SANDBOX_ROOT="${TARGET_DIR}/.container-fixtures"
 mkdir -p "${LIBGITLEDGER_SANDBOX_ROOT}"
-"${SRC_DIR}/tools/testing/prepare-fixtures.sh" "${LIBGITLEDGER_SANDBOX_ROOT}"
+
+FIXTURE_SCRIPT="${SRC_DIR}/tools/testing/prepare-fixtures.sh"
+
+if [[ ! -f "${FIXTURE_SCRIPT}" ]]; then
+    echo "invoke: fixture script not found at ${FIXTURE_SCRIPT}" >&2
+    exit 1
+fi
+
+if [[ ! -x "${FIXTURE_SCRIPT}" ]]; then
+    if ! chmod +x "${FIXTURE_SCRIPT}" 2>/dev/null; then
+        echo "invoke: unable to mark fixture script executable (${FIXTURE_SCRIPT})" >&2
+        exit 1
+    fi
+fi
+
+"${FIXTURE_SCRIPT}" "${LIBGITLEDGER_SANDBOX_ROOT}"
 
 make "${TARGET}" "$@"
diff --git a/tools/container/run-matrix.sh b/tools/container/run-matrix.sh
@@ -13,12 +13,25 @@ SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 REPO_ROOT="$(cd "${SCRIPT_DIR}/../.." && pwd)"
 IMAGE_NAME="${LIBGITLEDGER_CONTAINER_IMAGE:-libgitledger-ci:latest}"
 
-echo "[container] Building image ${IMAGE_NAME}"
-docker build -t "${IMAGE_NAME}" -f "${SCRIPT_DIR}/Dockerfile" "${REPO_ROOT}"
+if ! command -v docker >/dev/null 2>&1; then
+    echo "[container] ERROR: docker is required" >&2
+    exit 1
+fi
+
+if [[ "${LIBGITLEDGER_SKIP_BUILD:-0}" == "1" ]]; then
+    echo "[container] Skipping image build because LIBGITLEDGER_SKIP_BUILD=1"
+else
+    echo "[container] Ensuring image ${IMAGE_NAME} is available"
+    docker pull "${IMAGE_NAME}" >/dev/null 2>&1 || true
+    if ! docker image inspect "${IMAGE_NAME}" >/dev/null 2>&1; then
+        echo "[container] Building image ${IMAGE_NAME}"
+        docker build -t "${IMAGE_NAME}" -f "${SCRIPT_DIR}/Dockerfile" "${REPO_ROOT}"
+    fi
+fi
 
 matrix_configs=(
-    "name=gcc-14 cc=gcc-14 cxx=g++-14 run_tidy=1"
-    "name=clang-18 cc=clang cxx=clang++ run_tidy=0"
+    $'name=gcc-14\ncc=gcc-14\ncxx=g++-14\nrun_tidy=1'
+    $'name=clang-18\ncc=clang\ncxx=clang++\nrun_tidy=0'
 )
 
 max_jobs="${LIBGITLEDGER_MATRIX_JOBS:-0}"
@@ -35,7 +48,8 @@ start_job() {
     local cxx=""
     local run_tidy="1"
 
-    for pair in ${config}; do
+    while IFS= read -r pair; do
+        [[ -z "${pair}" ]] && continue
         local key="${pair%%=*}"
         local value="${pair#*=}"
         case "${key}" in
@@ -44,7 +58,7 @@ start_job() {
             cxx) cxx="${value}" ;;
             run_tidy) run_tidy="${value}" ;;
         esac
-    done
+    done <<< "${config}"
 
     if [[ -z "${name}" ]]; then
         echo "[container] ERROR: matrix entry missing name" >&2
@@ -56,7 +70,9 @@ start_job() {
         return 2
     fi
 
-    local docker_cmd="/workspace/tools/container/invoke.sh $(printf '%q' "${TARGET}")"
+    local target_escaped
+    target_escaped=$(printf '%q' "${TARGET}")
+    local docker_cmd="/workspace/tools/container/invoke.sh ${target_escaped}"
     for arg in "$@"; do
         docker_cmd+=" $(printf '%q' "${arg}")"
     done
@@ -100,8 +116,14 @@ wait_for_oldest_job() {
 
 for config in "${matrix_configs[@]}"; do
     if start_job "${config}" "$@"; then
+        rc=0
+    else
+        rc=$?
+    fi
+
+    if [[ ${rc} -eq 0 ]]; then
         :
-    elif [[ $? -eq 2 ]]; then
+    elif [[ ${rc} -eq 2 ]]; then
         continue
     else
         status=1
@@ -118,4 +140,3 @@ while [[ ${#job_pids[@]} -gt 0 ]]; do
 done
 
 exit "${status}"
-
diff --git a/tools/lint/clang_format_check.sh b/tools/lint/clang_format_check.sh
@@ -2,13 +2,13 @@
 set -euo pipefail
 
 format_bin="${1:-clang-format}"
-files=$(git ls-files '*.c' '*.h')
+mapfile -t files < <(git ls-files '*.c' '*.h')
 
-if [ -z "${files}" ]; then
+if [[ ${#files[@]} -eq 0 ]]; then
   echo "clang-format: no C sources to check"
   exit 0
 fi
 
-for file in ${files}; do
+for file in "${files[@]}"; do
   "${format_bin}" --dry-run --Werror "${file}"
 done
