mirror of
https://github.com/OpenRouterTeam/spawn.git
synced 2026-05-15 01:16:50 +00:00
cfa1ae7a08
* fix(security): add --proto '=https' to all curl bun installer calls Fixes #2134 All _ensure_bun() functions across aws, hetzner, gcp, local, daytona, and sprite scripts now enforce HTTPS-only downloads via --proto '=https'. This prevents MITM attacks during bun installation on remote VMs. DigitalOcean scripts were already correct and are not changed. Agent: security-auditor Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix(security): add --proto '=https' to bun installer in TS files Address security reviewer feedback: the same MITM vulnerability existed in 5 TypeScript programmatic provisioning files. Agent: pr-maintainer Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix(security): quote --proto '=https' in su -c curl calls The aws.ts and gcp.ts files had --proto =https without quotes inside su -c '...' blocks. Uses double quotes ("=https") to properly nest inside the single-quoted su -c argument while maintaining protocol restriction. Agent: security-auditor Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> --------- Co-authored-by: B <6723574+louisgv@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
32 lines
1 KiB
Docker
32 lines
1 KiB
Docker
FROM ubuntu:24.04
|
|
|
|
ENV DEBIAN_FRONTEND=noninteractive
|
|
|
|
# Base packages
|
|
RUN apt-get update -y && \
|
|
apt-get install -y --no-install-recommends \
|
|
curl git ca-certificates build-essential unzip xz-utils zsh && \
|
|
rm -rf /var/lib/apt/lists/*
|
|
|
|
# Node.js 22 via apt + n
|
|
RUN apt-get update -y && \
|
|
apt-get install -y --no-install-recommends nodejs npm && \
|
|
npm install -g n && n 22 && \
|
|
ln -sf /usr/local/bin/node /usr/bin/node && \
|
|
ln -sf /usr/local/bin/npm /usr/bin/npm && \
|
|
ln -sf /usr/local/bin/npx /usr/bin/npx && \
|
|
rm -rf /var/lib/apt/lists/*
|
|
|
|
# Bun
|
|
RUN curl -fsSL --proto '=https' https://bun.sh/install | bash
|
|
ENV PATH="/root/.bun/bin:/root/.local/bin:${PATH}"
|
|
|
|
# OpenClaw via npm (Node runtime needs standard node_modules layout)
|
|
RUN npm install -g openclaw
|
|
# Ensure tools are on PATH for all shells
|
|
RUN for rc in /root/.bashrc /root/.zshrc; do \
|
|
grep -q '.bun/bin' "$rc" 2>/dev/null || \
|
|
echo 'export PATH="$HOME/.local/bin:$HOME/.bun/bin:$PATH"' >> "$rc"; \
|
|
done
|
|
|
|
CMD ["/bin/sleep", "inf"]
|