Address some security hotspots

arkid15r · arkid15r · commit b549e7072c12 · 2025-03-27T18:58:48.000-07:00
diff --git a/backend/docker/Dockerfile b/backend/docker/Dockerfile
@@ -16,7 +16,7 @@ WORKDIR /home/owasp
 
 USER owasp
 
-COPY --chown=owasp:owasp poetry.lock pyproject.toml ./
+COPY --chmod=644 --chown=owasp:owasp poetry.lock pyproject.toml ./
 RUN poetry install --no-root --without dev --without test
 
 COPY apps apps
@@ -41,7 +41,7 @@ ENV PATH="/home/owasp/.venv/bin:$PATH" \
 
 WORKDIR /home/owasp
 
-COPY --from=builder --chown=owasp:owasp /home/owasp /home/owasp
+COPY --from=builder --chmod=755 --chown=owasp:owasp /home/owasp /home/owasp
 RUN chmod +x /home/owasp/entrypoint.sh
 
 USER owasp
diff --git a/backend/docker/Dockerfile.local b/backend/docker/Dockerfile.local
@@ -15,7 +15,7 @@ ENV POETRY_VIRTUALENVS_IN_PROJECT=true \
 USER owasp
 WORKDIR /home/owasp
 
-COPY --chown=owasp:owasp poetry.lock pyproject.toml ./
+COPY --chmod=644 --chown=owasp:owasp poetry.lock pyproject.toml ./
 RUN poetry install --no-root --without dev --without test
 
 FROM python:3.13-slim
@@ -37,4 +37,4 @@ EXPOSE 8000
 USER owasp
 WORKDIR /home/owasp
 
-COPY --from=builder /home/owasp /home/owasp
+COPY --from=builder --chmod=755 --chown=owasp:owasp /home/owasp /home/owasp
diff --git a/backend/docker/Dockerfile.test b/backend/docker/Dockerfile.test
@@ -16,7 +16,7 @@ ENV FORCE_COLOR=1 \
 WORKDIR /home/owasp
 USER owasp
 
-COPY poetry.lock pyproject.toml ./
+COPY --chmod=644 poetry.lock pyproject.toml ./
 RUN poetry install --no-root
 
 COPY .env.example .env.example
@@ -44,4 +44,4 @@ ENV FORCE_COLOR=1 \
 WORKDIR /home/owasp
 USER owasp
 
-COPY --from=builder /home/owasp /home/owasp
+COPY --from=builder --chmod=755 --chown=owasp:owasp /home/owasp /home/owasp
diff --git a/backend/poetry.lock b/backend/poetry.lock
diff --git a/docs/docker/Dockerfile.local b/docs/docker/Dockerfile.local
@@ -16,7 +16,7 @@ ENV FORCE_COLOR=1 \
 WORKDIR /home/owasp
 USER owasp
 
-COPY --chown=owasp:owasp docs/poetry.lock docs/pyproject.toml mkdocs.yaml ./
+COPY --chmod=644 --chown=owasp:owasp docs/poetry.lock docs/pyproject.toml mkdocs.yaml ./
 RUN poetry install --no-root && \
     rm -rf docs/poetry.lock docs/pyproject.toml
 
@@ -38,4 +38,4 @@ EXPOSE 8001
 USER owasp
 WORKDIR /home/owasp
 
-COPY --from=builder /home/owasp /home/owasp
+COPY --from=builder --chmod=755 --chown=owasp:owasp /home/owasp /home/owasp
diff --git a/frontend/docker/Dockerfile b/frontend/docker/Dockerfile
@@ -2,7 +2,7 @@ FROM node:22 AS builder
 
 WORKDIR /app
 
-COPY package.json pnpm-lock.yaml ./
+COPY --chmod=644 package.json pnpm-lock.yaml ./
 RUN npm install -g pnpm  && \
     pnpm install
 
@@ -12,7 +12,7 @@ RUN pnpm run build
 
 FROM nginx:stable-alpine
 
-COPY --from=builder /app/dist /usr/share/nginx/html
+COPY --from=builder --chmod=755 /app/dist /usr/share/nginx/html
 COPY ./nginx.conf /etc/nginx/conf.d/default.conf
 RUN chmod -R a-w /usr/share/nginx/html
 
diff --git a/frontend/docker/Dockerfile.e2e.test b/frontend/docker/Dockerfile.e2e.test
@@ -6,7 +6,7 @@ ENV FORCE_COLOR=1
 
 WORKDIR /app
 
-COPY package.json pnpm-lock.yaml ./
+COPY --chmod=644 package.json pnpm-lock.yaml ./
 RUN npm install -g pnpm && \
     pnpm install
 
diff --git a/frontend/docker/Dockerfile.local b/frontend/docker/Dockerfile.local
@@ -10,7 +10,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends && \
 
 WORKDIR /home/owasp
 
-COPY package.json pnpm-lock.yaml ./
+COPY --chmod=644 --chown=node:node package.json pnpm-lock.yaml ./
 RUN pnpm config set store-dir /home/owasp/.local/share/pnpm/store/v10 --global && \
     pnpm install
 
@@ -24,7 +24,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends && \
     chown -R node:node /home/owasp && \
     npm install -g pnpm
 
-COPY --from=builder --chown=node:node /home/owasp/node_modules /home/owasp/node_modules
+COPY --from=builder --chmod=755 --chown=node:node /home/owasp/node_modules /home/owasp/node_modules
 
 EXPOSE 3000
 
diff --git a/frontend/docker/Dockerfile.unit.test b/frontend/docker/Dockerfile.unit.test
@@ -6,7 +6,7 @@ ENV FORCE_COLOR=1
 
 WORKDIR /app
 
-COPY package.json pnpm-lock.yaml ./
+COPY --chmod=644 package.json pnpm-lock.yaml ./
 RUN npm install -g pnpm && \
     pnpm install
 
diff --git a/frontend/package.json b/frontend/package.json
@@ -29,7 +29,7 @@
     "@fortawesome/free-solid-svg-icons": "^6.7.2",
     "@fortawesome/react-fontawesome": "^0.2.2",
     "@radix-ui/react-dropdown-menu": "^2.1.6",
-    "@sentry/react": "^9.9.0",
+    "@sentry/react": "^9.10.0",
     "@testing-library/user-event": "^14.6.1",
     "@types/lodash": "^4.17.16",
     "class-variance-authority": "^0.7.1",
diff --git a/frontend/pnpm-lock.yaml b/frontend/pnpm-lock.yaml
diff --git a/frontend/src/components/MarkdownWrapper.tsx b/frontend/src/components/MarkdownWrapper.tsx
@@ -3,7 +3,7 @@ import markdownit from 'markdown-it'
 
 export default function Markdown({ content, className }: { content: string; className?: string }) {
   const md = markdownit({
-    html: true,
+    html: false,
     linkify: true,
     typographer: true,
   })
diff --git a/schema/docker/Dockerfile.test b/schema/docker/Dockerfile.test
@@ -16,7 +16,7 @@ ENV FORCE_COLOR=1 \
 WORKDIR /home/owasp
 USER owasp
 
-COPY poetry.lock pyproject.toml ./
+COPY --chmod=644 --chown=owasp:owasp poetry.lock pyproject.toml ./
 RUN poetry install --no-root
 
 COPY *.json ./
@@ -40,4 +40,4 @@ ENV FORCE_COLOR=1 \
 WORKDIR /home/owasp
 USER owasp
 
-COPY --from=builder /home/owasp /home/owasp
+COPY --from=builder --chmod=755 --chown=owasp:owasp /home/owasp /home/owasp
diff --git a/schema/poetry.lock b/schema/poetry.lock
