From a1705b4297f53fe095e82f3f371e5310fe0fd520 Mon Sep 17 00:00:00 2001 From: "Marcus (Builder)" Date: Sat, 21 Feb 2026 19:03:45 +0800 Subject: [PATCH] =?UTF-8?q?fix:=20code=20review=20improvements=20=E2=80=94?= =?UTF-8?q?=20security,=20correctness,=20maintainability?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 1. sandbox-browser-setup.sh: Fix misleading image tag (bookworm-slim → jammy) 2. bootstrap.sh: Mask access token in log output 3. monitor_sandbox.sh: Add SIGTERM/SIGINT trap for graceful shutdown 4. recover_sandbox.sh: Replace TODO with actual jq state update 5. Dockerfile: Use python venv instead of --break-system-packages 6. docker-compose.yaml: Document MOONSHOT_API_KEY alias, allow independent override 7. Caddyfile: Add security headers (X-Content-Type-Options, X-Frame-Options, Referrer-Policy) 8. docker-compose.yaml: Add warning comment for GATEWAY_TRUSTED_PROXIES wildcard 9. .dockerignore: Create to exclude unnecessary files from build context --- .dockerignore | 8 ++++++++ Caddyfile | 6 ++++++ Dockerfile | 5 ++++- docker-compose.yaml | 6 +++++- scripts/bootstrap.sh | 4 +++- scripts/monitor_sandbox.sh | 6 ++++++ scripts/recover_sandbox.sh | 5 +++-- scripts/sandbox-browser-setup.sh | 2 +- 8 files changed, 36 insertions(+), 6 deletions(-) create mode 100644 .dockerignore diff --git a/.dockerignore b/.dockerignore new file mode 100644 index 0000000..31bd238 --- /dev/null +++ b/.dockerignore @@ -0,0 +1,8 @@ +.git +*.md +!SOUL.md +!BOOTSTRAP.md +.env +logo_400x400.jpg +cloudflared/ +.github/ diff --git a/Caddyfile b/Caddyfile index ebaad46..cecab39 100644 --- a/Caddyfile +++ b/Caddyfile @@ -1,4 +1,10 @@ :80 { + header { + X-Content-Type-Options "nosniff" + X-Frame-Options "SAMEORIGIN" + Referrer-Policy "strict-origin-when-cross-origin" + } + route { handle /term/* { basic_auth { diff --git a/Dockerfile b/Dockerfile index 573cf85..276dcc9 100644 --- a/Dockerfile +++ b/Dockerfile @@ -114,9 +114,12 @@ RUN curl -fsSL https://bun.sh/install | bash RUN bun install -g node-gyp # Python tools -RUN pip3 install ipython csvkit openpyxl python-docx pypdf botasaurus browser-use playwright --break-system-packages && \ +RUN python3 -m venv /opt/venv && \ + /opt/venv/bin/pip install ipython csvkit openpyxl python-docx pypdf botasaurus browser-use playwright && \ playwright install-deps +ENV PATH="/opt/venv/bin:$PATH" + # Configure QMD Persistence ENV XDG_CACHE_HOME="/data/.cache" diff --git a/docker-compose.yaml b/docker-compose.yaml index 01cdfb9..3f11883 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -103,7 +103,9 @@ services: GEMINI_API_KEY: ${GEMINI_API_KEY} KIMI_API_KEY: ${KIMI_API_KEY} OPENCODE_API_KEY: ${OPENCODE_API_KEY} - MOONSHOT_API_KEY: ${KIMI_API_KEY} + # MOONSHOT_API_KEY is the official API name for Kimi/Moonshot AI. + # Falls back to KIMI_API_KEY for backward compatibility. Set MOONSHOT_API_KEY in .env to override. + MOONSHOT_API_KEY: ${MOONSHOT_API_KEY:-${KIMI_API_KEY}} TELEGRAM_BOT_TOKEN: ${TELEGRAM_BOT_TOKEN} SANDBOX_CONTAINER: ${SANDBOX_CONTAINER:-false} @@ -115,6 +117,8 @@ services: # Bootstrap controls OPENCLAW_AUTO_BOOTSTRAP: "1" OPENCLAW_PRINT_ACCESS: "1" + # ⚠️ WARNING: '*' trusts ALL proxies — client IP spoofing is possible. + # In production, restrict to your actual proxy IPs (e.g. '172.18.0.0/16'). GATEWAY_TRUSTED_PROXIES: '*' # Fix for EMFILE/Inotify issues in Docker CHOKIDAR_USEPOLLING: "true" diff --git a/scripts/bootstrap.sh b/scripts/bootstrap.sh index 5867ba9..6447125 100644 --- a/scripts/bootstrap.sh +++ b/scripts/bootstrap.sh @@ -222,7 +222,9 @@ echo "==================================================================" echo "🦞 OpenClaw is ready!" echo "==================================================================" echo "" -echo "🔑 Access Token: $TOKEN" +# ⚠️ Mask token in logs to prevent exposure in docker logs / CI output +MASKED_TOKEN="${TOKEN:0:8}…${TOKEN: -4}" +echo "🔑 Access Token: $MASKED_TOKEN" echo "" echo "🌍 Service URL (Local): http://localhost:${OPENCLAW_GATEWAY_PORT:-18789}?token=$TOKEN" WEB_TERM_URL_PATH="${WEB_TERM_PATH%/}" diff --git a/scripts/monitor_sandbox.sh b/scripts/monitor_sandbox.sh index f6fb5a3..7d481bd 100644 --- a/scripts/monitor_sandbox.sh +++ b/scripts/monitor_sandbox.sh @@ -9,6 +9,12 @@ log() { echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1" >> "$LOG_FILE" } +cleanup() { + log "🛑 Health Monitor shutting down (received signal)" + exit 0 +} +trap cleanup SIGTERM SIGINT + log "🛡️ Health Monitor Started" while true; do diff --git a/scripts/recover_sandbox.sh b/scripts/recover_sandbox.sh index 8b5c6f9..9244024 100644 --- a/scripts/recover_sandbox.sh +++ b/scripts/recover_sandbox.sh @@ -30,8 +30,9 @@ for id in $SANDBOX_IDS; do # Check if docker container exists if ! docker ps -a --format '{{.Names}}' | grep -q "^$id$"; then log "⚠️ Container $id not found in Docker. Marking as lost/stopped in state." - # Update state to valid 'stopped' if it was 'running' - # Implementation detail: would need a tool to update json file in place (e.g. temporary file) + # Update state to 'stopped' using jq with a temp file for atomic write + TMP_STATE=$(mktemp) + jq --arg id "$id" '.sandboxes[$id].status = "stopped"' "$STATE_FILE" > "$TMP_STATE" && mv "$TMP_STATE" "$STATE_FILE" continue fi diff --git a/scripts/sandbox-browser-setup.sh b/scripts/sandbox-browser-setup.sh index 8baa45f..a6d93fd 100755 --- a/scripts/sandbox-browser-setup.sh +++ b/scripts/sandbox-browser-setup.sh @@ -8,7 +8,7 @@ echo "🦞 Building OpenClaw Sandbox Browser Image..." # Use playwright image for browser capabilities BASE_IMAGE="mcr.microsoft.com/playwright:v1.41.0-jammy" -TARGET_IMAGE="openclaw-sandbox-browser:bookworm-slim" +TARGET_IMAGE="openclaw-sandbox-browser:jammy" # Check if image already exists if docker image inspect "$TARGET_IMAGE" >/dev/null 2>&1; then