try to contain path traversal better

jruehlow · jruehlow · commit c4bd4d189e93 · 2025-07-15T13:41:11.000+02:00
diff --git a/service/Dockerfile b/service/Dockerfile
@@ -46,7 +46,8 @@ COPY --from=builder /root/.local/bin /service
 COPY --from=builder /app/config /service/config
 
 COPY --from=builder /app/static /service/static
-RUN chown -R service:service /service/static
+RUN mkdir -p /data/uploads
+RUN chown -R service:service /service/static /data
 
 COPY cleanup/cleanup.sh /service/cleanup.sh
 RUN chmod +x /service/cleanup.sh
diff --git a/service/docker-compose.yml b/service/docker-compose.yml
@@ -3,12 +3,17 @@
 services:
   timetype:
     build: .
+    read_only: true
     volumes:
       - ./data:/data:rw
+    tmpfs:
+      - /var/run
+      - /service/static/tmp
     ports:
       - "4711:3000"
     restart: unless-stopped
     environment:
+      # Yesod
       YESOD_PORT: 3000
       YESOD_HOST: 0.0.0.0
       YESOD_DATA_DIR: /data
diff --git a/service/entrypoint.sh b/service/entrypoint.sh
@@ -2,8 +2,6 @@
 set -e
 set -x
 
-chown -R service:service "/data/"
-
 cron
 
 exec su -s /bin/sh -c '/service/timetype' service
