From 265b365f0b58ce5f6081c8e25c32aac71af8ee74 Mon Sep 17 00:00:00 2001
From: Josh Knapp
Date: Sat, 28 Feb 2026 20:43:04 +0000
Subject: [PATCH] Fix security: enable CSP and eliminate shell injection in entrypoint

- Enable restrictive Content Security Policy in tauri.conf.json instead of null (disabled), restricting scripts/connects to self + Tauri IPC
- Fix shell injection in entrypoint.sh by replacing su -c with direct git config --file writes, preventing names with quotes (e.g. O'Brien) from breaking startup or enabling code execution

Co-Authored-By: Claude Opus 4.6
---
 app/src-tauri/tauri.conf.json | 2 +-
 container/entrypoint.sh | 7 ++++---
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/app/src-tauri/tauri.conf.json b/app/src-tauri/tauri.conf.json
index f689c17..3c9724d 100644
--- a/app/src-tauri/tauri.conf.json
+++ b/app/src-tauri/tauri.conf.json
@@ -22,7 +22,7 @@
 }
 ],
 "security": {
- "csp": null
+ "csp": "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' asset: https://asset.localhost; font-src 'self' data:; connect-src 'self' ipc: http://ipc.localhost"
 }
 },
 "bundle": {
diff --git a/container/entrypoint.sh b/container/entrypoint.sh
index 395ad09..7805665 100644
--- a/container/entrypoint.sh
+++ b/container/entrypoint.sh
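Review bot: The new `csp` value leaves `base-uri` unset, and `default-src` does not govern that directive, so a `<base>` element reaching the document could retarget relative asset and IPC URLs; appending `; base-uri 'self'` to the policy closes that gap at no cost to the UI. `style-src 'self' 'unsafe-inline'` also keeps style-based injection possible; if the UI framework genuinely needs inline styles, record that requirement in the project's documentation next to the policy so it is not tightened blindly later. Tauri, as I understand it, injects nonces for its own bootstrap script once a CSP is configured, so `script-src 'self'` should still permit the IPC layer, but that is worth confirming against the Tauri version this project pins.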
@@ -82,17 +82,18 @@ if [ -n "$GIT_TOKEN" ]; then
 echo "https://oauth2:${GIT_TOKEN}@github.com" >> "$CRED_FILE"
 echo "https://oauth2:${GIT_TOKEN}@gitlab.com" >> "$CRED_FILE"
 echo "https://oauth2:${GIT_TOKEN}@bitbucket.org" >> "$CRED_FILE"
- su -s /bin/bash claude -c "git config --global credential.helper 'store --file=$CRED_FILE'"
+ git config --global --file /home/claude/.gitconfig credential.helper "store --file=$CRED_FILE"
 unset GIT_TOKEN
 fi
 
 # ── Git user config ──────────────────────────────────────────────────────────
 if [ -n "$GIT_USER_NAME" ]; then
- su -s /bin/bash claude -c "git config --global user.name '$GIT_USER_NAME'"
+ git config --global --file /home/claude/.gitconfig user.name "$GIT_USER_NAME"
 fi
 if [ -n "$GIT_USER_EMAIL" ]; then
- su -s /bin/bash claude -c "git config --global user.email '$GIT_USER_EMAIL'"
+ git config --global --file /home/claude/.gitconfig user.email "$GIT_USER_EMAIL"
 fi
+chown claude:claude /home/claude/.gitconfig 2>/dev/null || true
 
 # ── Claude instructions ──────────────────────────────────────────────────────
 if [ -n "$CLAUDE_INSTRUCTIONS" ]; then
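Review bot: The three new `git config --global --file /home/claude/.gitconfig …` lines select two config files at once, which git's config builtin refuses with `error: only one config file at a time` and a usage dump before writing anything, so credential.helper, user.name and user.email would all be left unset. Drop `--global` and keep the explicit path, e.g. `git config --file /home/claude/.gitconfig credential.helper "store --file=$CRED_FILE"`, and the same for the user.name and user.email lines. The added `chown claude:claude /home/claude/.gitconfig 2>/dev/null || true` then silently tolerates a failure that would leave the file owned by the invoking user and unwritable by claude; at minimum emit a warning to stderr instead of discarding the error. Whether `set -e` is active and would have halted startup on the git error is outside the hunk and cannot be seen here.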