Initial bootstrap: cpanel-importer sanitization sandbox
Skeleton for the cpanel-importer Docker container — a one-shot sandbox the WHP panel invokes BEFORE extracting a customer cpmove tarball. See cpanel-import-container-spec.md (in /workspace/) for the full design. What this ships in v1.0: - Dockerfile: almalinux:10-minimal + PHP 8.4 (Remi) + ClamAV 1.4 + SaneSecurity Foxhole.PHP rules + tar/mariadb-client/rsync. Runs as UID 999 (whp-import) via the panel-side --user 999:999 flag. - scripts/entrypoint.sh: validates env, runs (optional) freshclam, drives extract -> scan-files -> scan-dbs -> rsync -> report.json. - scripts/extract.sh + scripts/lib/scan-symlinks.php: pre-extract symlink scan ported standalone from web-files/libs/CpanelBackupImporter.php (the existing 2026-05-29 whp02 destruction-vector fix). Aborts with exit 3 before tar runs if any DANGEROUS symlink is found. - scripts/scan-files.php: ClamAV walk + classify-and-action. v1.0 ships with an empty cleaner registry — every hit is QUARANTINE_ONLY. Cleaner hooks are stubbed for v1.1. - scripts/scan-dbs.php: regex MyISAM -> InnoDB rewrite (always applied), WordPress identification, and ONE WP content scan check (siteurl_external_domain). v1.1 will grow the check set. - scripts/lib/safety-net.php: container-narrow open_basedir allow-list, much tighter than the panel-side one. - .gitea/workflows/build-push.yaml: builds + smoke-tests + PHP-syntax-checks + bash-syntax-checks before pushing to repo.anhonesthost.net/cloud-hosting-platform/cpanel-importer. - tests/build-fixtures.sh: builds cpmove-clean.tar.gz (benign WP dump) and cpmove-alfa.tar.gz (the ALFA-shell symlink-to-/etc vector) for local end-to-end testing. - README.md / CONTRIBUTING.md: docker-run invocation, bind-mount catalog, report.json schema, how to add a cleaner pattern or a WP scan signature. Local acceptance test results: - clean fixture -> status=completed, 3 MyISAM->InnoDB, no flags, 0 - ALFA fixture -> exit 1, status=failed, failed_stage=extract, "tarball contains dangerous symlinks; aborting" on stderr - compromised-siteurl fixture -> imported_into_new_server=false, .flagged file written, summary_for_panel.show_alert=true Image size: 197 MB compressed (gzipped docker save), ~397 MB unique layers extracted. Well under the spec's 600 MB compressed / 1.2 GB extracted budget. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Claude (bootstrap)
219
scripts/entrypoint.sh
Executable file
219
scripts/entrypoint.sh
Executable file
@@ -0,0 +1,219 @@
|
||||
#!/usr/bin/env bash
|
||||
#
|
||||
# entrypoint.sh — main controller for the cpanel-importer sandbox.
|
||||
#
|
||||
# Inputs (env, set by the panel's docker run):
|
||||
# IMPORT_ID unique id for this run; used in quarantine + report paths
|
||||
# IMPORT_USERNAME cPanel/WHP username the cpmove belongs to
|
||||
# IMPORT_BACKUP_FILE absolute path inside the container, typically
|
||||
# /host/backup/cpmove-<user>.tar.gz
|
||||
# CLAMAV_REFRESH "true" to run freshclam at start (default: true)
|
||||
#
|
||||
# Flow (spec §0):
|
||||
# 1. validate env
|
||||
# 2. (optional) refresh ClamAV signatures
|
||||
# 3. extract → /tmp/extract/
|
||||
# 4. file scan → /tmp/scan-files-report.json
|
||||
# 5. DB sanitize → /tmp/sanitized/mysql/, /tmp/scan-dbs-report.json
|
||||
# 6. rsync /tmp/sanitized/ → /host/sanitized/<importid>/
|
||||
# 7. write /host/sanitized/<importid>/report.json (merged)
|
||||
#
|
||||
# On failure at any stage we still write a partial report.json with
|
||||
# status="failed" + the stage that broke, then exit non-zero.
|
||||
|
||||
set -euo pipefail
|
||||
|
||||
# --- logging ---------------------------------------------------------------
|
||||
|
||||
ts() { date -u +'%Y-%m-%dT%H:%M:%SZ'; }
|
||||
log() { printf '[%s] %s\n' "$(ts)" "$*"; }
|
||||
die() { log "FATAL: $*"; write_failure_report "$STAGE" "$*"; exit 1; }
|
||||
|
||||
# Buffered partial state. The final report.json is written by the merge
|
||||
# step (see write_final_report); if we crash before then, write_failure_report
|
||||
# emits whatever partial pieces exist.
|
||||
STAGE="init"
|
||||
START_TS="$(date -u +%s)"
|
||||
|
||||
write_failure_report() {
|
||||
local stage="$1"
|
||||
local msg="$2"
|
||||
local out_dir="/host/sanitized/${IMPORT_ID:-unknown}"
|
||||
# mkdir AND the report write can both fail (mount RO, missing
|
||||
# /host/sanitized, etc.); we log every failure to stderr and never
|
||||
# let the report-writer abort the script.
|
||||
if ! mkdir -p "$out_dir" 2>/dev/null; then
|
||||
log "WARN: failure-report mkdir failed for $out_dir; report will not be persisted"
|
||||
return 0
|
||||
fi
|
||||
if ! cat > "$out_dir/report.json" 2>/dev/null <<JSON
|
||||
{
|
||||
"import_id": "${IMPORT_ID:-unknown}",
|
||||
"status": "failed",
|
||||
"failed_stage": "$stage",
|
||||
"error": $(printf '%s' "$msg" | php -r 'echo json_encode(stream_get_contents(STDIN));' 2>/dev/null || echo '"(unencodable)"'),
|
||||
"scan_duration_seconds": $(( $(date -u +%s) - START_TS )),
|
||||
"files": null,
|
||||
"databases": null
|
||||
}
|
||||
JSON
|
||||
then
|
||||
log "WARN: failure-report write failed for $out_dir/report.json"
|
||||
fi
|
||||
}
|
||||
|
||||
# --- env validation --------------------------------------------------------
|
||||
|
||||
STAGE="validate_env"
|
||||
log "cpanel-importer starting (container UID=$(id -u) GID=$(id -g))"
|
||||
|
||||
: "${IMPORT_ID:?IMPORT_ID env var is required}"
|
||||
: "${IMPORT_USERNAME:?IMPORT_USERNAME env var is required}"
|
||||
: "${IMPORT_BACKUP_FILE:?IMPORT_BACKUP_FILE env var is required}"
|
||||
CLAMAV_REFRESH="${CLAMAV_REFRESH:-true}"
|
||||
|
||||
log "import_id=$IMPORT_ID username=$IMPORT_USERNAME backup=$IMPORT_BACKUP_FILE"
|
||||
|
||||
if [[ ! -f "$IMPORT_BACKUP_FILE" ]]; then
|
||||
die "backup file does not exist or is not a regular file: $IMPORT_BACKUP_FILE"
|
||||
fi
|
||||
|
||||
# Make sure the output dirs exist (they're bind mounts, so we trust the
|
||||
# host to have created them, but mkdir -p is harmless).
|
||||
QUARANTINE_DIR="/host/quarantine/$IMPORT_ID"
|
||||
SANITIZED_DIR="/host/sanitized/$IMPORT_ID"
|
||||
mkdir -p "$QUARANTINE_DIR" "$SANITIZED_DIR" \
|
||||
|| die "cannot create quarantine/sanitized output dirs (are the bind mounts RW?)"
|
||||
|
||||
# Container-internal scratch space (mounted as tmpfs by the panel).
|
||||
EXTRACT_DIR="/tmp/extract"
|
||||
WORK_DIR="/tmp/sanitized"
|
||||
mkdir -p "$EXTRACT_DIR" "$WORK_DIR/mysql"
|
||||
|
||||
# --- refresh ClamAV signatures --------------------------------------------
|
||||
|
||||
STAGE="freshclam"
|
||||
if [[ "$CLAMAV_REFRESH" == "true" ]]; then
|
||||
log "refreshing ClamAV signatures (freshclam)"
|
||||
# freshclam is allowed to fail (e.g., container has no outbound net);
|
||||
# we proceed with the baseline rules from build time + log a warning.
|
||||
if ! freshclam --no-warnings >/tmp/freshclam.log 2>&1; then
|
||||
log "WARN: freshclam failed; proceeding with build-time signature DB"
|
||||
tail -20 /tmp/freshclam.log || true
|
||||
fi
|
||||
else
|
||||
log "CLAMAV_REFRESH=false; skipping freshclam"
|
||||
fi
|
||||
|
||||
# --- extract the cpmove ----------------------------------------------------
|
||||
|
||||
STAGE="extract"
|
||||
log "stage: extract"
|
||||
if ! /scripts/extract.sh "$IMPORT_BACKUP_FILE" "$EXTRACT_DIR" "$IMPORT_USERNAME"; then
|
||||
die "extract.sh failed; see stderr above"
|
||||
fi
|
||||
|
||||
# --- ClamAV scan + auto-clean/quarantine ----------------------------------
|
||||
|
||||
STAGE="scan_files"
|
||||
log "stage: scan_files"
|
||||
php /scripts/scan-files.php \
|
||||
--extract "$EXTRACT_DIR" \
|
||||
--quarantine "$QUARANTINE_DIR" \
|
||||
--report /tmp/scan-files-report.json \
|
||||
--import-id "$IMPORT_ID" \
|
||||
|| die "scan-files.php failed; see stderr above"
|
||||
|
||||
# --- DB engine swap + WP content scan -------------------------------------
|
||||
|
||||
STAGE="scan_dbs"
|
||||
log "stage: scan_dbs"
|
||||
php /scripts/scan-dbs.php \
|
||||
--extract "$EXTRACT_DIR" \
|
||||
--out "$WORK_DIR/mysql" \
|
||||
--final-prefix "$SANITIZED_DIR/mysql" \
|
||||
--report /tmp/scan-dbs-report.json \
|
||||
--import-id "$IMPORT_ID" \
|
||||
--username "$IMPORT_USERNAME" \
|
||||
|| die "scan-dbs.php failed; see stderr above"
|
||||
|
||||
# --- rsync cleaned tree to /host/sanitized --------------------------------
|
||||
|
||||
STAGE="rsync_out"
|
||||
log "stage: rsync_out"
|
||||
# Copy the (now-cleaned) extracted tree to the sanitized output. We exclude
|
||||
# files that scan-files.php quarantined — they are NOT present in the
|
||||
# extract dir anymore (the scanner moved them), so this is the cleaned
|
||||
# tree by construction.
|
||||
rsync -a --no-owner --no-group --no-perms --chmod=Du=rwx,Dg=rx,Do=,Fu=rw,Fg=r,Fo= \
|
||||
"$EXTRACT_DIR"/ "$SANITIZED_DIR/extracted/" \
|
||||
|| die "rsync to sanitized dir failed"
|
||||
|
||||
# Then drop the cleaned .sql files in place too.
|
||||
rsync -a --no-owner --no-group --no-perms --chmod=Du=rwx,Dg=rx,Do=,Fu=rw,Fg=r,Fo= \
|
||||
"$WORK_DIR/mysql"/ "$SANITIZED_DIR/mysql/" \
|
||||
|| die "rsync of cleaned .sql files failed"
|
||||
|
||||
# --- merge per-stage reports into the final report.json -------------------
|
||||
|
||||
STAGE="write_report"
|
||||
log "stage: write_report"
|
||||
DURATION=$(( $(date -u +%s) - START_TS ))
|
||||
php -r '
|
||||
$importId = $argv[1];
|
||||
$duration = (int) $argv[2];
|
||||
$filesPath = $argv[3];
|
||||
$dbsPath = $argv[4];
|
||||
$outPath = $argv[5];
|
||||
|
||||
$files = is_file($filesPath) ? json_decode(file_get_contents($filesPath), true) : null;
|
||||
$dbs = is_file($dbsPath) ? json_decode(file_get_contents($dbsPath), true) : null;
|
||||
|
||||
$filesScanned = $files["files_scanned"] ?? 0;
|
||||
$filesClean = $files["files_clean"] ?? 0;
|
||||
$filesCleaned = $files["files_cleaned"] ?? 0;
|
||||
$filesQuarantined = $files["files_quarantined"] ?? 0;
|
||||
$actions = $files["actions"] ?? [];
|
||||
$databases = $dbs["databases"] ?? [];
|
||||
|
||||
$dbRefused = 0;
|
||||
foreach ($databases as $db) {
|
||||
if (($db["imported_into_new_server"] ?? true) === false) $dbRefused++;
|
||||
}
|
||||
|
||||
$severity = "info";
|
||||
$alert = false;
|
||||
$msg = "Sanitization clean: no malware signatures detected.";
|
||||
if ($filesQuarantined > 0 || $dbRefused > 0) {
|
||||
$alert = true;
|
||||
$severity = ($filesQuarantined > 50 || $dbRefused > 0) ? "warning" : "info";
|
||||
$msg = sprintf(
|
||||
"%d files quarantined + %d cleaned in place; %d database(s) refused as compromised. Customer site may have been compromised at the source — recommend review.",
|
||||
$filesQuarantined, $filesCleaned, $dbRefused
|
||||
);
|
||||
}
|
||||
|
||||
$report = [
|
||||
"import_id" => $importId,
|
||||
"status" => "completed",
|
||||
"scan_duration_seconds" => $duration,
|
||||
"files_scanned" => $filesScanned,
|
||||
"files_clean" => $filesClean,
|
||||
"files_cleaned" => $filesCleaned,
|
||||
"files_quarantined" => $filesQuarantined,
|
||||
"actions" => $actions,
|
||||
"databases" => $databases,
|
||||
"summary_for_panel" => [
|
||||
"show_alert" => $alert,
|
||||
"alert_severity" => $severity,
|
||||
"alert_message" => $msg,
|
||||
],
|
||||
];
|
||||
|
||||
file_put_contents($outPath, json_encode($report, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES) . "\n");
|
||||
fprintf(STDERR, "report written: %s\n", $outPath);
|
||||
' "$IMPORT_ID" "$DURATION" /tmp/scan-files-report.json /tmp/scan-dbs-report.json "$SANITIZED_DIR/report.json" \
|
||||
|| die "report merge failed"
|
||||
|
||||
log "done — exited cleanly after ${DURATION}s"
|
||||
exit 0
|
||||
Reference in New Issue
Block a user