cpanel-importer

cloud-hosting-platform/cpanel-importer

Fork 0

Commit Graph

Author	SHA1	Message	Date
Claude (bootstrap)	cda432e808	scan-files: skip symlinks during file walk to avoid open_basedir aborts All checks were successful cpanel-importer Build and Push / Build-and-Push (push) Successful in 56s Details cPanel cpmove tarballs contain symlinks with absolute targets pointing at the SOURCE server's filesystem (e.g. addon docroots symlinked to /home/<user>/<addondomain>.com/ on the cPanel host). After extract into the container, those symlinks dangle — their targets don't exist in the container's namespace AND are not under any open_basedir-allowed prefix. PHP's SplFileInfo::isFile() (called from the RecursiveIteratorIterator file-count loop) follows symlinks. The realpath check against open_basedir then fires on the symlink TARGET, not the link path, and throws RuntimeException mid-iteration — aborting the entire scan without writing report.json. Surfaced on darkside import as: PHP Fatal error: Uncaught RuntimeException: SplFileInfo::isFile(): open_basedir restriction in effect. File(/host/sanitized/.../ cybercoveconsulting.com/wp-content/db.php) is not within the allowed path(s): (/host:/tmp:/opt/whp:/scripts:/var/lib/clamav:...) Fix is two-layered: 1. RecursiveCallbackFilterIterator pre-filters symlinks via is_link() before they reach hasChildren/isFile. is_link is open_basedir-safe (it stats the link itself, doesn't resolve). Skipped count is reported on STDERR so operators see what was skipped. 2. try/catch around the per-entry isFile() as a defense-in-depth layer — if any other fs op throws mid-walk (race, planted device node, etc.) we count it as a walk_error and continue, not abort. Note that clamscan already walks the extract tree on its own pass and its default symlink posture is "don't follow" — the same posture we want here. Symlink-as-file would also be useless to quarantine (it's a 0-byte fs entry whose target is the actual artifact). Skipping symlinks therefore doesn't miss anything. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-31 11:40:44 -07:00
Claude (bootstrap)	5487dfc8f1	Initial bootstrap: cpanel-importer sanitization sandbox Skeleton for the cpanel-importer Docker container — a one-shot sandbox the WHP panel invokes BEFORE extracting a customer cpmove tarball. See cpanel-import-container-spec.md (in /workspace/) for the full design. What this ships in v1.0: - Dockerfile: almalinux:10-minimal + PHP 8.4 (Remi) + ClamAV 1.4 + SaneSecurity Foxhole.PHP rules + tar/mariadb-client/rsync. Runs as UID 999 (whp-import) via the panel-side --user 999:999 flag. - scripts/entrypoint.sh: validates env, runs (optional) freshclam, drives extract -> scan-files -> scan-dbs -> rsync -> report.json. - scripts/extract.sh + scripts/lib/scan-symlinks.php: pre-extract symlink scan ported standalone from web-files/libs/CpanelBackupImporter.php (the existing 2026-05-29 whp02 destruction-vector fix). Aborts with exit 3 before tar runs if any DANGEROUS symlink is found. - scripts/scan-files.php: ClamAV walk + classify-and-action. v1.0 ships with an empty cleaner registry — every hit is QUARANTINE_ONLY. Cleaner hooks are stubbed for v1.1. - scripts/scan-dbs.php: regex MyISAM -> InnoDB rewrite (always applied), WordPress identification, and ONE WP content scan check (siteurl_external_domain). v1.1 will grow the check set. - scripts/lib/safety-net.php: container-narrow open_basedir allow-list, much tighter than the panel-side one. - .gitea/workflows/build-push.yaml: builds + smoke-tests + PHP-syntax-checks + bash-syntax-checks before pushing to repo.anhonesthost.net/cloud-hosting-platform/cpanel-importer. - tests/build-fixtures.sh: builds cpmove-clean.tar.gz (benign WP dump) and cpmove-alfa.tar.gz (the ALFA-shell symlink-to-/etc vector) for local end-to-end testing. - README.md / CONTRIBUTING.md: docker-run invocation, bind-mount catalog, report.json schema, how to add a cleaner pattern or a WP scan signature. Local acceptance test results: - clean fixture -> status=completed, 3 MyISAM->InnoDB, no flags, 0 - ALFA fixture -> exit 1, status=failed, failed_stage=extract, "tarball contains dangerous symlinks; aborting" on stderr - compromised-siteurl fixture -> imported_into_new_server=false, .flagged file written, summary_for_panel.show_alert=true Image size: 197 MB compressed (gzipped docker save), ~397 MB unique layers extracted. Well under the spec's 600 MB compressed / 1.2 GB extracted budget. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-30 19:56:57 -07:00

Author

SHA1

Message

Date

Claude (bootstrap)

cda432e808

scan-files: skip symlinks during file walk to avoid open_basedir aborts

cpanel-importer Build and Push / Build-and-Push (push) Successful in 56s

Details

cPanel cpmove tarballs contain symlinks with absolute targets pointing at
the SOURCE server's filesystem (e.g. addon docroots symlinked to
/home/<user>/<addondomain>.com/ on the cPanel host). After extract into
the container, those symlinks dangle — their targets don't exist in the
container's namespace AND are not under any open_basedir-allowed prefix.

PHP's SplFileInfo::isFile() (called from the RecursiveIteratorIterator
file-count loop) follows symlinks. The realpath check against
open_basedir then fires on the symlink TARGET, not the link path, and
throws RuntimeException mid-iteration — aborting the entire scan
without writing report.json. Surfaced on darkside import as:

  PHP Fatal error: Uncaught RuntimeException: SplFileInfo::isFile():
  open_basedir restriction in effect. File(/host/sanitized/.../
  cybercoveconsulting.com/wp-content/db.php) is not within the allowed
  path(s): (/host:/tmp:/opt/whp:/scripts:/var/lib/clamav:...)

Fix is two-layered:

1. RecursiveCallbackFilterIterator pre-filters symlinks via is_link()
   before they reach hasChildren/isFile. is_link is open_basedir-safe
   (it stats the link itself, doesn't resolve). Skipped count is
   reported on STDERR so operators see what was skipped.

2. try/catch around the per-entry isFile() as a defense-in-depth
   layer — if any other fs op throws mid-walk (race, planted device
   node, etc.) we count it as a walk_error and continue, not abort.

Note that clamscan already walks the extract tree on its own pass and
its default symlink posture is "don't follow" — the same posture we
want here. Symlink-as-file would also be useless to quarantine (it's
a 0-byte fs entry whose target is the actual artifact). Skipping
symlinks therefore doesn't miss anything.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-31 11:40:44 -07:00

Claude (bootstrap)

5487dfc8f1

Initial bootstrap: cpanel-importer sanitization sandbox

Skeleton for the cpanel-importer Docker container — a one-shot
sandbox the WHP panel invokes BEFORE extracting a customer cpmove
tarball. See cpanel-import-container-spec.md (in /workspace/) for the
full design.

What this ships in v1.0:

- Dockerfile: almalinux:10-minimal + PHP 8.4 (Remi) + ClamAV 1.4 +
  SaneSecurity Foxhole.PHP rules + tar/mariadb-client/rsync. Runs as
  UID 999 (whp-import) via the panel-side --user 999:999 flag.

- scripts/entrypoint.sh: validates env, runs (optional) freshclam,
  drives extract -> scan-files -> scan-dbs -> rsync -> report.json.

- scripts/extract.sh + scripts/lib/scan-symlinks.php: pre-extract
  symlink scan ported standalone from
  web-files/libs/CpanelBackupImporter.php (the existing 2026-05-29
  whp02 destruction-vector fix). Aborts with exit 3 before tar runs
  if any DANGEROUS symlink is found.

- scripts/scan-files.php: ClamAV walk + classify-and-action. v1.0
  ships with an empty cleaner registry — every hit is
  QUARANTINE_ONLY. Cleaner hooks are stubbed for v1.1.

- scripts/scan-dbs.php: regex MyISAM -> InnoDB rewrite (always
  applied), WordPress identification, and ONE WP content scan check
  (siteurl_external_domain). v1.1 will grow the check set.

- scripts/lib/safety-net.php: container-narrow open_basedir
  allow-list, much tighter than the panel-side one.

- .gitea/workflows/build-push.yaml: builds + smoke-tests +
  PHP-syntax-checks + bash-syntax-checks before pushing to
  repo.anhonesthost.net/cloud-hosting-platform/cpanel-importer.

- tests/build-fixtures.sh: builds cpmove-clean.tar.gz (benign WP
  dump) and cpmove-alfa.tar.gz (the ALFA-shell symlink-to-/etc
  vector) for local end-to-end testing.

- README.md / CONTRIBUTING.md: docker-run invocation, bind-mount
  catalog, report.json schema, how to add a cleaner pattern or a WP
  scan signature.

Local acceptance test results:
- clean fixture -> status=completed, 3 MyISAM->InnoDB, no flags, 0
- ALFA fixture -> exit 1, status=failed, failed_stage=extract,
  "tarball contains dangerous symlinks; aborting" on stderr
- compromised-siteurl fixture -> imported_into_new_server=false,
  .flagged file written, summary_for_panel.show_alert=true

Image size: 197 MB compressed (gzipped docker save), ~397 MB unique
layers extracted. Well under the spec's 600 MB compressed / 1.2 GB
extracted budget.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-30 19:56:57 -07:00

2 Commits