feat : multi-stage build and optimization (#57)

closes #54 
partially closes #59

Author: opbot-xd

src/backend/scripts.ts

@@ -1,52 +1,79 @@
 import { exec } from "./dependencies.ts";
-import dockerize from "./utils/container.ts";
+import dockerize, { dockerignore } from "./utils/container.ts";
 import DfContentMap from "./types/maps_interface.ts";
 
 const MEMORY_LIMIT = Deno.env.get("MEMORY_LIMIT");
 
+function shellEscape(input: string, label = "input"): string {
+  if (!input) return "";
+  if (input.startsWith("-")) {
+    throw new Error(`[scripts] Invalid ${label}: cannot start with a hyphen`);
+  }
+  const safeCharPattern = /^[a-zA-Z0-9.\-_:/~?=#]+$/;
+
+  if (!safeCharPattern.test(input)) {
+    throw new Error(`[scripts] Invalid characters in ${label}: ${input}`);
+  }
+  return input;
+}
+
+async function safeExec(command: string): Promise<void> {
+  try {
+    await exec(command);
+  } catch (error) {
+    console.error(`[scripts] exec failed: ${command}`);
+    console.error(error);
+    throw error;
+  }
+}
+
 async function addScript(
   document: DfContentMap,
   env_content: string,
   static_content: string,
-  dockerfile_present:string,
+  dockerfile_present: string,
   stack: string,
   port: string,
   build_cmds: string,
 ) {
+  const subdomain = shellEscape(document.subdomain, "subdomain");
+  const resource = shellEscape(document.resource, "resource");
+  const safePort = shellEscape(port, "port");
+  const memLimit = shellEscape(MEMORY_LIMIT || "512m", "MEMORY_LIMIT");
+
   if (document.resource_type === "URL") {
-    await exec(
-      `bash -c "echo 'bash ../../src/backend/shell_scripts/automate.sh -u ${document.resource} ${document.subdomain}' > /hostpipe/pipe"`,
+    await safeExec(
+      `bash -c "echo 'bash ../../src/backend/shell_scripts/automate.sh -u ${resource} ${subdomain}' > /hostpipe/pipe"`,
     );
   } else if (document.resource_type === "PORT") {
-    await exec(
-      `bash -c "echo 'bash ../../src/backend/shell_scripts/automate.sh -p ${document.resource} ${document.subdomain}' > /hostpipe/pipe"`,
+    await safeExec(
+      `bash -c "echo 'bash ../../src/backend/shell_scripts/automate.sh -p ${resource} ${subdomain}' > /hostpipe/pipe"`,
     );
   } else if (document.resource_type === "GITHUB" && static_content == "Yes") {
-    Deno.writeTextFile(`/hostpipe/.env`, env_content);
-    await exec(
-      `bash -c "echo 'bash ../../src/backend/shell_scripts/container.sh -s ${document.subdomain} ${document.resource} 80 ${MEMORY_LIMIT}' > /hostpipe/pipe"`,
+    await Deno.writeTextFile(`/hostpipe/.env`, env_content);
+    await safeExec(
+      `bash -c "echo 'bash ../../src/backend/shell_scripts/container.sh -s ${subdomain} ${resource} 80 ${memLimit}' > /hostpipe/pipe"`,
     );
   } else if (document.resource_type === "GITHUB" && static_content == "No") {
-    if(dockerfile_present === 'No'){
-      const dockerfile = dockerize(stack, port, build_cmds);
-    Deno.writeTextFile(`/hostpipe/Dockerfile`, dockerfile);
-    Deno.writeTextFile(`/hostpipe/.env`, env_content);
-    await exec(
-      `bash -c "echo 'bash ../../src/backend/shell_scripts/container.sh -g ${document.subdomain} ${document.resource} ${port} ${MEMORY_LIMIT}' > /hostpipe/pipe"`,
-    );
-    }else if(dockerfile_present === 'Yes'){
-      
-      await exec(
-        `bash -c "echo 'bash ../../src/backend/shell_scripts/container.sh -d ${document.subdomain} ${document.resource} ${port} ${MEMORY_LIMIT}' > /hostpipe/pipe"`,
+    if (dockerfile_present === 'No') {
+      await Deno.writeTextFile(`/hostpipe/Dockerfile`, dockerize(stack, safePort, build_cmds));
+      await Deno.writeTextFile(`/hostpipe/.dockerignore`, dockerignore(stack));
+      await Deno.writeTextFile(`/hostpipe/.env`, env_content);
+      await safeExec(
+        `bash -c "echo 'bash ../../src/backend/shell_scripts/container.sh -g ${subdomain} ${resource} ${safePort} ${memLimit}' > /hostpipe/pipe"`,
+      );
+    } else if (dockerfile_present === 'Yes') {
+      await safeExec(
+        `bash -c "echo 'bash ../../src/backend/shell_scripts/container.sh -d ${subdomain} ${resource} ${safePort} ${memLimit}' > /hostpipe/pipe"`,
       );
     }
-    
   }
 }
 
 async function deleteScript(document: DfContentMap) {
-  await exec(
-    `bash -c "echo 'bash ../../src/backend/shell_scripts/delete.sh ${document.subdomain}' > /hostpipe/pipe"`,
+  const subdomain = shellEscape(document.subdomain, "subdomain");
+  await safeExec(
+    `bash -c "echo 'bash ../../src/backend/shell_scripts/delete.sh ${subdomain}' > /hostpipe/pipe"`,
   );
 }
 

src/backend/shell_scripts/container.sh

@@ -23,6 +23,7 @@ cd $name
 
 if [ $flag = "-g" ]; then
     sudo cp ../Dockerfile ./
+    sudo cp ../.dockerignore ./ 2>/dev/null || true
 elif [ $flag = "-s" ]; then
     sudo echo "
     FROM nginx:alpine
@@ -31,18 +32,18 @@ elif [ $flag = "-s" ]; then
 fi
 
 sudo docker build -t $name .
-sudo docker run --memory=$max_mem --name=$name -d -p ${available_ports[$AVAILABLE]}:$exp_port $2
+sudo docker run --memory=$max_mem --name=$name -d -p ${available_ports[$AVAILABLE]}:$exp_port $name
 cd ..
 sudo rm -rf $name
 sudo rm Dockerfile
 sudo rm .env
-sudo touch /etc/nginx/sites-available/$2.conf
-sudo chmod 666 /etc/nginx/sites-available/$2.conf
-sudo echo "# Virtual Host configuration for $2
+sudo touch /etc/nginx/sites-available/$name.conf
+sudo chmod 666 /etc/nginx/sites-available/$name.conf
+sudo echo "# Virtual Host configuration for $name
     server {
     listen 80;
     listen [::]:80;
-    server_name $2;
+    server_name $name;
     location / {
         proxy_pass http://localhost:${available_ports[$AVAILABLE]};
         proxy_http_version 1.1;
@@ -53,6 +54,6 @@ sudo echo "# Virtual Host configuration for $2
     }
     charset utf-8;
     client_max_body_size 20M;
-    }" > /etc/nginx/sites-available/$2.conf
-sudo ln -s /etc/nginx/sites-available/$2.conf /etc/nginx/sites-enabled/$2.conf
+    }" > /etc/nginx/sites-available/$name.conf
+sudo ln -s /etc/nginx/sites-available/$name.conf /etc/nginx/sites-enabled/$name.conf
 sudo systemctl reload nginx

src/backend/utils/container.ts

@@ -5,19 +5,142 @@ export default function dockerize(
 ) {
   let dockerfile = "";
   build_cmds = build_cmds.replace(/\r?\n$/, '');
-  const run_cmd = build_cmds.split("\n");
-  const execute_cmd = "CMD " + JSON.stringify(run_cmd.pop()?.split(" "));
-  const build_cmds_mapped = run_cmd.map((elem) => {
-    return "RUN " + elem;
-  }).join("\n");
+  const run_cmd = build_cmds.split("\n").map(c => c.trim()).filter(Boolean);
+  const last_cmd = run_cmd.pop();
+  if (!last_cmd) {
+    throw new Error("build_cmds must contain at least one valid execution command");
+  }
+  let execute_cmd = "CMD " + JSON.stringify(last_cmd.split(" "));
+  let build_steps = run_cmd.filter(Boolean).map((cmd) => `RUN ${cmd}`);
   if (stack == "Python") {
-    dockerfile =
-      "FROM python:latest \nWORKDIR /app \nCOPY requirements.txt . \nRUN pip install --no-cache-dir -r requirements.txt \nCOPY . ." +
-      build_cmds_mapped + `\nEXPOSE ${port}\n` + execute_cmd;
+    dockerfile = [
+      "FROM python:3.12-slim AS builder",
+      "WORKDIR /app",
+      "RUN python -m venv /opt/venv",
+      "ENV PATH=\"/opt/venv/bin:$PATH\"",
+      "COPY . .",
+      "RUN if [ -f requirements.txt ]; then pip install --no-cache-dir --upgrade pip && pip install --no-cache-dir -r requirements.txt; fi",
+      ...build_steps,
+      "",
+      "FROM python:3.12-slim",
+      "RUN groupadd -r appuser && useradd -r -g appuser appuser",
+      "WORKDIR /app",
+      "COPY --from=builder /opt/venv /opt/venv",
+      "COPY --from=builder /app /app",
+      "ENV PATH=\"/opt/venv/bin:$PATH\"",
+      "USER appuser",
+      `EXPOSE ${port}`,
+      execute_cmd,
+    ].join("\n");
   } else if (stack == "NodeJS") {
-    dockerfile =
-      "FROM node:latest \nWORKDIR /app \nCOPY ./package*.json . \nRUN npm install \nCOPY . ." +
-      build_cmds_mapped + `\nEXPOSE ${port} \n` + execute_cmd;
+    dockerfile = [
+      "FROM node:22-alpine AS builder",
+      "WORKDIR /app",
+      "COPY . .",
+      "RUN if [ -f package.json ]; then npm install && npm cache clean --force; fi",
+      ...build_steps,
+      "RUN rm -rf node_modules",
+      "",
+      "FROM node:22-alpine",
+      "WORKDIR /app",
+      "ENV NODE_ENV=production",
+      "COPY --from=builder /app ./",
+      "RUN if [ -f package.json ]; then npm install --omit=dev && npm cache clean --force; fi",
+      "USER node",
+      `EXPOSE ${port}`,
+      execute_cmd,
+    ].join("\n");
+  } else if (stack === "Go") {
+    let goBuildOverride: string[] = [];
+    if (last_cmd.startsWith("go run")) {
+      const target = last_cmd.replace("go run ", "");
+      goBuildOverride = [`RUN go build -o app_binary ${target}`];
+      execute_cmd = 'CMD ["./app_binary"]';
+    }
+    dockerfile = [
+      "FROM golang:1.22-alpine AS builder",
+      "WORKDIR /app",
+      "COPY . .",
+      "RUN if [ -f go.mod ]; then go mod download; fi",
+      ...build_steps,
+      ...goBuildOverride,
+      "RUN find . -type f ! -executable -delete && rm -rf vendor/ .git/ *.go go.*",
+      "",
+      "FROM alpine:3.19",
+      "RUN addgroup -S appgroup && adduser -S appuser -G appgroup",
+      "RUN apk add --no-cache ca-certificates",
+      "WORKDIR /app",
+      "COPY --from=builder /app /app",
+      "USER appuser",
+      `EXPOSE ${port}`,
+      execute_cmd,
+    ].join("\n");
+  } else if (stack === "Rust") {
+    let rustBuildOverride: string[] = [];
+    let processed_build_steps = build_steps;
+
+    if (last_cmd.startsWith("cargo run")) {
+      processed_build_steps = build_steps.filter(step => !step.includes("cargo build"));
+      rustBuildOverride = [`RUN cargo build --release && find target/release -maxdepth 1 -type f -executable -exec mv {} ./app_binary \\;`];
+      execute_cmd = 'CMD ["./app_binary"]';
+    } else if (last_cmd.startsWith("rustc ")) {
+      const target = last_cmd.replace("rustc ", "");
+      processed_build_steps = build_steps.filter(step => !step.includes("rustc "));
+      rustBuildOverride = [`RUN rustc ${target} -o app_binary`];
+      execute_cmd = 'CMD ["./app_binary"]';
+    }
+
+    dockerfile = [
+      "FROM rust:alpine AS builder",
+      "RUN apk add --no-cache musl-dev",
+      "WORKDIR /app",
+      "COPY . .",
+      ...processed_build_steps,
+      ...rustBuildOverride,
+      "# Generator limitation: Since we don't know the exact binary name, we delete all source files and keep only the compiled executables",
+      "RUN find . -type f ! -executable -delete && rm -rf src/ .git/ Cargo.* vendor/ target/",
+      "",
+      "FROM alpine:3.19",
+      "RUN addgroup -S appgroup && adduser -S appuser -G appgroup",
+      "RUN apk add --no-cache ca-certificates libgcc",
+      "WORKDIR /app",
+      "COPY --from=builder /app /app",
+      "USER appuser",
+      `EXPOSE ${port}`,
+      execute_cmd,
+    ].join("\n");
+  } else if (stack === "React") {
+    dockerfile = [
+      "FROM node:22-alpine AS builder",
+      "WORKDIR /app",
+      "COPY . .",
+      "RUN if [ -f package.json ]; then npm install && npm cache clean --force; fi",
+      ...run_cmd.map((cmd) => `RUN ${cmd}`),
+      `RUN ${last_cmd}`,
+      "RUN if [ -d \"build\" ]; then mv build /app_output; elif [ -d \"dist\" ]; then mv dist /app_output; else echo \"No build or dist folder found!\" && exit 1; fi",
+      "",
+      "FROM nginx:alpine",
+      "COPY --from=builder /app_output /usr/share/nginx/html",
+      `RUN printf "server {\\n    listen ${port};\\n    location / {\\n        root /usr/share/nginx/html;\\n        index index.html index.htm;\\n        try_files \\$uri \\$uri/ /index.html;\\n    }\\n}" > /etc/nginx/conf.d/default.conf`,
+      `EXPOSE ${port}`,
+    ].join("\n");
   }
   return dockerfile.toString();
 }
+
+export function dockerignore(stack: string): string {
+  const common = [
+    ".git", ".gitignore", ".dockerignore",
+    "*.md", ".DS_Store",
+  ];
+
+  const stackRules: Record<string, string[]> = {
+    Python: ["__pycache__/", "*.pyc", "*.pyo", ".venv/", "dist/", "*.egg-info/"],
+    NodeJS: ["node_modules/", "dist/", ".npm/", "*.log", "coverage/"],
+    Go: ["bin/", "obj/", "*.exe", "*.dll", "*.so", "*.dylib"],
+    Rust: ["target/", "**/*.rs.bk"],
+    React: ["node_modules/", "build/", "dist/", ".npm/", "*.log", "coverage/"],
+  };
+
+  return [...common, ...(stackRules[stack] ?? [])].join("\n") + "\n";
+}

src/frontend/src/components/modal.vue

@@ -65,7 +65,7 @@ export default {
       stack: '',
       build_cmds: '',
       resourceTypes: ['URL', 'PORT', 'GITHUB'],
-      stacks: ['Python', 'NodeJS']
+      stacks: ['Python', 'NodeJS', 'Go', 'Rust', 'React']
     };
   },
   methods: {