From cbfb8432f80d3aeef4deb36ab22fd060c0776450 Mon Sep 17 00:00:00 2001
From: Myzel394 <50424412+Myzel394@users.noreply.github.com>
Date: Sat, 11 Nov 2023 00:27:15 +0100
Subject: [PATCH] fix: Harden Dockerfile
---
 .dockerignore | 5 +++++
 Dockerfile | 21 +++++++++++++--------
 2 files changed, 18 insertions(+), 8 deletions(-)
 create mode 100644 .dockerignore
diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 00000000..26043ad7
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,5 @@
+node_modules
+.gitignore
+Dockerfile
+README.md
+docs
diff --git a/Dockerfile b/Dockerfile
index b3064281..6b53a66a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,15 +1,20 @@
-FROM node:18-bullseye-slim
+FROM node:20-slim
 WORKDIR /app
+EXPOSE 9000
 RUN apt-get update
 RUN apt-get install -y git
-RUN rm -rf /var/lib/apt/lists/*
-
-COPY package*.json ./
-RUN npm install
-
-RUN git clone -n https://github.com/wukko/cobalt.git --depth 1 && mv cobalt/.git ./ && rm -rf cobalt
+RUN apt-get install -y git
 COPY . .
-EXPOSE 9000
+
+RUN npm install
+
+# Drop privileges
+RUN groupadd cobalt && useradd -g cobalt cobalt
+RUN chown -R cobalt:cobalt /app
+RUN chmod -R 755 /app
+
+USER cobalt
+
 CMD [ "node", "src/cobalt" ]
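Review bot: The ignore list does not cover local secret or configuration files, while the Dockerfile in this same patch copies the whole build context with `COPY . .`. If the working tree can hold a `.env` or similar file, it would end up in an image layer and stay readable to anyone who pulls the image. Adding `.env` and `.dockerignore` to the list would close that. `.git` looks deliberately kept, since the removed `git clone … mv cobalt/.git ./` step suggests the app reads it at runtime, but that is an inference from the diff and worth confirming.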
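Review bot: `RUN chown -R cobalt:cobalt /app` gives the unprivileged user ownership of the application code and `node_modules`, so a compromised node process could still rewrite the code it runs. Leaving the tree root-owned and only readable by `cobalt` makes the `USER cobalt` drop more effective, assuming the app does not need to write under /app, which the hunk does not show. The hunk also adds a second `RUN apt-get install -y git` directly after the existing one and removes `rm -rf /var/lib/apt/lists/*`, so the package index stays in the image and `apt-get update` keeps its own cached layer. `FROM node:20-slim` is a floating tag; pinning the Debian release or a digest would keep rebuilds reproducible.

```dockerfile
# One layer: the index is fetched, used and removed together
RUN apt-get update \
    && apt-get install -y git \
    && rm -rf /var/lib/apt/lists/*

# … unchanged: COPY . . and RUN npm install …

# Drop privileges: /app stays root-owned, the runtime user can read but not modify it
RUN groupadd cobalt && useradd -g cobalt cobalt
RUN chmod -R a=rX,u+w /app

USER cobalt
```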