Skip to content

Refactor for security and modularity #9

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Refactor for security and modularity #9

wants to merge 2 commits into from

Conversation

abhishek-anand
Copy link
Collaborator

No description provided.

@mkagenius
Copy link
Collaborator

/gemini review

gemini-code-assist[bot]
gemini-code-assist bot reviewed Sep 9, 2025
View reviewed changes
Copy link

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces significant improvements by refactoring the code for better modularity and adding cross-platform support. The introduction of a non-root user in the Docker container is a good security enhancement. However, this change has introduced some critical permission issues in the Docker setup that will cause the application to fail at runtime. I've added two critical comments with details on the issues and suggestions for fixing them. Once these are addressed, this will be an excellent update.

Dockerfile
Comment on lines +101 to +102
RUN useradd -ms /bin/bash coderunner

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

critical

The newly created coderunner user needs write permissions for directories within /app, such as /app/jupyter_runtime, which are currently owned by root. Without this, the Jupyter server may fail at runtime. Please change the ownership of the /app directory after creating the user.

RUN useradd -ms /bin/bash coderunner
RUN chown -R coderunner:coderunner /app

install.sh
Comment on lines +83 to +86
docker run -d --rm --name coderunner \
-p 8222:8222 \
-v "$ASSETS_SRC:/app/uploads" \
instavm/coderunner
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

critical

There's a critical permission issue with the mounted volume. The /app/uploads directory inside the container will be owned by the host user's UID/GID, but the processes inside the container run as the coderunner user, which likely has a different UID. This will prevent the application and Jupyter from writing files to the shared directory, causing runtime failures.

A common solution is to handle this at container startup. For example, the entrypoint script could be run as root to chown the mounted directory, and then switch to the coderunner user before executing the main application.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should revert this commit. Or maybe I will handle it in a new PR soon.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mkagenius mkagenius Awaiting requested review from mkagenius

1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@abhishek-anand @mkagenius