fix: CTF Makefile audit — resolve 3 critical, 4 high, 8 medium findings#154
Open
t0kubetsu wants to merge 1 commit into
Open
fix: CTF Makefile audit — resolve 3 critical, 4 high, 8 medium findings#154t0kubetsu wants to merge 1 commit into
t0kubetsu wants to merge 1 commit into
Conversation
…gs (#153) Critical fixes: - C1: Replace host-wide `docker system prune` + `docker ps -aq` clean target with scoped `docker compose down --rmi all --volumes --remove-orphans` - C2: Fix wrong SERVICE in CVE-2024-6387 (was openssh-cve-2018-15473) - C3: Fix wrong SERVICE in CVE-2019-11043 (was apache-cve-2021-42013) High fixes: - H1: Eliminate $(shell docker ps -aq) parse-time expansion in all files - H2: Fix stop-debug-build hardcoded 'debug' literal → $(DEBUG_SERVICE) - H3: Scope docker compose build/up to $(SERVICE) in all build targets - H4: Moot — resolved by C1 fix Medium fixes: - M1: Add .PHONY declarations to all 18 Makefiles - M2: Add `print: help` alias (was advertised but missing) - M3: Update vite CVE-2023-34092 SERVICE + compose.yml service name (stale vite-cve-2022-44615 from pre-rename) - M4: Remove dead 5-line commented block from term-debug-build - M5: Fix stop-debug-build comment ("stop only" → "stop and remove") - M6: Set blank_template SERVICE = REPLACE_ME (was tomcat service name) - M7: Fix lpe-01 duplicate help entry; expose make term-user properly - M8: Moot — resolved by C1 fix Low fixes: - L1: Normalize ISSUE header formats to `# ISSUE N` across all files - L2: Standardize term shell to /bin/bash (vite CVEs used /bin/sh) - L3: Remove trailing whitespace on target definition lines
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Resolves all findings from the audit of the 18 CTF lab Makefiles. The
cleantarget was host-destructive, three labs had wrongSERVICEvariables silently targeting sibling exercises, and every file was missing.PHONYdeclarations. All fixes are applied template-first and propagated uniformly.Closes #153
Changes
Critical fixes
cleanblock (docker system prune+docker ps -aq/docker images -q/docker volume ls -q) with scopeddocker compose down --rmi all --volumes --remove-orphans(all 18 files)SERVICEinCVE-2024-6387/Makefile:openssh-cve-2018-15473→openssh-cve-2024-6387SERVICEinCVE-2019-11043/Makefile:apache-cve-2021-42013→php-cve-2019-11043High fixes
$(shell docker ps -aq)/$(shell docker images -q)parse-time expansion (removed with C1)stop-debug-buildhardcodeddebugliteral →$(DEBUG_SERVICE)(all 18 files)docker compose buildanddocker compose up -dto$(SERVICE)in all build/rebuild targets (all 18 files)Medium fixes
.PHONYdeclarations for all targets (all 18 files)print: helpalias (advertised in help text but missing)CVE-2023-34092SERVICEandcompose.ymlservice name:vite-cve-2022-44615→vite-cve-2023-34092term-debug-build(all 18 files)stop-debug-buildcomment:# stop only debug→# stop and remove debugblank_template/MakefileSERVICE = REPLACE_ME(wastomcat-cve-2025-24813— root cause of C2/C3)lpe-01duplicatemake termhelp entry; exposemake term-userproperly with descriptionLow fixes
# ISSUE Nacross all filestermshell to/bin/bash(vite CVEs used/bin/sh)Files Changed
cve/blank_template/MakefileSERVICE = REPLACE_MEcve/network/openssh/CVE-2024-6387/Makefilecve/web/php/CVE-2019-11043/Makefilecve/web/vite/CVE-2023-34092/Makefilecve/web/vite/CVE-2023-34092/compose.ymlmisconfiguration/system/lpe-01/Makefileterm-userTesting
Each Makefile was validated by grep assertions:
.PHONYpresent in all 18 ✓docker system pruneabsent in all 18 ✓docker compose build(unscoped) absent in all 18 ✓rm -sf debugliteral absent in all 18 ✓print: helppresent in all 18 ✓