fix(security): Upgrade Go runner to 1.26, fix Python CVEs, harden remaining DHI images

docker/bash.Dockerfile

@@ -97,6 +97,7 @@ RUN apt-get update && \
     gawk \
     findutils \
     jq \
+    bc \
     ca-certificates \
     # --- python (interpreter; lib stack installed via pip below) ---
     # No apt python3-numpy/pandas/etc. — they pull liblapack3 +
@@ -180,6 +181,9 @@ RUN python3 -m pip install --break-system-packages --no-cache-dir \
     && apt-get clean \
     && rm -rf /var/lib/apt/lists/* /tmp/*
 
+# yq — YAML/JSON/XML/TOML processor (static Go binary, no system deps)
+ADD --chmod=755 https://github.com/mikefarah/yq/releases/download/v4.53.2/yq_linux_amd64 /usr/local/bin/yq
+
 WORKDIR /mnt/data
 
 USER 65532

docker/c-cpp.Dockerfile

@@ -20,17 +20,13 @@ LABEL org.opencontainers.image.title="KubeCodeRun C/C++ Environment" \
 # Enable pipefail for safer pipe operations
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
-# Install compilers, development tools and scientific libraries
+# Install compilers, development tools and libraries
 RUN apt-get update && \
     DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
     gcc \
     g++ \
     make \
     cmake \
-    # Math and science libraries
-    libgsl-dev \
-    libblas-dev \
-    liblapack-dev \
     # File handling libraries
     libzip-dev \
     zlib1g-dev \

docker/fortran.Dockerfile

@@ -1,6 +1,10 @@
 # syntax=docker/dockerfile:1
 # Fortran execution environment with Docker Hardened Images.
-# Uses -dev variant because compilers and dev libraries must be available at runtime.
+#
+# DHI ships gcc-14-base=14.2.0-19dhi0 which conflicts with stock Debian's
+# gfortran → libgfortran5 → gcc-14-base (= 14.2.0-19) dependency chain.
+# Solution: use equivs to create a dummy package satisfying the version
+# constraint, then install gfortran-12 normally via apt.
 
 ARG RUNNER_IMAGE=ghcr.io/aron-muon/kubecoderun-runner:latest
 FROM ${RUNNER_IMAGE} AS runner
@@ -20,17 +24,22 @@ LABEL org.opencontainers.image.title="KubeCodeRun Fortran Environment" \
 # Enable pipefail for safer pipe operations
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
-# Install Fortran compiler and scientific libraries
+# Install gfortran-12 via equivs dummy package to resolve DHI gcc-14-base conflict
 RUN apt-get update && \
+    DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends equivs && \
+    printf 'Section: misc\nPriority: optional\nStandards-Version: 3.9.2\nPackage: gcc-14-base-dummy\nVersion: 14.2.0-19\nProvides: gcc-14-base (= 14.2.0-19)\nDescription: Satisfies gcc-14-base version constraint on DHI\n' > /tmp/gcc-14-base-dummy && \
+    cd /tmp && equivs-build gcc-14-base-dummy && \
+    dpkg -i gcc-14-base-dummy_14.2.0-19_all.deb && \
     DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
-    gfortran \
+    gfortran-12 \
     cmake \
     make \
-    libblas-dev \
-    liblapack-dev \
-    libnetcdf-dev \
-    libhdf5-dev \
-    && rm -rf /var/lib/apt/lists/*
+    && apt-get purge -y equivs && \
+    apt-get autoremove -y && \
+    rm -rf /var/lib/apt/lists/* /tmp/*.deb /tmp/gcc-14-base-dummy
+
+# Create symlink so 'gfortran' command works
+RUN mkdir -p /usr/local/bin && ln -sf /usr/bin/gfortran-12 /usr/local/bin/gfortran
 
 RUN mkdir -p /mnt/data && chown 65532:65532 /mnt/data
 

docker/php.Dockerfile

@@ -1,96 +1,105 @@
 # syntax=docker/dockerfile:1
 # PHP execution environment with Docker Hardened Images.
-
-# PHP version configuration - single source of truth
-# These must be declared before any FROM to be available in all stages.
-ARG PHP_VERSION=8.5.6
-ARG PHP_MAJOR=8.5
-ARG DEBIAN_VERSION=debian13
+# Strategy: Copy PHP from DHI PHP image into DHI debian-base where equivs
+# works correctly for installing dev dependencies needed to compile extensions.
 
 ARG RUNNER_IMAGE=ghcr.io/aron-muon/kubecoderun-runner:latest
 FROM ${RUNNER_IMAGE} AS runner
 
-ARG BUILD_DATE
-ARG VERSION
-ARG VCS_REF
+# Source for PHP binaries
+FROM dhi.io/php:8.5.6-debian13-dev AS php-source
 
 ################################
-# Builder stage - install Composer and packages
+# Main image based on debian-base (equivs works here for gcc-14-base conflict)
 ################################
-FROM dhi.io/php:${PHP_VERSION}-${DEBIAN_VERSION}-dev AS builder
+FROM dhi.io/debian-base:trixie-debian13-dev
+
+ARG BUILD_DATE
+ARG VERSION
+ARG VCS_REF
 
-# Re-declare ARGs needed in this stage
-ARG PHP_VERSION
-ARG PHP_MAJOR
+LABEL org.opencontainers.image.title="KubeCodeRun PHP Environment" \
+      org.opencontainers.image.description="Secure execution environment for PHP code" \
+      org.opencontainers.image.version="${VERSION}" \
+      org.opencontainers.image.created="${BUILD_DATE}" \
+      org.opencontainers.image.revision="${VCS_REF}"
 
-# Enable pipefail for safer pipe operations
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
-# PHP paths in DHI image
-# DHI installs PHP at /opt/php-<major.minor>, we create /opt/php symlink for version-agnostic paths
-ENV PHP_VERSIONED_HOME=/opt/php-${PHP_MAJOR}
-ENV PHP_HOME=/opt/php
-ENV PHP_BIN=${PHP_VERSIONED_HOME}/bin/php
-ENV PHP_CONFIG=${PHP_VERSIONED_HOME}/bin/php-config
-ENV PHP_IZE=${PHP_VERSIONED_HOME}/bin/phpize
-ENV PECL=${PHP_VERSIONED_HOME}/bin/pecl
-ENV PHP_INI_DIR=${PHP_VERSIONED_HOME}/etc/conf.d
-
-# Install build dependencies for PHP extensions and Composer packages
+# Copy PHP installation from DHI PHP image
+COPY --from=php-source /opt/php-8.5 /opt/php-8.5
+# Copy shared libraries PHP depends on (avoids chasing individual packages)
+COPY --from=php-source /usr/lib/x86_64-linux-gnu/libargon2.so* /usr/lib/x86_64-linux-gnu/
+COPY --from=php-source /usr/lib/x86_64-linux-gnu/libsodium.so* /usr/lib/x86_64-linux-gnu/
+COPY --from=php-source /usr/lib/x86_64-linux-gnu/libicu*.so* /usr/lib/x86_64-linux-gnu/
+COPY --from=php-source /usr/lib/x86_64-linux-gnu/libonig.so* /usr/lib/x86_64-linux-gnu/
+
+# Put PHP in PATH for build steps
+ENV PATH="/opt/php-8.5/bin:${PATH}"
+
+# Install build deps for PHP extensions (GD, zip) + runtime deps + Composer prereqs
+# DHI ships gcc-14-base=14.2.0-19dhi0; equivs dummy satisfies stock deps needing =14.2.0-19
 RUN apt-get update && \
+    DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends equivs && \
+    printf 'Section: misc\nPriority: optional\nStandards-Version: 3.9.2\nPackage: gcc-14-base-dummy\nVersion: 14.2.0-19\nProvides: gcc-14-base (= 14.2.0-19)\nDescription: Satisfies gcc-14-base version constraint on DHI\n' > /tmp/gcc-14-base-dummy && \
+    cd /tmp && equivs-build gcc-14-base-dummy && \
+    dpkg -i gcc-14-base-dummy_14.2.0-19_all.deb && \
     DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
-    # Build tools
-    gcc \
-    g++ \
+    # Build deps for extensions
     make \
+    gcc \
     autoconf \
     pkg-config \
-    # GD dependencies
     libpng-dev \
     libjpeg-dev \
-    libfreetype6-dev \
-    # Zip dependencies
+    libfreetype-dev \
     libzip-dev \
+    libonig-dev \
     libpcre2-dev \
-    # Other tools
+    # Runtime deps for PHP binary (apt provides transitive deps for curl/ssl/xml/etc)
+    libcurl4t64 \
+    libssl3t64 \
+    libxml2 \
+    libsqlite3-0 \
+    libreadline8t64 \
+    libgmp10 \
+    libzip5 \
+    libonig5 \
+    # Composer prereqs
     unzip \
-    wget \
+    curl \
     ca-certificates \
-    && apt-get autoremove -y \
-    && apt-get clean \
-    && rm -rf /var/lib/apt/lists/*
-
-# Install extensions:
-# - zip via PECL
-# - gd from PHP source (bundled extension, must compile)
-# Use php-config --extension-dir to dynamically get the correct path
-RUN set -eux; \
-    # Update PECL channel
-    $PECL channel-update pecl.php.net; \
-    # Install zip via PECL
-    $PECL install zip; \
-    # Download PHP source for GD (bundled extension)
-    wget -q "https://www.php.net/distributions/php-${PHP_VERSION}.tar.xz" -O /tmp/php.tar.xz; \
-    cd /tmp && tar -xf php.tar.xz; \
-    # Build GD extension
-    cd /tmp/php-${PHP_VERSION}/ext/gd; \
-    $PHP_IZE; \
-    ./configure --with-php-config=$PHP_CONFIG --with-freetype --with-jpeg; \
-    make -j"$(nproc)"; \
-    make install; \
-    # Clean up source
-    rm -rf /tmp/php*; \
-    # Create extension configuration dynamically
-    EXT_DIR=$($PHP_CONFIG --extension-dir); \
-    mkdir -p $PHP_INI_DIR; \
-    echo "extension_dir=${EXT_DIR}" > $PHP_INI_DIR/extensions.ini; \
-    echo "extension=zip.so" >> $PHP_INI_DIR/extensions.ini; \
-    echo "extension=gd.so" >> $PHP_INI_DIR/extensions.ini; \
-    # Create version-agnostic symlink: /opt/php -> /opt/php-<major.minor>
-    ln -sf $PHP_VERSIONED_HOME /opt/php
+    && rm -rf /var/lib/apt/lists/* /tmp/*.deb /tmp/gcc-14-base-dummy
+
+# Compile GD extension with JPEG/PNG/Freetype support
+RUN ldconfig && \
+    which php && php -v && \
+    cd /tmp && \
+    php_src_version=$(php -r 'echo PHP_VERSION;') && \
+    PHP_INI_DIR=$(php --ini | grep "Scan for additional" | sed 's/.*: //' | tr -d ' "') && \
+    mkdir -p "${PHP_INI_DIR}" && \
+    curl -sSL "https://github.com/php/php-src/archive/refs/tags/php-${php_src_version}.tar.gz" | tar xz && \
+    cd "php-src-php-${php_src_version}/ext/gd" && \
+    phpize && \
+    ./configure --with-jpeg --with-png --with-freetype && \
+    make -j"$(nproc)" && make install && \
+    echo "extension=gd.so" > "${PHP_INI_DIR}/20-gd.ini" && \
+    cd /tmp && rm -rf php-src-*
+
+# Compile zip extension
+RUN cd /tmp && \
+    php_src_version=$(php -r 'echo PHP_VERSION;') && \
+    PHP_INI_DIR=$(php --ini | grep "Scan for additional" | sed 's/.*: //' | tr -d ' "') && \
+    mkdir -p "${PHP_INI_DIR}" && \
+    curl -sSL "https://github.com/php/php-src/archive/refs/tags/php-${php_src_version}.tar.gz" | tar xz && \
+    cd "php-src-php-${php_src_version}/ext/zip" && \
+    phpize && \
+    ./configure && \
+    make -j"$(nproc)" && make install && \
+    echo "extension=zip.so" > "${PHP_INI_DIR}/20-zip.ini" && \
+    cd /tmp && rm -rf php-src-*
 
 # Install Composer with signature verification
-# Create /usr/local/bin since DHI images don't have it
 RUN mkdir -p /usr/local/bin && \
     EXPECTED_CHECKSUM="$(php -r 'copy("https://composer.github.io/installer.sig", "php://stdout");')" && \
     php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');" && \
@@ -103,17 +112,11 @@ RUN mkdir -p /usr/local/bin && \
     php composer-setup.php --install-dir=/usr/local/bin --filename=composer && \
     rm composer-setup.php
 
-# Create composer directory structure
+# Create composer directory and install packages
 RUN mkdir -p /opt/composer/global
-
-# Set composer home and PHP_INI_SCAN_DIR for extension loading
 ENV COMPOSER_HOME=/opt/composer/global
-ENV PHP_INI_SCAN_DIR=${PHP_INI_DIR}
-
-# Verify extensions are loaded
-RUN php -m | grep -E "^(gd|zip)$"
 
-# Pre-install PHP packages globally with cache mount
+# Pre-install PHP packages globally
 RUN --mount=type=cache,target=/opt/composer/global/cache \
     composer global require \
     league/csv \
@@ -128,81 +131,41 @@ RUN --mount=type=cache,target=/opt/composer/global/cache \
     symfony/console \
     --optimize-autoloader && \
     # Auto-include Composer autoloader so packages work without manual require
-    echo "auto_prepend_file=/opt/composer/global/vendor/autoload.php" >> $PHP_INI_DIR/autoload.ini
-
-################################
-# Runtime dependencies stage - install runtime libraries
-################################
-ARG PHP_VERSION
-ARG DEBIAN_VERSION
-FROM dhi.io/php:${PHP_VERSION}-${DEBIAN_VERSION}-dev AS runtime-deps
-
-SHELL ["/bin/bash", "-o", "pipefail", "-c"]
-
-# Install ONLY runtime dependencies (no -dev packages)
-# Create both arch lib dirs to ensure COPY works on either architecture
-RUN mkdir -p /usr/lib/x86_64-linux-gnu /usr/lib/aarch64-linux-gnu && \
-    apt-get update && \
-    DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
-    # Runtime libraries for gd extension
-    libpng16-16t64 \
-    libjpeg62-turbo \
-    libfreetype6 \
-    # Runtime library for zip extension
-    libzip5 \
-    && apt-get autoremove -y \
-    && apt-get clean \
-    && rm -rf /var/lib/apt/lists/* \
-    && mkdir -p /mnt/data && chmod 777 /mnt/data && touch /mnt/data/.keep
-
-################################
-# Final stage - minimal runtime image
-################################
-ARG PHP_VERSION
-ARG PHP_MAJOR
-ARG DEBIAN_VERSION
-FROM dhi.io/php:${PHP_VERSION}-${DEBIAN_VERSION} AS final
-
-# Re-declare ARGs needed in this stage (PHP_MAJOR used in COPY commands)
-ARG PHP_MAJOR
-ARG BUILD_DATE
-ARG VERSION
-ARG VCS_REF
-
-LABEL org.opencontainers.image.title="KubeCodeRun PHP Environment" \
-      org.opencontainers.image.description="Secure execution environment for PHP code" \
-      org.opencontainers.image.version="${VERSION}" \
-      org.opencontainers.image.created="${BUILD_DATE}" \
-      org.opencontainers.image.revision="${VCS_REF}"
+    PHP_INI_DIR=$(php --ini | grep "Scan for additional" | sed 's/.*: //' | tr -d ' "') && \
+    mkdir -p "${PHP_INI_DIR}" && \
+    echo "auto_prepend_file=/opt/composer/global/vendor/autoload.php" > "${PHP_INI_DIR}/99-autoload.ini"
 
-# Copy runtime libraries from runtime-deps stage
-COPY --from=runtime-deps /usr/lib/x86_64-linux-gnu /usr/lib/x86_64-linux-gnu
-COPY --from=runtime-deps /usr/lib/aarch64-linux-gnu /usr/lib/aarch64-linux-gnu
-
-# Copy PHP installation from builder
-# /opt/php is a symlink to the versioned dir, provides version-agnostic paths
-COPY --from=builder /opt/php-${PHP_MAJOR}/lib/php/extensions/ /opt/php-${PHP_MAJOR}/lib/php/extensions/
-COPY --from=builder /opt/php-${PHP_MAJOR}/etc/conf.d/ /opt/php-${PHP_MAJOR}/etc/conf.d/
-COPY --from=builder /opt/php /opt/php
-
-# Copy pre-installed composer packages with correct ownership
-COPY --from=builder --chown=65532:65532 /opt/composer/global /opt/composer/global
-
-# Copy /usr/bin/env for ENTRYPOINT
-COPY --from=runtime-deps /usr/bin/env /usr/bin/
+# Clean up build deps to reduce image size
+RUN apt-get purge -y \
+    make \
+    gcc \
+    autoconf \
+    pkg-config \
+    equivs \
+    libpng-dev \
+    libjpeg-dev \
+    libfreetype-dev \
+    libzip-dev \
+    libonig-dev \
+    libpcre2-dev \
+    && apt-get autoremove -y && \
+    rm -rf /var/lib/apt/lists/* /etc/apt/preferences.d/no-stock-gcc && \
+    ldconfig
 
 # Copy runner binary for code execution
 COPY --from=runner /runner /usr/local/bin/runner
 
+RUN mkdir -p /mnt/data && chown 65532:65532 /mnt/data
+
 WORKDIR /mnt/data
 
+USER 65532
+
 # Sanitized environment via env -i
-# Use /opt/php symlink for version-agnostic paths
 ENTRYPOINT ["/usr/bin/env", "-i", \
-    "PATH=/opt/composer/global/vendor/bin:/opt/php/bin:/usr/bin:/bin", \
+    "PATH=/opt/composer/global/vendor/bin:/opt/php-8.5/bin:/usr/local/bin:/usr/bin:/bin", \
     "HOME=/tmp", \
     "TMPDIR=/tmp", \
     "COMPOSER_HOME=/opt/composer/global", \
-    "PHP_INI_SCAN_DIR=/opt/php/etc/conf.d", \
     "LANGUAGE=php"]
 CMD ["/usr/local/bin/runner"]