Harden security of the app

The following improvements were made:
- Trimmed Dockerfile and added unprivileged user.
- Introduced entrypoint.js for mode switching.
- Hardened all subprocess.run invocations.
- Removed direct exec() usage by sandboxing user code in subprocesses.
- Updated README with secure run instructions and hardened container command.

Author: MrSidims

Dockerfile

@@ -1,28 +1,62 @@
-FROM ubuntu:latest
+# Single-stage Dockerfile using slim Python base
+FROM python:3.11-slim
 
-COPY . ./app
-WORKDIR /app
-
-RUN apt update; apt install -y wget lsb-release software-properties-common gnupg curl ca-certificates
-
-RUN wget -qO- https://apt.llvm.org/llvm.sh | bash -s -- 21
-RUN apt install -y libmlir-21-dev mlir-21-tools 
+# Environment variables
+ENV DEBIAN_FRONTEND=noninteractive \
+    PYTHONUNBUFFERED=1 \
+    PIP_NO_CACHE_DIR=1 \
+    PIP_DEFAULT_TIMEOUT=100 \
+    NEXT_TELEMETRY_DISABLED=1
 
-RUN curl -fsSL https://deb.nodesource.com/setup_20.x | bash -
-RUN apt install -y nodejs
-RUN npm install
+ARG APP_ENV=production
+ENV NODE_ENV=$APP_ENV
 
-RUN add-apt-repository -y ppa:deadsnakes/ppa; apt install -y python3-pip python3.11-venv
-
-RUN python3.11 -m venv mlir_venv
+WORKDIR /app
 
-RUN mlir_venv/bin/pip install --upgrade pip
-RUN mlir_venv/bin/pip install --pre torch-mlir torchvision \
-      --extra-index-url https://download.pytorch.org/whl/nightly/cpu \
-        -f https://github.com/llvm/torch-mlir-release/releases/expanded_assets/dev-wheels
+# Install minimal tooling
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends \
+      ca-certificates wget curl gnupg lsb-release software-properties-common && \
+    rm -rf /var/lib/apt/lists/*
 
-RUN mlir_venv/bin/pip install fastapi uvicorn pytest httpx
+# Add LLVM 21 repository
+RUN wget -qO- https://apt.llvm.org/llvm.sh | bash -s -- 21
 
+# Add Node.js 20 repository and install runtime deps
+RUN curl -fsSL https://deb.nodesource.com/setup_20.x | bash - && \
+    apt-get update && \
+    apt-get install -y --no-install-recommends \
+      libmlir-21-dev mlir-21-tools nodejs && \
+    rm -rf /var/lib/apt/lists/*
+
+# Copy application code
+COPY --chown=10001:10001 . /app
+
+# Install JS dependencies, then install 'concurrently' globally
+RUN npm install && \
+    npm install -g concurrently
+
+# Create Python venv and install Python packages
+RUN python3 -m venv /opt/venv && \
+    /opt/venv/bin/pip install --upgrade pip setuptools wheel && \
+    /opt/venv/bin/pip install --pre torch-mlir torchvision \
+      --extra-index-url=https://download.pytorch.org/whl/nightly/cpu \
+      -f https://github.com/llvm/torch-mlir-release/releases/expanded_assets/dev-wheels && \
+    /opt/venv/bin/pip install fastapi uvicorn pytest httpx
+
+# Create non-root user and fix permissions
+RUN useradd -u 10001 -m --shell /usr/sbin/nologin appuser && \
+    mkdir -p /home/appuser/.cache && \
+    chown -R appuser:appuser /home/appuser/.cache /app
+USER appuser
+
+# Update PATH for venv and LLVM
+ENV PATH="/opt/venv/bin:/usr/lib/llvm-21/bin:$PATH"
+
+# Expose ports and add healthcheck
 EXPOSE 3000 8000
+HEALTHCHECK --interval=30s --timeout=5s --start-period=5s \
+  CMD curl -f http://localhost:8000/health || exit 1
 
-CMD ["npm", "run", "start:all"]
+# Default to interactive shell
+CMD ["/bin/sh"]

README.md

@@ -47,49 +47,89 @@ Current version of the application is tested on Ubuntu 22.04 windows subsystem u
 
 ### Install dependencies
 
-In case of missing prerequisites here are some scripts to help set them up (runs on Debian and its derivatives).
-
+Clone the repository:
 ```bash
 git clone https://github.com/MrSidims/PytorchExplorer.git
 cd PytorchExplorer
+```
+
+Install frontend dependencies:
+```bash
 source setup_frontend.sh
 ```
 
-When you have venv suitable for `torch-mlir` work, install `fastapi`, `uvicorn` etc in venv like this:
+Set up backend (Torch, MLIR, etc.):
+```bash
+source setup_backend.sh
+```
 
+If you already have a working venv for Torch-MLIR, you can just install FastAPI and testing dependencies:
 ```bash
 pip install fastapi uvicorn pytest httpx
 ```
 
-Otherwise here is the script to setup `torch`, `llvm` etc:
+To use custom builds of `torch-mlir-opt`, `mlir-opt`, etc. without placing them in your `$PATH`, configure the following environment variables:
+- `TORCH_MLIR_OPT_PATH`
+- `LLVM_BIN_PATH`
+- `TRITON_OPT_PATH`
 
+### Run the application
 
+#### Development mode (local)
 ```bash
-source setup_backend.sh
+npm run dev:all
 ```
+Then open http://localhost:3000/
 
-If you want to use your builds of the tools like `torch-mlir-opt`, `mlir-opt` etc without placing them in `PATH` please setup `TORCH_MLIR_OPT_PATH` and `LLVM_BIN_PATH` environment variables.
-
-### Run the application
-
+#### Production mode (local)
 ```bash
+npm run build
 npm run start:all
 ```
 
 Then open http://localhost:3000/ in your browser and enjoy!
 
-### Run in a docker
-
-Build image with:
+#### Run in a container (Docker or Podman)
 
+Build the image (change APP_ENV between development/production, default is production):
 ```bash
-docker build -t pytorch_explorer .
+docker build -t pytorch_explorer --build-arg APP_ENV=development .
 ```
 
-Run it:
+Run the container in **production mode**:
 ```bash
 docker run -p 3000:3000 -p 8000:8000 pytorch_explorer
 ```
+Then inside the container:
+```bash
+npm run build
+npm run start:all
+```
+
+To run in **development mode**:
+```bash
+docker run -it --rm \
+  -e NODE_ENV=development \
+  -p 3000:3000 -p 8000:8000 \
+  pytorch_explorer
+```
+Then inside the container:
+```bash
+npm run dev:all
+```
+
+Secure run (in cases, when you don't trust tested samples):
+```bash
+podman run --rm -it \
+  --read-only \
+  --cap-drop=ALL \
+  --security-opt=no-new-privileges \
+  --tmpfs /app/.next:rw,size=256m \
+  -v stored_sessions:/app/StoredSessions:rw \
+  -p8000:8000 -p3000:3000 \
+  -e NODE_ENV=production \
+  pytorch_explorer
+```
 
 ### Run the tests