#9480: fix: Docker build runs unverified remote Bun installer
Labels: scripts, docker, stale
Cluster: Docker Enhancements and Fixes
## Fix Summary
The Docker build executes `curl | bash` against `https://bun.sh/install` without pinning a version or verifying integrity. This occurs in the production `Dockerfile` and in the sandbox image builder script, enabling a compromised installer or MITM to execute arbitrary code during image builds.
## Issue Linkage
Fixes #9479
## Security Snapshot
- CVSS v3.1: 9.4 (Critical)
- CVSS v4.0: 9.3 (Critical)
## Implementation Details
### Files Changed
- `Dockerfile` (+12/-1)
- `scripts/sandbox-common-setup.sh` (+12/-1)
### Technical Analysis
Piping `https://bun.sh/install` straight into `bash` at image-build time trusts whatever that URL serves at the moment of the build: there is no version pin, so two builds can pull different installers, and no integrity check, so a compromised installer host or an on-path attacker who can break the TLS connection gets arbitrary code execution inside the build (and therefore inside the resulting image). Because the same pattern appears in the production `Dockerfile` and in `scripts/sandbox-common-setup.sh`, both the shipped image and the sandbox images are affected. The fix replaces the remote installer in both files with a download of a specific Bun GitHub release asset whose SHA256 is verified before it is extracted and installed, so a modified or substituted archive fails the build instead of being executed.
## Validation Evidence
- Command: `curl | bash`
- Status: failed
## Risk and Compatibility
Non-breaking; compatibility impact was not explicitly documented in the original PR body.
## AI-Assisted Disclosure
AI-assisted: Codex CLI. This fix was generated with AI assistance (Codex CLI).
<!-- greptile_comment -->
<h2>Greptile Overview</h2>
<h3>Greptile Summary</h3>
Replaces the Docker build-time Bun install from `curl | bash` against `https://bun.sh/install` with a pinned Bun GitHub release download plus SHA256 verification, both in the production `Dockerfile` and the sandbox image builder script. This reduces supply-chain/MITM exposure during image builds by verifying the artifact before installing it.
<h3>Confidence Score: 2/5</h3>
- This PR should not be merged yet due to a deterministic Bun install failure in both build paths.
- Both the production Dockerfile and sandbox builder assume the Bun zip extracts into `/tmp/bun-linux-x64/bun`, which will cause `install` to fail if the release archive contains the binary at `/tmp/bun-linux-x64` (the usual layout for bun-linux-x64.zip). Until the install path is corrected, Docker/sandbox builds with Bun enabled will break.
- Dockerfile; scripts/sandbox-common-setup.sh
<!-- /greptile_comment -->
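The pattern the Technical Analysis describes (pinned release download, SHA256 check, fail closed on mismatch) and the archive-layout concern raised in the review above, as an added shell example. This is not the PR's own diff: the version, the expected digest, the `bun-v<version>` tag and `bun-linux-x64.zip` asset naming, and the use of GNU `sha256sum` are assumptions, and `BUN_SHA256` is meant to be filled in from the checksum list published with the release rather than computed from the downloaded file. The binary is located with `find` so that it works whether the zip unpacks to `bun-linux-x64/bun` or to a flat `bun`.

```shell
#!/bin/sh
# Added example, not the project's code: install a pinned Bun release from
# GitHub only after its SHA256 matches a digest recorded in the build.
# Assumed (not from the PR): release URL layout, tag naming, GNU coreutils.

# Compare the SHA256 of file $1 with the expected hex digest $2.
# On mismatch the file is removed so a later build step cannot use it.
verify_sha256() {
  file="$1"
  expected="$2"
  actual="$(sha256sum "$file" | cut -d' ' -f1)"
  if [ "$actual" != "$expected" ]; then
    echo "SHA256 mismatch for $file: expected $expected, got $actual" >&2
    rm -f "$file"
    return 1
  fi
  return 0
}

# Print the path of the extracted bun binary under directory $1.
# Accepts both <dir>/bun-linux-x64/bun and a flat <dir>/bun layout.
locate_bun_binary() {
  dir="$1"
  found="$(find "$dir" -type f -name bun | head -n 1)"
  [ -n "$found" ] || { echo "no bun binary under $dir" >&2; return 1; }
  printf '%s\n' "$found"
}

# Download, verify, extract and install. Any failing step aborts the build.
install_bun() {
  version="$1"   # e.g. 1.1.0 (assumed value; pin it as a Dockerfile ARG)
  expected="$2"  # digest copied from the release's published checksum list
  url="https://github.com/oven-sh/bun/releases/download/bun-v${version}/bun-linux-x64.zip"
  work="$(mktemp -d)"
  # --proto '=https' refuses any redirect to plain http; -f fails on HTTP errors.
  curl --proto '=https' --tlsv1.2 -fsSL -o "$work/bun.zip" "$url"
  verify_sha256 "$work/bun.zip" "$expected"
  unzip -q "$work/bun.zip" -d "$work/extract"
  bin="$(locate_bun_binary "$work/extract")"
  install -m 0755 "$bin" /usr/local/bin/bun
  rm -rf "$work"
}

# Only touch the network when explicitly invoked, e.g.
#   sh install-bun.sh install 1.1.0 <sha256 from the release checksum list>
if [ "${1:-}" = "install" ]; then
  install_bun "$2" "$3"
fi
```

In a Dockerfile the version and digest belong in `ARG` instructions and the download, verification and install should stay in one `RUN` line so a mismatch fails the layer rather than leaving a partially built image; updating Bun then means changing two values that a reviewer can check against the upstream release page.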
## Most Similar PRs
| PR | Author | Date | Similarity |
|---|---|---|---|
| #11818: fix(docker): resolve build hang by using in-place ownership and opt... | dilly | 2026-02-08 | 78.9% |
| #19172: fix(docker): prevent HTTPS downgrade in curl commands | govind-amt | 2026-02-17 | 75.3% |
| #13953: feat(docker): add .env template and improve Dockerfile | n24q02m | 2026-02-11 | 75.1% |
| #12033: feat(docker): add linux/riscv64 image to Docker release | gounthar | 2026-02-08 | 74.4% |
| #17123: Add Cloud Run deployment guide and Bun version pinning | optiflow | 2026-02-15 | 73.3% |
| #8161: fix(sandbox): block dangerous environment variables from Docker con... | yubrew | 2026-02-03 | 72.4% |
| #22250: ci: pin GitHub Actions to SHA and harden Dockerfiles | novalis133 | 2026-02-20 | 72.2% |
| #8186: fix(sandbox): validate setupCommand to prevent shell injection | yubrew | 2026-02-03 | 72.2% |
| #10174: fix(docker): exclude .env files from Docker build context | coygeek | 2026-02-06 | 71.9% |
| #2609: bugfix: Docker build fails on main: .dockerignore excludes required... | yanquankun | 2026-01-27 | 70.8% |