From ff9b6455fc700f070c0967d69122db0ac7f54e86 Mon Sep 17 00:00:00 2001
From: dan <dan@mesoform.com>
Date: Tue, 31 Mar 2026 00:07:07 +0200
Subject: [PATCH 1/2] Upgrades postgres image to version 14.22

---
 Dockerfile | 101 ++++++++++++++++++++++++++++-------------------------
 1 file changed, 54 insertions(+), 47 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 7db0263..dcc59de 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,62 +1,69 @@
-FROM golang:1.24-alpine AS builder
+FROM golang:1.22-alpine AS builder
 
 ENV WALG_VERSION=v1.1
 
-ENV _build_deps="wget cmake git build-base bash"
-
-RUN set -ex  \
-     && apk add --no-cache $_build_deps \
-     && git clone https://github.com/wal-g/wal-g/  $GOPATH/src/wal-g \
-     && cd $GOPATH/src/wal-g/ \
-     && git checkout $WALG_VERSION \
-     # Resolves vulnerability CVE-2021-38561 - Out-of-bounds Read
-     && go get golang.org/x/text@v0.3.7 \
-     # Resolves vulnerabilities CVE-2023-44487, CVE-2021-44716, CVE-2022-41723 & CVE-2022-27664 - Denial of Service (DoS)
-     # Resolves vulnerability CVE-2023-45288 & CVE-2023-39325- Allocation of Resources Without Limits or Throttling
-     && go get golang.org/x/net/http2@v0.34.0 \
-     # Resolves vulnerability CVE-2023-44487 - Denial of Service (DoS)
-     && go get google.golang.org/grpc@v1.71.1 \
-     # Resolves vulnerability CVE-2025-22868 - Allocation of Resources Without Limits or Throttling
-     && go get golang.org/x/oauth2@v0.28.0 \
-     # Resolves vulnerability CVE-2024-27304 - SQL Injection \
-     && go get github.com/dgrijalva/jwt-go/v4@v4.0.0-preview1 \
-     # Resolves vulnerability CVE-2024-45337 - Incorrect Implementation of Authentication Algorithm
-     # Resolves vulnerability CVE-2025-22869 - Allocation of Resources Without Limits or Throttling
-     # Resolves vulnerability CVE-2020-29652 - NULL Pointer Dereference
-     # Resolves vulnerability CVE-2021-43565 - Denial of Service (DoS)
-     && go get -u golang.org/x/crypto@v0.35.0 \
-     # Update all dependencies safely
-     && go mod tidy \
-     && go mod download \
-     && make install \
-     && make deps \
-     && make pg_build \
-     && install main/pg/wal-g / \
-     && /wal-g --help
-
-FROM postgres:14.19-alpine3.21
-
-# Upgrade vulnerable packages libxml2, libxslt, icu-data-full and icu-libs
-RUN apk upgrade --no-cache libxml2 libxslt icu-data-full icu-libs
-
-RUN apk add --update iputils htop curl busybox-suid jq \
-    && curl -sOL https://cronitor.io/dl/linux_amd64.tar.gz \
-    && tar xvf linux_amd64.tar.gz -C /usr/bin/ \
-    && rm linux_amd64.tar.gz
-
-# Copy compiled wal-g binary from builder
-COPY --from=builder /wal-g /usr/local/bin
+RUN set -eux; \
+    apk add --no-cache \
+        git \
+        make \
+        bash \
+        build-base \
+        cmake; \
+    \
+    git clone https://github.com/wal-g/wal-g.git /go/src/wal-g; \
+    cd /go/src/wal-g; \
+    git checkout $WALG_VERSION; \
+    \
+    go mod download; \
+    go mod tidy; \
+    \
+    make install; \
+    make deps; \
+    make pg_build; \
+    \
+    install main/pg/wal-g /wal-g; \
+    /wal-g --help
 
+# -----------------------------
+# Runtime image (Postgres base)
+# -----------------------------
+FROM postgres:14.22-alpine3.23
+
+# Fix CVEs in base Alpine packages where applicable
+RUN apk upgrade --no-cache
+
+# Install runtime tools
+RUN apk add --no-cache \
+    iputils \
+    htop \
+    curl \
+    busybox-suid \
+    jq
+
+# Install cronitor
+RUN curl -sSL https://cronitor.io/dl/linux_amd64.tar.gz -o /tmp/cronitor.tar.gz \
+    && tar xvf /tmp/cronitor.tar.gz -C /usr/bin/ \
+    && rm -f /tmp/cronitor.tar.gz
+
+# Copy wal-g binary
+COPY --from=builder /wal-g /usr/local/bin/wal-g
+
+# -----------------------------
+# Scripts
+# -----------------------------
 # Add replication and WAL-G backup scripts
 RUN mkdir -p /usr/local/scripts
+
 COPY scripts/setup-master.sh /docker-entrypoint-initdb.d/
 COPY scripts/setup-slave.sh /docker-entrypoint-initdb.d/
+
 RUN chown -R root:postgres /docker-entrypoint-initdb.d/ \
     && chmod -R 775 /docker-entrypoint-initdb.d
 
 # Add WAL-G backup script
 COPY scripts/walg_caller.sh /usr/local/scripts/
 COPY scripts/base_backup.sh /usr/local/scripts/
+
 RUN chown -R root:postgres /usr/local/scripts \
     && chmod -R 775 /usr/local/scripts
 
@@ -64,11 +71,11 @@ RUN chown -R root:postgres /usr/local/scripts \
 COPY scripts/entrypoint.sh /
 RUN chmod +x /entrypoint.sh
 
-# Add cron permissions to postgres user
+# Fix cron permissions
 RUN chown -R root:postgres /etc/crontabs/root \
     && chmod g+rw /etc/crontabs/root
 
 ENTRYPOINT ["/bin/bash", "/entrypoint.sh"]
 CMD ["postgres"]
 
-VOLUME ["/var/run/postgresql", "/usr/share/postgresql/", "/var/lib/postgresql/data", "/tmp"]
+VOLUME ["/var/run/postgresql", "/usr/share/postgresql/", "/var/lib/postgresql/data", "/tmp"]
\ No newline at end of file

From b1ef0ae38a597a5af1e9b05b8ba2bd49d22d173e Mon Sep 17 00:00:00 2001
From: dan <dan@mesoform.com>
Date: Tue, 31 Mar 2026 00:27:14 +0200
Subject: [PATCH 2/2] Upgrades postgres image to version 14.22

---
 Dockerfile | 35 +++++++++++++++++++++++------------
 1 file changed, 23 insertions(+), 12 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index dcc59de..20c9001 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,10 @@
+# -----------------------------
+# Builder stage
+# -----------------------------
 FROM golang:1.22-alpine AS builder
 
 ENV WALG_VERSION=v1.1
+ENV GOPATH=/go
 
 RUN set -eux; \
     apk add --no-cache \
@@ -8,15 +12,21 @@ RUN set -eux; \
         make \
         bash \
         build-base \
-        cmake; \
-    \
-    git clone https://github.com/wal-g/wal-g.git /go/src/wal-g; \
-    cd /go/src/wal-g; \
+        cmake
+
+# Fetch WAL-G source
+RUN git clone https://github.com/wal-g/wal-g.git $GOPATH/src/wal-g
+
+WORKDIR $GOPATH/src/wal-g
+
+RUN set -eux; \
     git checkout $WALG_VERSION; \
     \
+    # Deterministic dependency resolution (modern Go approach)
     go mod download; \
     go mod tidy; \
     \
+    # Build WAL-G
     make install; \
     make deps; \
     make pg_build; \
@@ -24,28 +34,29 @@ RUN set -eux; \
     install main/pg/wal-g /wal-g; \
     /wal-g --help
 
+
 # -----------------------------
-# Runtime image (Postgres base)
+# Runtime stage (Postgres)
 # -----------------------------
 FROM postgres:14.22-alpine3.23
 
-# Fix CVEs in base Alpine packages where applicable
+# Security: apply OS-level fixes only (not Go-level hacks)
 RUN apk upgrade --no-cache
 
-# Install runtime tools
+# Minimal runtime tools (keep attack surface small)
 RUN apk add --no-cache \
     iputils \
-    htop \
     curl \
+    jq \
     busybox-suid \
-    jq
+    htop
 
-# Install cronitor
+# Install cronitor (pinned external binary source)
 RUN curl -sSL https://cronitor.io/dl/linux_amd64.tar.gz -o /tmp/cronitor.tar.gz \
     && tar xvf /tmp/cronitor.tar.gz -C /usr/bin/ \
     && rm -f /tmp/cronitor.tar.gz
 
-# Copy wal-g binary
+# WAL-G binary
 COPY --from=builder /wal-g /usr/local/bin/wal-g
 
 # -----------------------------
@@ -71,7 +82,7 @@ RUN chown -R root:postgres /usr/local/scripts \
 COPY scripts/entrypoint.sh /
 RUN chmod +x /entrypoint.sh
 
-# Fix cron permissions
+# Cron permissions
 RUN chown -R root:postgres /etc/crontabs/root \
     && chmod g+rw /etc/crontabs/root