fix: docker sandbox execution, CSP iframe allowlist, and stable test pipeline Docker handling

Author: ttbombadil

Dockerfile

@@ -1,3 +1,6 @@
+# Pull Docker CLI binary from official image to avoid apt repo complexity
+FROM docker:27-cli AS docker-cli
+
 # Multi-stage build using Node 25.2.1
 FROM node:25.2.1 AS builder
 WORKDIR /app
@@ -17,25 +20,22 @@ WORKDIR /app
 ENV NODE_ENV=production
 ENV ARDUINO_CACHE_DIR=/app/server/arduino-cache
 
-# 1. Installiere System-Tools UND Docker-CLI
+# 1. Copy Docker CLI binary from official image (no apt repo setup needed)
+COPY --from=docker-cli /usr/local/bin/docker /usr/local/bin/docker
+
+# 2. Install system tools and Arduino CLI
 RUN apt-get update && apt-get install -y --no-install-recommends \
     curl \
     ca-certificates \
     tar \
     xz-utils \
     g++ \
-    gnupg \
-    lsb-release \
-    && mkdir -p -m 0755 /etc/apt/keyrings \
-    && curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg \
-    && echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian bookworm stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null \
-    && apt-get update \
-    && apt-get install -y docker-ce-cli \
-    # 2. Arduino CLI Installation
     && curl -fsSL https://raw.githubusercontent.com/arduino/arduino-cli/master/install.sh | BINDIR=/usr/local/bin sh \
-    && arduino-cli config init \
-    && arduino-cli core update-index \
-    && arduino-cli core install arduino:avr \
+    && mkdir -p /home/node/.arduino15 \
+    && chown -R node:node /home/node/.arduino15 \
+    && su node -c 'HOME=/home/node arduino-cli config init' \
+    && su node -c 'HOME=/home/node arduino-cli core update-index' \
+    && su node -c 'HOME=/home/node arduino-cli core install arduino:avr' \
     && apt-get clean \
     && rm -rf /var/lib/apt/lists/* \
     && mkdir -p /app/server/arduino-cache /app/storage/binaries /app/temp
@@ -46,7 +46,8 @@ COPY --from=builder /app/dist ./dist
 # Copy package metadata and install dependencies
 COPY package.json package-lock.json ./
 RUN npm install --legacy-peer-deps --production=false \
-    && chown -R node:node /app
+    && chown -R node:node /app \
+    && usermod -aG root node
 
 # Run as non-root user for production
 # node:slim already provides a 'node' user at UID 1000

docker-compose.yml

@@ -10,16 +10,16 @@ services:
     restart: unless-stopped
     environment:
       - NODE_ENV=production
-      - ARDUINO_CACHE_DIR=/app/arduino-cache
-      - UNOSIM_SHARED_TEMP_DIR=/app/temp
+      - ARDUINO_CACHE_DIR=${PWD}/server/arduino-cache
+      - UNOSIM_SHARED_TEMP_DIR=${PWD}/temp
       - DOCKER_HOST=unix:///var/run/docker.sock
       - DOCKER_SANDBOX_IMAGE=unosim-sandbox:latest
     ports:
       - "3000:3000"
     volumes:
-      - /var/run/docker.sock:/var/run/docker.sock:ro
-      - ./server/arduino-cache:/app/arduino-cache
-      - ./temp:/app/temp
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ${PWD}/server/arduino-cache:${PWD}/server/arduino-cache
+      - ${PWD}/temp:${PWD}/temp
       - ./storage:/app/storage
     healthcheck:
       test: ["CMD", "wget", "-qO-", "http://localhost:3000/health"]

docs/EXTERNAL_API.md

@@ -12,6 +12,25 @@ The simulator only processes messages whose `event.origin` exactly matches the d
 When the simulator runs top-level (not in an iframe) the effective allowed origin is `"*"` (any).  
 Messages from all other origins are silently discarded.
 
+> Important: iframe embedding is controlled by the simulator page's own CSP header, not by the parent page.
+
+For local development, the simulator allows embedding from common local test hosts by default:
+- `'self'`
+- `http://localhost:3000`
+- `http://127.0.0.1:3000`
+- `http://localhost:5173`
+- `http://127.0.0.1:5173`
+
+If your test application runs on `http://localhost:5173`, the simulator origin must explicitly allow that host in its `frame-ancestors` CSP directive.
+
+If you need to allow additional parent origins, set the environment variable `SIMULATOR_ALLOWED_PARENT_ORIGINS` with a comma-separated list of origins before starting the simulator. For example:
+
+```bash
+SIMULATOR_ALLOWED_PARENT_ORIGINS=http://localhost:3000
+```
+
+This is required when your test website is hosted on a different origin than the simulator.
+
 ---
 
 ## Inbound Messages (Website → Simulator)

run-tests.sh

@@ -183,6 +183,12 @@ run_task "Unit-Tests" "NODE_OPTIONS='--no-warnings' npm run test:fast -- --repor
 parse_test_results "Tests.*passed"
 
 # 3+4. Sandbox Image Build & Docker-Tests (optional, wenn Docker verfügbar)
+# Docker nach den Unit-Tests erneut prüfen: Heavy-Load kann den Daemon kurz einfrieren.
+if [ "$DOCKER_AVAILABLE" -eq 1 ] && ! docker info >/dev/null 2>&1; then
+    echo -e "  ${WARN} Docker nach Unit-Tests nicht mehr erreichbar – Docker-Tests werden übersprungen"
+    DOCKER_AVAILABLE=0
+fi
+
 if [ "$DOCKER_AVAILABLE" -eq 1 ]; then
     # Sandbox Image nur bauen wenn es noch nicht existiert
     if ! docker image inspect "$DOCKER_SANDBOX_IMAGE" > /dev/null 2>&1; then

server/index.ts

@@ -10,6 +10,28 @@ import { getCompilationPool } from "./services/compilation-worker-pool";
 
 const __dirname = path.dirname(fileURLToPath(import.meta.url));
 
+function parseAllowedFrameAncestors(): string[] {
+  const envValue = process.env.SIMULATOR_ALLOWED_PARENT_ORIGINS ?? process.env.ALLOW_EMBED_ORIGINS;
+  const defaultOrigins = [
+    "'self'",
+    "http://localhost:3000",
+    "http://127.0.0.1:3000",
+    "http://localhost:5173",
+    "http://127.0.0.1:5173",
+  ];
+
+  if (!envValue) {
+    return defaultOrigins;
+  }
+
+  const customOrigins = envValue
+    .split(",")
+    .map((origin) => origin.trim())
+    .filter(Boolean);
+
+  return Array.from(new Set([...defaultOrigins, ...customOrigins]));
+}
+
 // Cleanup service: Delete old .cleanup.json files and .cleanup directories (> 5 minutes old)
 function startCleanupService() {
   const CLEANUP_INTERVAL_MS = 60 * 1000; // Check every minute
@@ -61,8 +83,13 @@ function startCleanupService() {
 const app = express();
 
 // Security: Helmet adds various HTTP headers for protection
+function getFrameAncestorsHeader(): string {
+  return `frame-ancestors ${parseAllowedFrameAncestors().join(" ")}`;
+}
+
 app.use(
   helmet({
+    frameguard: false, // Deactivate X-Frame-Options; we use CSP frame-ancestors instead
     contentSecurityPolicy: {
       directives: {
         defaultSrc: ["'self'"],
@@ -73,11 +100,17 @@ app.use(
         fontSrc: ["'self'", "data:", "https://fonts.gstatic.com"],
         workerSrc: ["'self'", "blob:", "data:"],
         childSrc: ["'self'", "blob:"], // Wichtig für ältere Browser/Playwright
+        frameAncestors: parseAllowedFrameAncestors(),
       },
     },
   }),
 );
 
+app.use((_, res, next) => {
+  res.setHeader("Content-Security-Policy", getFrameAncestorsHeader());
+  next();
+});
+
 // Security: Rate limiting to prevent DoS attacks
 // In test/development mode, use higher limits
 const isTestMode =

server/services/arduino-compiler.ts

@@ -730,9 +730,6 @@ export class ArduinoCompiler {
     if (config.buildPath) {
       args.push("--build-path", config.buildPath);
     }
-    if (config.buildCachePath) {
-      args.push("--build-cache-path", config.buildCachePath);
-    }
     args.push(sketchDir);
     return args;
   }

vite.config.ts

@@ -6,6 +6,23 @@ import { fileURLToPath } from "node:url";
 
 const __dirname = path.dirname(fileURLToPath(import.meta.url));
 
+function getAllowedFrameAncestors(): string {
+  const envValue = process.env.SIMULATOR_ALLOWED_PARENT_ORIGINS ?? process.env.ALLOW_EMBED_ORIGINS;
+  const defaultOrigins = [
+    "'self'",
+    "http://localhost:3000",
+    "http://127.0.0.1:3000",
+    "http://localhost:5173",
+    "http://127.0.0.1:5173",
+  ];
+  const customOrigins = envValue
+    ? envValue.split(",").map((origin) => origin.trim()).filter(Boolean)
+    : [];
+
+  const origins = Array.from(new Set([...defaultOrigins, ...customOrigins]));
+  return `frame-ancestors ${origins.join(" ")}`;
+}
+
 export default defineConfig({
   plugins: [tsconfigPaths(), react()],
   resolve: {
@@ -42,6 +59,14 @@ export default defineConfig({
   server: {
     host: true,
     port: 3001, // Vite devserver Port
+    hmr: {
+      host: "localhost",
+      port: 3001,
+      protocol: "ws",
+    },
+    headers: {
+      "Content-Security-Policy": getAllowedFrameAncestors(),
+    },
     proxy: {
       // Leitet API-Aufrufe an Backend auf Port 3000 weiter
       "/api": {