fix: Fail fast when VNC password file creation fails instead of starting without auth #214
cubic-dev-ai[bot] wants to merge 1 commit into feat/add-webcontainers from
CodeCapy Review ₍ᐢ•(ܫ)•ᐢ₎
Codebase Summary
ZapDev is an AI-powered development platform that allows users to create web applications via a chat-driven interface in real-time sandboxes. It features code generation with AI agents, real-time updates, and a sophisticated UI for file exploration, messaging, and project management, built with Next.js, React, and Tailwind CSS.
PR Changes
This pull request changes the expo-android start script to enforce security for the VNC server. The script now attempts to create the VNC password file with proper directory creation (using mkdir -p) and explicitly exits with an error if the creation fails or if the file is missing. Previously, the script would fall back to starting the VNC server without authentication. The change introduces a 'fail closed' approach to prevent unauthorized access.
Setup Instructions
Generated Test Cases
1: Successful VNC Password File Creation and VNC Server Start ❗️❗️❗️
Description: Tests that when the environment allows for creation of the VNC password file, the script logs the correct messages and starts the VNC server with authentication.
Prerequisites:
Steps:
Expected Result: The script logs '[INFO] Creating VNC password file...', successfully creates the VNC password file, verifies its existence, and then logs '[INFO] Starting VNC server on port 5900...'. The VNC server is started using the x11vnc command with the -rfbauth flag.
2: Fail Fast When VNC Password File Creation Fails Due to Directory Permission Issues ❗️❗️❗️
Description: Tests that if the script cannot create the VNC password file because of permission issues (or a non-writable /home/user), it logs an error and exits without starting the VNC server.
Prerequisites:
Steps:
Expected Result: The script logs '[INFO] Creating VNC password file...' followed by '[ERROR] Failed to create VNC password file. Exiting to prevent unauthenticated VNC access.' and then exits, ensuring that the VNC server is not started.
3: Pre-existing VNC Password File Skips Creation and Starts VNC Server with Authentication ❗️❗️
Description: Tests that when a valid VNC password file pre-exists, the script does not attempt to recreate it and proceeds to start the VNC server with the existing file for authentication.
Prerequisites:
Steps:
Expected Result: The script detects the pre-existing VNC password file (skipping the creation block) and confirms its existence. It then logs '[INFO] Starting VNC server on port 5900...' and starts the VNC server with the -rfbauth option using the existing file.
4: Error Handling for Missing VNC Password File After Creation Attempt ❗️❗️
Description: Ensures that if, for any unexpected reason, the VNC password file is missing immediately after the creation attempt, the script logs an error and exits without starting the VNC server.
Prerequisites:
Steps:
Expected Result: The script logs an error '[ERROR] VNC password file not found at /home/user/.vnc_passwd. Refusing to start VNC without authentication.' and exits without starting the VNC server.
Raw Changes Analyzed
File: sandbox-templates/expo-android/start_android.sh
Changes:
@@ -15,17 +15,24 @@ fluxbox &
# Generate VNC password if not exists
VNC_PASSWD_FILE="/home/user/.vnc_passwd"
if [ ! -f "$VNC_PASSWD_FILE" ]; then
- echo "vncpasswd" | head -1 > "$VNC_PASSWD_FILE" 2>/dev/null || true
+ echo "[INFO] Creating VNC password file..."
+ mkdir -p /home/user
+ echo "vncpasswd" | head -1 > "$VNC_PASSWD_FILE" 2>/dev/null
+ if [ $? -ne 0 ] || [ ! -f "$VNC_PASSWD_FILE" ]; then
+ echo "[ERROR] Failed to create VNC password file. Exiting to prevent unauthenticated VNC access."
+ exit 1
+ fi
+fi
+
+# Verify VNC password file exists before starting server
+if [ ! -f "$VNC_PASSWD_FILE" ]; then
+ echo "[ERROR] VNC password file not found at $VNC_PASSWD_FILE. Refusing to start VNC without authentication."
+ exit 1
fi
# Start VNC server with password authentication
echo "[INFO] Starting VNC server on port 5900..."
-if [ -f "$VNC_PASSWD_FILE" ]; then
- x11vnc -display :99 -forever -shared -rfbport 5900 -rfbauth "$VNC_PASSWD_FILE" &
-else
- echo "[WARN] VNC password file not found, starting without authentication"
- x11vnc -display :99 -forever -shared -rfbport 5900 &
-fi
+x11vnc -display :99 -forever -shared -rfbport 5900 -rfbauth "$VNC_PASSWD_FILE" &
# Wait for display services
sleep 2
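Review bot: The new check `if [ $? -ne 0 ] || [ ! -f "$VNC_PASSWD_FILE" ]; then` only proves that a file exists, while the line it guards, `echo "vncpasswd" | head -1 > "$VNC_PASSWD_FILE" 2>/dev/null`, still writes the same fixed plain-text string in every sandbox. The -rfbauth option of x11vnc expects a file in the format written by `x11vnc -storepasswd`, not plain text, so the password the server enforces may not be the string in the script, and whatever it is, it is identical across deployments. Suggest generating a random per-instance password, storing it with x11vnc -storepasswd, restricting the file to mode 600, and testing with -s (non-empty) rather than -f. Two smaller points: `mkdir -p /home/user` hardcodes the directory instead of deriving it from $VNC_PASSWD_FILE and its exit status is not checked, and because x11vnc is started with `&`, a failure to start is not noticed by the script.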
Summary
Changes
* mkdir -p to ensure parent directory exists before password file creation
* -rfbauth flag
Security Impact
Previously, if the password file creation failed (e.g., due to permissions issues), the script would log a warning and start VNC without authentication, exposing the display to anyone who could reach port 5900.
Now, the script follows a "fail closed" approach - if authentication cannot be properly configured, the service refuses to start.
🤖 Generated with Claude Code
Co-Authored-By: Claude noreply@anthropic.com
Summary by cubic
Prevents unauthenticated VNC by failing fast if the password file can’t be created in the expo-android start script. The script now verifies the file and exits instead of starting without auth.
Written for commit 68dc8be. Summary will update on new commits.
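The fail-closed gate described under Security Impact, generalized as an added example (not code from this PR or the project): the function names `vnc_auth_file_ok` and `start_fail_closed` are hypothetical, and GNU `stat` is assumed. It goes beyond the PR's existence test by also rejecting empty, symlinked, or group/world-accessible auth files.

```shell
#!/bin/sh
# Added example: validate a VNC auth file before any server is launched.
# Returns 0 only when the file is safe to pass to -rfbauth.
vnc_auth_file_ok() {
    f=$1
    # Reject symlinks: the link target could be replaced after the check.
    if [ -L "$f" ]; then
        echo "[ERROR] $f is a symlink" >&2
        return 1
    fi
    # Same condition the PR tests: the path must be a regular file.
    if [ ! -f "$f" ]; then
        echo "[ERROR] $f not found" >&2
        return 1
    fi
    # -f alone accepts a zero-byte file, e.g. after a truncated write.
    if [ ! -s "$f" ]; then
        echo "[ERROR] $f is empty" >&2
        return 1
    fi
    # Require the group and other permission digits to be 0 (GNU stat).
    mode=$(stat -c '%a' "$f") || return 1
    case "$mode" in
        *00) ;;
        *)
            echo "[ERROR] $f has mode $mode, expected 600" >&2
            return 1
            ;;
    esac
    return 0
}

# Run the given command only when the auth file passes every check.
# Intended call site (not executed here):
#   start_fail_closed "$VNC_PASSWD_FILE" x11vnc -display :99 -forever \
#       -shared -rfbport 5900 -rfbauth "$VNC_PASSWD_FILE" &
start_fail_closed() {
    f=$1
    shift
    if ! vnc_auth_file_ok "$f"; then
        echo "[ERROR] Refusing to start VNC without authentication." >&2
        return 1
    fi
    "$@"
}
```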