# SPDX-License-Identifier: Apache-2.0
# Copyright 2025 Damn Vulnerable Go Application

FROM golang:1.21-alpine AS builder

# Install build dependencies
RUN apk add --no-cache gcc musl-dev sqlite-dev

WORKDIR /app

# Copy go mod files
COPY go.mod go.sum ./

# Download dependencies
RUN go mod download

# Copy source code
COPY . .

# Build the application
RUN CGO_ENABLED=1 GOOS=linux go build -a -installsuffix cgo -o vulnerable_app .

# Final stage
FROM alpine:latest

# Install runtime dependencies
RUN apk --no-cache add ca-certificates sqlite

WORKDIR /root/

# Copy the binary from builder stage
COPY --from=builder /app/vulnerable_app .
COPY --from=builder /app/VULNERABILITIES.md .

# Create uploads directory with insecure permissions (intentionally vulnerable)
RUN mkdir -p uploads && chmod 777 uploads

# Expose port
EXPOSE 8080

# Add warning labels
LABEL warning="This container contains intentional security vulnerabilities"
LABEL purpose="Educational and security training only"
LABEL security="DO NOT USE IN PRODUCTION"

# Run the vulnerable application
CMD ["./vulnerable_app"]