fix: avoid browser cloud-init heredocs

2026-05-05 19:01:56 +01:00 · 2026-05-05 19:01:56 +01:00 · c1eb1dd666
commit c1eb1dd666
parent d7c07cd946
5 changed files with 25 additions and 14 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -20,6 +20,7 @@
 - Fixed WebVNC portal status text and bridge commands so waiting/reset states explain the exact local bridge command to run.
 - Fixed Windows WebVNC credential handling so generated portal links preserve special characters and managed TightVNC sessions copy service passwords into the logged-in user's registry profile.
 - Fixed managed Linux browser setup so Chrome/Chromium launches skip first-run and default-browser prompts.
+- Fixed managed Linux browser cloud-init setup so Chrome/Chromium policy and wrapper generation cannot break YAML parsing.
 - Fixed WebVNC portal passwords with escaped special characters and kept the bridge alive across viewer resets and transient coordinator EOFs.

 ## 0.5.0 - 2026-05-04
--- a/internal/cli/bootstrap.go
+++ b/internal/cli/bootstrap.go
@ -564,14 +564,9 @@ func cloudInitOptionalBootstrap(cfg Config) string {
    if [ -n "$browser_path" ]; then
      browser_wrapper=/usr/local/bin/crabbox-browser
      install -d -m 0755 /etc/opt/chrome/policies/managed /etc/chromium/policies/managed
-      cat > /etc/opt/chrome/policies/managed/crabbox.json <<'EOF'
-{"DefaultBrowserSettingEnabled":false,"MetricsReportingEnabled":false,"PromotionalTabsEnabled":false}
-EOF
+      printf '%s\n' '{"DefaultBrowserSettingEnabled":false,"MetricsReportingEnabled":false,"PromotionalTabsEnabled":false}' > /etc/opt/chrome/policies/managed/crabbox.json
      cp /etc/opt/chrome/policies/managed/crabbox.json /etc/chromium/policies/managed/crabbox.json
-      cat > "$browser_wrapper" <<EOF
-#!/bin/sh
-exec "$browser_path" --no-first-run --no-default-browser-check --disable-default-apps "\$@"
-EOF
+      printf '%s\n' '#!/bin/sh' "exec \"$browser_path\" --no-first-run --no-default-browser-check --disable-default-apps \"\$@\"" > "$browser_wrapper"
      chmod 0755 "$browser_wrapper"
      printf 'CHROME_BIN=%s\nBROWSER=%s\n' "$browser_wrapper" "$browser_wrapper" > /var/lib/crabbox/browser.env
      chown crabbox:crabbox /var/lib/crabbox/browser.env
--- a/internal/cli/bootstrap_test.go
+++ b/internal/cli/bootstrap_test.go
@ -96,11 +96,22 @@ func TestCloudInitBrowserProfile(t *testing.T) {
 		"/var/lib/crabbox/browser.env",
 		"test -x \"$BROWSER\"",
 		"\"$BROWSER\" --version >/dev/null",
+		"printf '%s\\n' '{\"DefaultBrowserSettingEnabled\":false,\"MetricsReportingEnabled\":false,\"PromotionalTabsEnabled\":false}' > /etc/opt/chrome/policies/managed/crabbox.json",
+		"printf '%s\\n' '#!/bin/sh' \"exec \\\"$browser_path\\\" --no-first-run --no-default-browser-check --disable-default-apps \\\"\\$@\\\"\" > \"$browser_wrapper\"",
 	} {
 		if !strings.Contains(got, want) {
 			t.Fatalf("cloudInit(browser) missing %q", want)
 		}
 	}
+	for _, notWant := range []string{
+		"<<'EOF'",
+		"<<EOF",
+		"\nEOF",
+	} {
+		if strings.Contains(got, notWant) {
+			t.Fatalf("cloudInit(browser) contains browser heredoc content %q", notWant)
+		}
+	}
 }

 func TestCloudInitTailscaleProfile(t *testing.T) {
--- a/worker/src/bootstrap.ts
+++ b/worker/src/bootstrap.ts
@ -444,14 +444,9 @@ function optionalBootstrap(config: LeaseConfig): string {
    if [ -n "$browser_path" ]; then
      browser_wrapper=/usr/local/bin/crabbox-browser
      install -d -m 0755 /etc/opt/chrome/policies/managed /etc/chromium/policies/managed
-      cat > /etc/opt/chrome/policies/managed/crabbox.json <<'EOF'
-{"DefaultBrowserSettingEnabled":false,"MetricsReportingEnabled":false,"PromotionalTabsEnabled":false}
-EOF
+      printf '%s\\n' '{"DefaultBrowserSettingEnabled":false,"MetricsReportingEnabled":false,"PromotionalTabsEnabled":false}' > /etc/opt/chrome/policies/managed/crabbox.json
      cp /etc/opt/chrome/policies/managed/crabbox.json /etc/chromium/policies/managed/crabbox.json
-      cat > "$browser_wrapper" <<EOF
-#!/bin/sh
-exec "$browser_path" --no-first-run --no-default-browser-check --disable-default-apps "\\$@"
-EOF
+      printf '%s\\n' '#!/bin/sh' "exec \\"$browser_path\\" --no-first-run --no-default-browser-check --disable-default-apps \\"\\$@\\"" > "$browser_wrapper"
      chmod 0755 "$browser_wrapper"
      printf 'CHROME_BIN=%s\\nBROWSER=%s\\n' "$browser_wrapper" "$browser_wrapper" > /var/lib/crabbox/browser.env
      chown crabbox:crabbox /var/lib/crabbox/browser.env
--- a/worker/test/bootstrap.test.ts
+++ b/worker/test/bootstrap.test.ts
@ -117,6 +117,15 @@ describe("cloud-init bootstrap", () => {
    expect(got).toContain("/var/lib/crabbox/browser.env");
    expect(got).toContain('test -x "$BROWSER"');
    expect(got).toContain('"$BROWSER" --version >/dev/null');
+    expect(got).toContain(
+      `printf '%s\\n' '{"DefaultBrowserSettingEnabled":false,"MetricsReportingEnabled":false,"PromotionalTabsEnabled":false}' > /etc/opt/chrome/policies/managed/crabbox.json`,
+    );
+    expect(got).toContain(
+      `printf '%s\\n' '#!/bin/sh' "exec \\"$browser_path\\" --no-first-run --no-default-browser-check --disable-default-apps \\"\\$@\\"" > "$browser_wrapper"`,
+    );
+    expect(got).not.toContain("<<'EOF'");
+    expect(got).not.toContain("<<EOF");
+    expect(got).not.toContain("\nEOF");
  });

  it("adds Tailscale setup only when requested", () => {