Spencer/bugfix 171 docker pg credentials

[spencertipping]

Fixes #171 by parsing credentials from POSTGRES_URI, making the check compatible with containerized deployments. This PR also adds some debugging statements and stderr logging to make it easier to track down connection issues.

I also pulled the files out of the dockerfile to make them easier to edit.

(My branch is misnamed: it should be bugfix-171, not bugfix-174.)

[jazzberry-ai]

Bug Report

Name	Severity	Example test case	Description
Incorrect Password Parsing	High	postgresql://user:pass!@#word@host:5432/database	The script incorrectly parses passwords containing special characters, leading to authentication failures.
Incorrect Port Parsing	Medium	postgresql://user:password@host/database	The script sets the PORT variable to the HOST when the port is missing in the URI.
Incorrect Database Parsing	Medium	postgresql://user:password@host:5432	The script sets the DB variable to the HOST:PORT when the database is missing in the URI.

_{Comments? Email us.}

[CLAassistant]

All committers have signed the CLA.

[jazzberry-ai]

Bug Report

Name	Severity	Example test case	Description
Incorrect PostgreSQL port parsing	High	POSTGRES_URI=postgresql://user:password@host/database	When the POSTGRES_URI does not contain a port, the docker-entrypoint.sh script incorrectly assigns the hostname to the PORT variable. This causes connection errors when trying to connect to the database.

_{Comments? Email us.}

[jazzberry-ai]

Bug Report

Name	Severity	Example test case	Description
Incorrect parsing of POSTGRES_URI	Critical	POSTGRES_URI="postgresql://user:password@host:5432/db"	The awk script in docker/docker-entrypoint.sh does not correctly parse the username, password, and host from the POSTGRES_URI environment variable. This can lead to authentication failures and prevent the application from connecting to the database.

_{Comments? Email us.}

[jazzberry-ai]

Bug Report

Name	Severity	Example test case	Description
Incorrect PostgreSQL URI Parsing	Critical	postgresql://user:password@host:5432/database	The parse-postgres-uri.sh script fails to correctly parse connection parameters from the POSTGRES_URI.
Query Parameter Handling Issue	Critical	postgresql://user:password@host:5432/database?sslmode=require	The parse-postgres-uri.sh script fails to correctly parse connection parameters when URI contains query parameters.
Special Character Handling	Critical	postgresql://user%40test:password@host:5432/database	The parse-postgres-uri.sh script fails to correctly parse usernames containing special characters.

_{Comments? Email us.}

[jazzberry-ai]

Bug Report

Name	Severity	Example test case	Description
PostgreSQL URI parsing failure with special characters	Critical	postgresql://user%40example:pass%23word@host:port/db	The script parse-postgres-uri.sh fails to correctly parse the username and password when they contain URL-encoded special characters (e.g., %40 for @, %23 for #). This prevents users from using passwords with common special characters.

_{Comments? Email us.}

[spencertipping]

@jazzberry-ai that is a lie.

[jazzberry-ai]

Bug Report

Name: URI escape injection
Severity: Critical
Example test case: postgresql://user:pass@host:port/db%0Arm -rf /
Description: The script decodes URI escapes without validating the decoded characters. This could allow an attacker to inject arbitrary commands into the environment variables by using the newline character (%0A).

_{Comments? Email us.}

[jazzberry-ai]

Bug Report

Name	Severity	Example test case	Description
Command Injection in URI Parsing	Critical	POSTGRES_URI="postgresql://user:pass\rm -rf /tmp/*`@host:port/db"`	The parse-postgres-uri.sh script uses awk and eval to parse the PostgreSQL URI. A malicious URI can inject arbitrary commands, leading to potential data loss or system compromise. The fix is to sanitize the URI components before using them in eval. For example, escape shell-sensitive characters in the user, pass, host, port, and db variables.

_{Comments? Email us.}

[jazzberry-ai]

Bug Report

Name	Severity	Example test case	Description
Incorrectly parses postgres URI with encoded characters	Critical	source /root/morphik-core/docker/parse-postgres-uri.sh "postgresql://user%40example:pass%25word@host%2Fname:5432/db%2Bname"	The script incorrectly parses postgres URIs that contain encoded characters, such as %40, %25, and %2F. This can lead to the application connecting to the wrong database, or failing to connect to the database at all. This can have serious security implications, as it can allow unauthorized access to sensitive data.

_{Comments? Email us.}

[jazzberry-ai]

Bug Report

Name	Severity	Example test case	Description
Potentially unavailable perl dependency	Medium	Run the docker image on a system without Perl installed.	The parse-postgres-uri.sh script relies on perl for URL decoding, which might not be available in all environments.
Incorrect default values in case of parse failure	Low	Set POSTGRES_URI to an invalid value and check that the application exits with an error.	The parse-postgres-uri.sh script defines default values for the postgres variables, but the docker-entrypoint.sh script continues execution with the default values when parsing fails. The application should exit with an error in this case.
Potential npm package version incompatibility	Low	Check the changelog for @morphik/ui between versions 0.2.22 and 0.2.24 for any breaking changes or known bugs.	The npm package version update might introduce new bugs or break compatibility with existing code.

_{Comments? Email us.}

[jazzberry-ai]

Bug Report

Name	Severity	Example test case	Description
Incorrect parsing of query parameters	High	export POSTGRES_URI='postgresql://user:pass@host:port/db?password=secret' && /root/morphik-core/docker/parse-postgres-uri.py "$POSTGRES_URI"	The script doesn't correctly parse the password if it's passed as a query parameter in the URI. This can lead to the password not being set and could expose the password in logs or environment variables.

_{Comments? Email us.}

[jazzberry-ai]

Bug Report

Name	Severity	Example test case	Description
Missing default values for HOST and PORT	Medium	Run the Docker container without setting POSTGRES_URI.	If POSTGRES_URI is not defined, the HOST and PORT variables will be empty, causing issues when starting the application.
Incorrect regex for parsing postgres URI	High	Use an invalid URI like postgresql://:password@host:5432/db	The regex pattern in parse-postgres-uri.py doesn't correctly validate the URI format, allowing invalid URIs to be parsed, which can lead to connection errors.

_{Comments? Email us.}

[spencertipping]

Not ready to merge yet; I'm fixing up some integrations with the docker builder action.

[jazzberry-ai]

Bug Report

| Name | Severity | Example test case | Description |\n|---|---|---|---|\n| Shell Injection in Postgres URI | Critical | postgresql://\touch /tmp/shell_injection`@localhost/db` | Backticks are not properly escaped in the username/password, leading to arbitrary shell command execution. |\n

_{Comments? Email us.}

[spencertipping]

OK, now everything should work (see https://github.com/ribera-ai/morphik-core/tree/feat/issue-158-publish-docker-image)

[jazzberry-ai]

Bug Report

Name	Severity	Example test case	Description
Potential Race Condition during Docker Build	Medium	Run the docker build workflow.	The application container may start before the database and Redis are fully initialized, leading to intermittent test failures. The /ping endpoint may become available before the app is fully ready. This is a race condition.

_{Comments? Email us.}

[jazzberry-ai]

Bug Report

Name	Severity	Example test case	Description
Shell Injection Vulnerability in POSTGRES_URI Parsing	Critical	postgresql://user:'pass; rm -rf /tmp/*'@host:5432/db	The parse-postgres-uri.py script does not properly escape shell metacharacters in the parsed URI components, allowing for arbitrary shell commands to be executed via the eval command in docker-entrypoint.sh.

_{Comments? Email us.}

[jazzberry-ai]

Bug Report

Name	Severity	Example test case	Description
PostgreSQL URI Parsing Failure Leads to Incorrect Uvicorn Binding	Medium	Set POSTGRES_URI to an invalid value (e.g., 'malformed_uri').	When the PostgreSQL URI parsing fails, the PG_HOST and PG_PORT variables are not set. The docker-entrypoint.sh script then uses these unset variables for the uvicorn command, causing uvicorn to bind to localhost:8000 instead of the intended 0.0.0.0:8000, making the application inaccessible from outside the container.

_{Comments? Email us.}