# Vulnerable Drupal Core 11.3.9 (PostgreSQL-only SQLi, CVE-2026-9082).
# Base image carries the unmodified vulnerable Drupal 11.3.9 source.
# We ONLY add operational tooling (drush + psql client) and an entrypoint;
# we never patch core. Pinned by exact tag per the affected version; overridable
# for the patched control build (11.3.10) via the DRUPAL_TAG build arg.
#
# DRUPAL_TAG is declared before FROM, so it is only in scope for the FROM line;
# instructions after FROM cannot read it unless it is redeclared in the stage.
# A tag is a mutable reference, so the same tag can resolve to different image
# content over time. For a reproducible vulnerable/control pair the build arg
# can also carry a digest, e.g.
#   --build-arg DRUPAL_TAG=11.3.9@sha256:<digest-placeholder>
ARG DRUPAL_TAG=11.3.9
FROM drupal:${DRUPAL_TAG}

# psql client for the SQL the entrypoint runs at boot (fresh secret per start,
# per the entrypoint script, which is not part of this file). Only one OS
# package is added here; Drupal core source is not touched by this layer.
# The apt lists are removed in the same RUN so they never land in the image.
RUN set -eux \
    && apt-get update \
    && apt-get install --yes --no-install-recommends postgresql-client \
    && rm -rf /var/lib/apt/lists/*

# Drush is added as a Composer dependency of the project in /opt/drupal so the
# entrypoint can install the site and create content without prompts; the
# symlink puts the binary on PATH.
# NOTE(review): the ^13 constraint is resolved at build time, so two builds can
# pick up different Drush releases, and `composer require` rewrites
# composer.json and composer.lock. Confirm after this step that drupal/core is
# still at the intended release (e.g.
# `composer --working-dir=/opt/drupal show drupal/core`), so the lab image keeps
# matching the version named in the header.
RUN set -eux \
    && composer --working-dir=/opt/drupal require --no-interaction drush/drush:^13 \
    && ln -sf /opt/drupal/vendor/bin/drush /usr/local/bin/drush

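# Install the lab entrypoint wrapper. The mode is set to an explicit 0755
# instead of `chmod +x`: `+x` only adds execute bits and keeps whatever group-
# or world-writable bits the file carries in the build context. COPY without
# --chown leaves the file owned by root, so 0755 makes it writable by root only
# and gives the same result on every build host.
COPY config/entrypoint.sh /usr/local/bin/lab-entrypoint.sh
RUN chmod 0755 /usr/local/bin/lab-entrypoint.sh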

# Exec (JSON-array) form: the wrapper is started directly rather than through
# /bin/sh -c, and CMD is handed to it as arguments ("apache2-foreground" unless
# a different command is given at `docker run`).
# NOTE(review): config/entrypoint.sh is not visible here — confirm it ends with
# `exec "$@"` so the CMD process replaces the wrapper and receives stop signals.
# No USER instruction appears in this file, so the wrapper runs as whichever
# user the base image defaults to.
ENTRYPOINT ["/usr/local/bin/lab-entrypoint.sh"]
CMD ["apache2-foreground"]
