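---
# CVE-2026-9082 — unauthenticated PostgreSQL-only SQL injection in Drupal Core.
# Rung 1 (docker-compose). Two stacks are built from the same Dockerfile with
# different DRUPAL_TAG values; each runs against its own PostgreSQL container
# on its own bridge network:
#   - vulnerable:                 drupal:11.3.9  -> 127.0.0.1:8888  (network: lab)
#   - patched (profile 'control'): drupal:11.3.10 -> 127.0.0.1:8889  (network: lab-control)
#
# Exposure notes:
#   - Web ports are bound to 127.0.0.1 only, so they are not reachable from
#     the LAN. Any other user or process on this host CAN still reach a
#     deliberately vulnerable Drupal; run the lab on a single-user machine.
#   - PostgreSQL is never published to the host, and each stack's DB sits on
#     a network the other stack is not attached to, so the vulnerable app
#     cannot be pointed at the patched DB (or vice versa) by accident.
#   - drupal/drupal are throwaway lab credentials that never leave the
#     stack-private networks. Do not reuse them anywhere else.

name: cve-2026-9082

services:
  # ---- Vulnerable stack (default profile) ----
  postgres:
    image: postgres:16-alpine
    container_name: cve-2026-9082-postgres
    environment:
      POSTGRES_DB: drupal
      POSTGRES_USER: drupal
      POSTGRES_PASSWORD: drupal
    networks:
      - lab
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U drupal -d drupal"]
      interval: 5s
      timeout: 5s
      retries: 20
    # Deliberately no `ports:`. The privileged read channel goes via
    # `docker exec` into this container, not a host port. `docker exec`
    # requires Docker-daemon access on the host (root-equivalent), so that
    # channel is a verification convenience, not part of the surface under test.

  drupal:
    build:
      context: .
      dockerfile: Dockerfile
      args:
        # Quoted so YAML never coerces a version-looking value to a number.
        DRUPAL_TAG: "11.3.9"
    image: cve-2026-9082-drupal:11.3.9
    container_name: cve-2026-9082-drupal
    depends_on:
      postgres:
        condition: service_healthy
    # DRUPAL_DB_* are presumably consumed by the Dockerfile's install/entrypoint
    # script rather than by the upstream drupal image — confirm against Dockerfile.
    environment:
      DRUPAL_DB_HOST: postgres
      DRUPAL_DB_NAME: drupal
      DRUPAL_DB_USER: drupal
      DRUPAL_DB_PASSWORD: drupal
    ports:
      - "127.0.0.1:8888:80"   # loopback only; never shorten to "8888:80"
    networks:
      - lab
    healthcheck:
      # Readiness probe hits JSON:API; assumes the JSON:API module is enabled
      # by the site install in the Dockerfile — TODO confirm.
      test: ["CMD-SHELL", "curl -fsS http://localhost/jsonapi/node/article >/dev/null || exit 1"]
      interval: 10s
      timeout: 5s
      retries: 30
      # First-boot site install is slow; failures during it are not counted.
      start_period: 180s

  # ---- Patched control (optional; `docker compose --profile control up`) ----
  postgres-patched:
    image: postgres:16-alpine
    container_name: cve-2026-9082-postgres-patched
    profiles: ["control"]
    environment:
      POSTGRES_DB: drupal
      POSTGRES_USER: drupal
      POSTGRES_PASSWORD: drupal
    networks:
      - lab-control
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U drupal -d drupal"]
      interval: 5s
      timeout: 5s
      retries: 20
    # No `ports:` here either; same docker-exec-only access as `postgres`.

  drupal-patched:
    build:
      context: .
      dockerfile: Dockerfile
      args:
        DRUPAL_TAG: "11.3.10"
    image: cve-2026-9082-drupal:11.3.10
    container_name: cve-2026-9082-drupal-patched
    profiles: ["control"]
    depends_on:
      postgres-patched:
        condition: service_healthy
    environment:
      DRUPAL_DB_HOST: postgres-patched
      DRUPAL_DB_NAME: drupal
      DRUPAL_DB_USER: drupal
      DRUPAL_DB_PASSWORD: drupal
    ports:
      - "127.0.0.1:8889:80"   # loopback only
    networks:
      - lab-control
    healthcheck:
      # Same probe as the vulnerable stack so both report readiness the same way.
      test: ["CMD-SHELL", "curl -fsS http://localhost/jsonapi/node/article >/dev/null || exit 1"]
      interval: 10s
      timeout: 5s
      retries: 30
      start_period: 180s

networks:
  # One bridge per stack: the vulnerable app cannot resolve or reach
  # postgres-patched, and the patched app cannot reach postgres.
  lab:
    driver: bridge
  lab-control:
    driver: bridge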
