fix: CTF Makefile audit — 3 critical · 4 high · 8 medium findings across 18 lab Makefiles #153

@t0kubetsu

Summary

A review of all 18 CTF lab Makefiles (03_container_layer/docker/_ctf/) found 3 critical, 4 high, 8 medium, and 3 low issues. All files share a single template (blank_template/Makefile) — structural bugs are present in every file simultaneously.


CRITICAL

C1 — clean destroys entire host Docker environment (all 18 files, lines 66–72)

clean:
	docker system prune -a --volumes -f          # wipes entire host
	-docker stop $(shell docker ps -aq)           # stops ALL host containers
	-docker rm -f $(shell docker ps -aq)          # removes ALL host containers
	-docker rmi -f $(shell docker images -q)      # removes ALL host images
	-docker volume rm -f $(shell docker volume ls -q)  # removes ALL host volumes
	-docker network prune -f

docker ps -aq, docker images -q, and docker volume ls -q are host-wide queries. make clean destroys every container/image/volume on the machine, not just the current lab's. Fix: replace with docker compose down --rmi all --volumes --remove-orphans.

C2 — Wrong SERVICE in CVE-2024-6387/Makefile:5

SERVICE = openssh-cve-2018-15473   # should be openssh-cve-2024-6387

Every make up/down/build/term silently targets the wrong lab container.

C3 — Wrong SERVICE in CVE-2019-11043/Makefile:5

SERVICE = apache-cve-2021-42013    # should be php-cve-2019-11043

Copied from the Apache Makefile without updating SERVICE or the ISSUE header.


HIGH

H1 — $(shell docker ps -aq) expands at parse time on every make invocation (all 18 files, lines 68–71)

GNU Make expands $(shell ...) during the parse phase before any target runs — Docker is queried on every make up, make build, make term, etc.

H2 — stop-debug-build hardcodes debug literal instead of $(DEBUG_SERVICE) (all 18 files, line 42)

docker compose rm -sf debug   # should be $(DEBUG_SERVICE)

The rm step silently no-ops — debug containers are never actually removed.

H3 — build/build-up/rebuild/rebuild-up not scoped to $(SERVICE) (all 18 files, lines 46–62)

docker compose build and docker compose up -d without a service argument build/start all services in the compose file.

H4 — docker system prune missing - prefix; aborts clean on first failure (all 18 files, line 67)

Inconsistent with every other line in the clean block. Moot after C1 fix.


MEDIUM

| ID | Issue | Scope |
| --- | --- | --- |
| M1 | No .PHONY declarations — targets silently no-op if a same-named file exists | All 18 |
| M2 | make print advertised in help but target does not exist | All 18 |
| M3 | CVE-2023-34092/Makefile:5: SERVICE = vite-cve-2022-44615 — stale after CVE rename (commit f316e58); compose.yml also needs updating | 1 file + compose |
| M4 | 5-line dead commented-out block in term-debug-build | All 18 |
| M5 | stop-debug-build comment says "stop only" but also removes the container | All 18 |
| M6 | blank_template/Makefile:5: SERVICE = tomcat-cve-2025-24813 — template should use SERVICE = REPLACE_ME | Template |
| M7 | lpe-01/Makefile:25: duplicate make term help entry hides real make term-user target | 1 file |
| M8 | clean ordering: prune before stop/rm — moot after C1 fix | All 18 |

LOW

| ID | Issue |
| --- | --- |
| L1 | Inconsistent ISSUE header formats; ISSUE 41 and 95 claimed by two exercises each |
| L2 | vite CVEs use /bin/sh; all others use /bin/bash |
| L3 | Trailing whitespace on target definition lines |
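
An added example, not part of the issue or the repository: a small Python linter that flags four of the patterns reported above (C1 host-wide Docker commands, C2/C3 mismatched SERVICE, M1 missing .PHONY, M2 help entries with no target). The function name, the sample Makefile and the rule that SERVICE should contain the lowercased CVE directory name are assumptions made for illustration.

```python
import re

# Docker commands that act on the whole host rather than on one compose project.
HOST_WIDE = re.compile(
    r"docker\s+(system\s+prune|network\s+prune|ps\s+-aq|images\s+-q|volume\s+ls\s+-q)")
TARGET = re.compile(r"^([A-Za-z0-9_.-]+)\s*:(?!=)")
SERVICE = re.compile(r"^SERVICE\s*[:?]?=\s*([^\s#]+)")
CVE_DIR = re.compile(r"^CVE-\d{4}-\d+$")

def audit_makefile(text, lab_dir):
    """Return sorted (line, message) findings for one lab Makefile."""
    findings, targets, phony, advertised = [], {}, set(), {}
    for n, line in enumerate(text.splitlines(), 1):
        if line.startswith("\t"):                      # recipe line
            if HOST_WIDE.search(line):
                findings.append((n, "host-wide docker command"))
            for name in re.findall(r"\bmake\s+([a-z][\w-]*)", line):
                advertised.setdefault(name, n)         # e.g. help text
        elif line.startswith(".PHONY:"):
            phony.update(line.split(":", 1)[1].split())
        elif m := SERVICE.match(line):
            # Assumed convention: SERVICE embeds the lowercased CVE directory name.
            if CVE_DIR.match(lab_dir) and lab_dir.lower() not in m.group(1):
                findings.append((n, f"SERVICE {m.group(1)} does not match {lab_dir}"))
        elif m := TARGET.match(line):
            targets[m.group(1)] = n
    for name, n in targets.items():
        if name not in phony:
            findings.append((n, f"target {name} not declared .PHONY"))
    for name, n in advertised.items():
        if name not in targets:
            findings.append((n, f"help advertises missing target {name}"))
    return sorted(findings)

# Constructed sample: a cut-down Makefile reproducing the patterns from the issue.
SAMPLE = (
    "SERVICE = openssh-cve-2018-15473\n"
    ".PHONY: help up\n"
    "help:\n"
    "\t@echo 'make up | make print | make clean'\n"
    "up:\n"
    "\tdocker compose up -d $(SERVICE)\n"
    "clean:\n"
    "\tdocker system prune -a --volumes -f\n"
    "\t-docker rm -f $(shell docker ps -aq)\n"
)
if __name__ == "__main__":
    for lineno, msg in audit_makefile(SAMPLE, "CVE-2024-6387"):
        print(f"Makefile:{lineno}: {msg}")
```

Run over each lab directory in CI, a non-empty result can fail the build before a copied template reaches a student's machine.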
