
Security/patches #12632


@shogunpurple shogunpurple commented Dec 19, 2023

Description

Working through security patches for ironbank - the majority of this stuff is all version updates to patch dependencies, but I've made several updates as well.

vm2 - isolated VM

TL;DR The library contains critical security issues and should not be used for production! The maintenance of the project has been discontinued. Consider migrating your code to [isolated-vm](https://www.npmjs.com/package/isolated-vm).

I've migrated our usages of vm2 to isolated-vm. So we should be covered from the vulns in vm2 in future. isolated-vm is a more robust and safer library. It also provides nice options for memory limits per execution, preventing endless loops etc from blowing up BB.

QoL

A pet peeve I've always had is in the query UI, how you can't use the classic combo of Meta + Enter to run a query. I've added some key handlers for this, so when editing a query in the data section you can use that combination of keys to run your query.

NB: I'm aware this is a fairly high risk change. We don't have to merge it as I can continue to build the image for ironbank off this branch in the meantime. Just wanted to get a draft up for now

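What the vm2 to isolated-vm migration described above buys in practice, as an added example that is not the project's own code: each snippet runs in its own Isolate with a per-execution memory limit and a wall-clock timeout, so an endless loop or a heap bomb in user-supplied JS is killed and reported instead of taking the host process down. It assumes isolated-vm is installed (`npm install isolated-vm`, a native module); `runUntrusted` and the sample snippets are constructed for this illustration.

```javascript
// Added example (not the project's code). Runs an untrusted snippet inside an
// isolated-vm Isolate bounded by a memory limit and a timeout.

// Run `source` in a fresh isolate. memoryLimit is in MB, timeout in ms.
// Returns { ok: true, value } or { ok: false, error } so that hostile input
// never surfaces as a raw exception in the caller.
function runUntrusted(source, { memoryLimit = 8, timeout = 100 } = {}) {
  // Required here rather than at module top so loading this file does not
  // need the native build until a script is actually executed.
  const ivm = require("isolated-vm");
  const isolate = new ivm.Isolate({ memoryLimit });
  try {
    const context = isolate.createContextSync();
    // copy: true makes isolated-vm serialise the result across the boundary
    // instead of handing back a Reference into the sandboxed heap.
    const value = context.evalSync(source, { timeout, copy: true });
    return { ok: true, value };
  } catch (err) {
    // Timeouts surface as "Script execution timed out." and memory-limit
    // kills as "Isolate was disposed ... due to memory limit".
    return { ok: false, error: String(err && err.message ? err.message : err) };
  } finally {
    // Release the V8 heap; isolated-vm already disposes the isolate itself
    // when the memory limit is hit, so guard against a double dispose.
    if (!isolate.isDisposed) isolate.dispose();
  }
}

// Constructed inputs: a benign expression, an endless loop, and a heap bomb
// that keeps pushing ~800 KB arrays until the isolate's limit is exceeded.
const SAMPLES = {
  benign: "[1, 2, 3].map((n) => n * 2).join(',')",
  endlessLoop: "while (true) {}",
  heapBomb: "const a = []; while (true) a.push(new Array(1e5).fill(1));",
};

module.exports = { runUntrusted, SAMPLES };
```

Run `runUntrusted(SAMPLES.endlessLoop, { timeout: 50 })` or the heap bomb with `memoryLimit: 8` to see the sandbox report the kill as `{ ok: false, error }` while the process keeps running.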

@shogunpurple shogunpurple added the do not merge PR is not ready to be merged - generally the PR description should say why label Dec 19, 2023
@shogunpurple shogunpurple marked this pull request as ready for review January 3, 2024 10:54
@shogunpurple shogunpurple requested a review from a team as a code owner January 3, 2024 10:54
@shogunpurple shogunpurple requested review from mike12345567 and removed request for a team January 3, 2024 10:54
@shogunpurple shogunpurple added feature-branch Release this PR code into a feature branch and removed feature-branch Release this PR code into a feature branch labels Jan 3, 2024
@samwho samwho removed the feature-branch Release this PR code into a feature branch label Jan 23, 2024
@shogunpurple shogunpurple changed the base branch from master to revert-12934-revert-12930-revert-12929-revert-12769-isolated-vm February 2, 2024 20:00
shogunpurple commented Feb 2, 2024

Update: I've updated the ironbank image to node 20 and debian, so it's now using the latest master. Changed the base branch of this to point to revert-12934-revert-12930-revert-12929-revert-12769-isolated-vm since it's going to be merged first.

@shogunpurple shogunpurple removed the do not merge PR is not ready to be merged - generally the PR description should say why label Feb 2, 2024
@adrinr adrinr left a comment


Nice to see that the branch has become smaller :)
There are some changes on the submodules, the equivalent PRs will be required.

@shogunpurple shogunpurple merged commit f089a0f into revert-12934-revert-12930-revert-12929-revert-12769-isolated-vm Feb 6, 2024
2 checks passed
@shogunpurple shogunpurple deleted the security/patches branch February 6, 2024 15:42