Description
Hi code-server team! Thank you so much for this great tool; I've been using it for some time and I'm a big fan of it.
What is your suggestion?
Update code-server dependencies to mitigate security vulnerabilities.
Why do you want this feature?
I'm trying to create a custom Docker image that will expose code-server alongside some other dependencies. As part of the CI pipeline, I'm running a Twistlock scan and discovered there are some vulnerabilities present in the image. All of them seem to come from code-server.
I'm using RHEL 8, and the way I installed code-server is the following (with CODE_SERVER_VERSION=4.16.1):
```dockerfile
RUN curl -sfOL https://github.com/coder/code-server/releases/download/v$CODE_SERVER_VERSION/code-server-$CODE_SERVER_VERSION-amd64.rpm \
 && rpm -i code-server-$CODE_SERVER_VERSION-amd64.rpm
```
code-server is installed into /usr/lib/code-server and it's working fine. I double-checked /usr/lib/code-server/node_modules to make sure Twistlock had correctly pointed out the vulnerable dependencies, and it had.
Reported Twistlock vulnerabilities:
| CVE | CVSS | Description | Package name | Package version | Risk factors | Twistlock severity | Status | Published | Fix available |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2023-36665 | 9.8 | protobuf.js (aka protobufjs) 6.10.0 through 7.x before 7.2.4 allows Prototype Pollution, a different vulnerability than CVE-2022-25878. A user-controlled protobuf message can be used by an attacker to pollute the prototype of Object.prototype by adding and overwriting its data and functions. Exploitation can involve: (1) using the function parse to parse protobuf messages on the fly, (2) loading .proto files by using load/loadSync functions, or (3) providing untrusted input to the functions ReflectionObject.setParsedOption and util.setProperty. NOTE: this CVE Record is about `Object.constructor.prototype.<pollute> = ...;` whereas CVE-2022-25878 was about `Object.__proto__.<pollute> = ...;` instead. | protobufjs | 6.11.3 | Attack complexity: low; attack vector: network; DoS: high; has fix; recent vulnerability | critical | fixed in 7.2.4 | 2023-07-05 (48 days) | 2023-07-08 (45 days) |
| CVE-2022-25883 | 7.5 | Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range. | semver | 6.3.0 | Attack complexity: low; attack vector: network; DoS: high; has fix; recent vulnerability | high | fixed in 7.5.2 | 2023-06-21 (62 days) | 2023-06-22 (61 days) |
| CVE-2022-25883 | 7.5 | Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range. | semver | 7.3.5 | Attack complexity: low; attack vector: network; DoS: high; has fix; recent vulnerability | high | fixed in 7.5.2 | 2023-06-21 (62 days) | 2023-06-22 (61 days) |
| CVE-2022-24999 | 7.5 | qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because a `__proto__` key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as `a[__proto__]=b&a[__proto__]&a[length]=100000000`. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable). | qs | 6.7.0 | Attack complexity: low; attack vector: network; DoS: high; exploit exists (PoC); has fix | high | fixed in 6.10.3 | 2022-11-26 (269 days) | 2022-11-26 (269 days) |
Are there any workarounds to get this functionality today?
Possibly, but I'm not aware of them.
Are you interested in submitting a PR for this?
I'm not a JavaScript expert and cannot really bring any value here.