Javascript-node & universal: Update 'decode-uri-component' due to CVE-2022-38900 (#245)

* patch

* add check

* Patch for universal

* update check-version-ge

* update: javascript

* update universal

* update test

* check without --save

* debug

* remove debug

* add checks

* Remove unwanted check!

* remove unwanted checks

Author: samruddhikhandale

build/README.md

@@ -55,12 +55,18 @@ Once you have your build configuration setup, you can use the `vscdc` CLI to tes
     docker run -it --init --privileged --rm mcr.microsoft.com/devcontainers/<expected-repository>:dev-<expected tag> bash
     ```
 
-3. Finally, test manifest/markdown generation by running:
+3. Test manifest generation by running:
 
    ```bash
-   build/vscdc cg --registry mcr.microsoft.com --registry-path devcontainers --release main <you-image-name-here>
+   build/vscdc cg --registry mcr.microsoft.com --registry-path devcontainers --release main <your-image-name-here>
    ```
 
+4. Test markdown image history by running:
+
+    ```bash
+        build/vscdc info --build --markdown --overwrite --registry mcr.microsoft.com --registry-path devcontainers --release main <your-image-name-here>
+    ```
+
 ## Creating a `Dockerfile`
 
 In some cases you may want to include some special instructions for developers. In this case, you can add a custom stub Dockerfile by creating the following files:

build/src/prep.js

@@ -83,9 +83,10 @@ async function prepDockerFile(devContainerDockerfilePath, definitionId, repo, re
             prepResult.devContainerDockerfileModified = replaceFrom(prepResult.devContainerDockerfileModified, `FROM ${prepResult.flattenedBaseImageTag}`);
         }
 
-        // Add variant as an argument to the dockerfile
+        // Add variant & image_variant as an argument to the dockerfile
         if (variant) {
             replaceVariantArg(prepResult);
+            replaceImageVariantEnv(prepResult);
         }
 
         // Generate list of other arguments if applicable and add to the dockefile
@@ -247,6 +248,13 @@ function addBuildArguments(prepResult) {
     return prepResult.devContainerDockerfileModified;
 }
 
+function replaceImageVariantEnv(prepResult) {
+    const variantArg = `ENV IMAGE_VARIANT="${prepResult.meta.variant}"\n`;
+
+    prepResult.devContainerDockerfileModified = (prepResult.devContainerDockerfileModified).replace(new RegExp(".*ENV IMAGE_VARIANT=.*"), variantArg);
+    return prepResult.devContainerDockerfileModified;
+}
+
 module.exports = {
     createStub: createStub,
     updateStub: updateStub,

src/javascript-node/.devcontainer/Dockerfile

@@ -1,7 +1,12 @@
 # [Choice] Node.js version (use -bullseye variants on local arm64/Apple Silicon): 18, 16, 14, 18-bullseye, 16-bullseye, 14-bullseye, 18-buster, 16-buster, 14-buster
-ARG VARIANT=16-bullseye
+ARG VARIANT=18-bullseye
 FROM node:${VARIANT}
 
+ENV IMAGE_VARIANT="18-bullseye"
+
+COPY library-scripts/add-patch.sh /tmp/library-scripts/
+RUN bash /tmp/library-scripts/add-patch.sh "${IMAGE_VARIANT}" && rm -rf /tmp/library-scripts
+
 ARG USERNAME=node
 ARG NPM_GLOBAL=/usr/local/share/npm-global
 

src/javascript-node/.devcontainer/library-scripts/add-patch.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+IMAGE_VARIANT=$1
+
+# Temporary: Upgrade 'decode-uri-component' due to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38900
+# 'decode-uri-component' is installed by the base image (node) for `node:14` which does not have the patch.
+if [[ "${IMAGE_VARIANT}" =~ "14" ]] ; then
+    cd /usr/local/lib/node_modules/npm
+    npm update --save
+fi

src/javascript-node/test-project/test-utils.sh

@@ -27,6 +27,23 @@ check() {
     fi
 }
 
+check-version-ge() {
+    LABEL=$1
+    CURRENT_VERSION=$2
+    REQUIRED_VERSION=$3
+    shift
+    echo -e "\n🧪 Testing $LABEL: '$CURRENT_VERSION' is >= '$REQUIRED_VERSION'"
+    local GREATER_VERSION=$((echo ${CURRENT_VERSION}; echo ${REQUIRED_VERSION}) | sort -V | tail -1)
+    if [ "${CURRENT_VERSION}" == "${GREATER_VERSION}" ]; then
+        echo "✅  Passed!"
+        return 0
+    else
+        echoStderr "❌ $LABEL check failed."
+        FAILED+=("$LABEL")
+        return 1
+    fi
+}
+
 checkMultiple() {
     PASSED=0
     LABEL="$1"

src/javascript-node/test-project/test.sh

@@ -19,14 +19,9 @@ check "nvm" bash -c ". /usr/local/share/nvm/nvm.sh && nvm install 8"
 check "nvm-node" bash -c ". /usr/local/share/nvm/nvm.sh && node --version"
 sudo rm -rf node_modules
 
-check "git" git --version
+git_version=$(git --version)
+check-version-ge "git-requirement" "${git_version}" "git version 2.38.1"
 
-git_version_satisfied=false
-if (echo a version 2.38.1; git --version) | sort -Vk3 | tail -1 | grep -q git; then
-    git_version_satisfied=true
-fi
-
-check "git version satisfies requirement" echo $git_version_satisfied | grep "true"
 
 # Report result
 reportResults

src/universal/.devcontainer/local-features/setup-user/install.sh

@@ -20,6 +20,13 @@ chmod +x /etc/profile.d/00-restore-env.sh
 
 export DEBIAN_FRONTEND=noninteractive
 
+# Temporary: Upgrade NPM packages due to mentioned CVEs.
+# decode-uri-component: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38900
+NPM_PACKAGES_LIST="decode-uri-component"
+
+cd /usr/local/share/nvm/versions/node/v14.21.1/lib/node_modules/npm
+npm install ${NPM_PACKAGES_LIST}
+
 # Enables the oryx tool to generate manifest-dir which is needed for running the postcreate tool
 DEBIAN_FLAVOR="focal-scm"
 mkdir -p /opt/oryx && echo "vso-focal" > /opt/oryx/.imagetype

src/universal/test-project/test-utils.sh

@@ -27,6 +27,23 @@ check() {
     fi
 }
 
+check-version-ge() {
+    LABEL=$1
+    CURRENT_VERSION=$2
+    REQUIRED_VERSION=$3
+    shift
+    echo -e "\n🧪 Testing $LABEL: '$CURRENT_VERSION' is >= '$REQUIRED_VERSION'"
+    local GREATER_VERSION=$((echo ${CURRENT_VERSION}; echo ${REQUIRED_VERSION}) | sort -V | tail -1)
+    if [ "${CURRENT_VERSION}" == "${GREATER_VERSION}" ]; then
+        echo "✅  Passed!"
+        return 0
+    else
+        echoStderr "❌ $LABEL check failed."
+        FAILED+=("$LABEL")
+        return 1
+    fi
+}
+
 checkMultiple() {
     PASSED=0
     LABEL="$1"

src/universal/test-project/test.sh

@@ -170,6 +170,10 @@ check "oryx-install-java-12.0.2" oryx prep --skip-detection --platforms-and-vers
 check "java-12.0.2-installed-by-oryx" ls /opt/java/ | grep 12.0.2
 check "java-version-on-path-is-12.0.2" java --version | grep 12.0.2
 
+cd /usr/local/share/nvm/versions/node/v14.21.1/lib/node_modules/npm
+decodeVersion=$(npm ls --depth 1 --json | jq -r '.dependencies."decode-uri-component".version')
+check-version-ge "decode-uri-component" "${decodeVersion}" "0.2.1"
+
 ls -la /home/codespace
 
 # Report result