
Commit 1fa712e

Javascript-node & universal: Update 'decode-uri-component' due to CVE-2022-38900 (#245)
* patch * add check * Patch for universal * update check-version-ge * update: javascript * update universal * update test * check without --save * debug * remove debug * add checks * Remove unwanted check! * remove unwanted checks
1 parent ddeca8d commit 1fa712e


9 files changed

+80
-11
lines changed

9 files changed

+80
-11
lines changed

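--- a/build/README.md
+++ b/build/README.md
@@ -55,12 +55,18 @@ Once you have your build configuration setup, you can use the `vscdc` CLI to tes
 docker run -it --init --privileged --rm mcr.microsoft.com/devcontainers/<expected-repository>:dev-<expected tag> bash
 ```
 
-3. Finally, test manifest/markdown generation by running:
+3. Test manifest generation by running:
 
 ```bash
-build/vscdc cg --registry mcr.microsoft.com --registry-path devcontainers --release main <you-image-name-here>
+build/vscdc cg --registry mcr.microsoft.com --registry-path devcontainers --release main <your-image-name-here>
 ```
 
+4. Test markdown image history by running:
+
+```bash
+build/vscdc info --build --markdown --overwrite --registry mcr.microsoft.com --registry-path devcontainers --release main <your-image-name-here>
+```
+
 ## Creating a `Dockerfile`
 
 In some cases you may want to include some special instructions for developers. In this case, you can add a custom stub Dockerfile by creating the following files: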

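--- a/build/src/prep.js
+++ b/build/src/prep.js
@@ -83,9 +83,10 @@ async function prepDockerFile(devContainerDockerfilePath, definitionId, repo, re
 prepResult.devContainerDockerfileModified = replaceFrom(prepResult.devContainerDockerfileModified, `FROM ${prepResult.flattenedBaseImageTag}`);
 }
 
-// Add variant as an argument to the dockerfile
+// Add variant & image_variant as an argument to the dockerfile
 if (variant) {
 replaceVariantArg(prepResult);
+replaceImageVariantEnv(prepResult);
 }
 
 // Generate list of other arguments if applicable and add to the dockefile
@@ -247,6 +248,13 @@ function addBuildArguments(prepResult) {
 return prepResult.devContainerDockerfileModified;
 }
 
+function replaceImageVariantEnv(prepResult) {
+const variantArg = `ENV IMAGE_VARIANT="${prepResult.meta.variant}"\n`;
+
+prepResult.devContainerDockerfileModified = (prepResult.devContainerDockerfileModified).replace(new RegExp(".*ENV IMAGE_VARIANT=.*"), variantArg);
+return prepResult.devContainerDockerfileModified;
+}
+
 module.exports = {
 createStub: createStub,
 updateStub: updateStub,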
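Review bot: replaceImageVariantEnv writes the literal text `undefined` into the Dockerfile when `prepResult.meta.variant` is not set, because the template string at 252+ has no guard; the caller at 89+ sits inside `if (variant)`, so this may be unreachable in practice, but a `if (!prepResult.meta || !prepResult.meta.variant) return prepResult.devContainerDockerfileModified;` at the top makes the function safe to call on its own. The regex `.*ENV IMAGE_VARIANT=.*` stops at the end of the line (`.` does not match `\n`) while `variantArg` ends in `\n`, so each rewrite leaves an extra blank line behind the ENV line; dropping the trailing `\n` from `variantArg` keeps the file stable across repeated runs. The function would also benefit from a one-line comment such as `// Rewrite the first ENV IMAGE_VARIANT=... line with the variant being built; the Dockerfile passes it to library-scripts/add-patch.sh.`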

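--- a/src/javascript-node/.devcontainer/Dockerfile
+++ b/src/javascript-node/.devcontainer/Dockerfile
@@ -1,7 +1,12 @@
 # [Choice] Node.js version (use -bullseye variants on local arm64/Apple Silicon): 18, 16, 14, 18-bullseye, 16-bullseye, 14-bullseye, 18-buster, 16-buster, 14-buster
-ARG VARIANT=16-bullseye
+ARG VARIANT=18-bullseye
 FROM node:${VARIANT}
 
+ENV IMAGE_VARIANT="18-bullseye"
+
+COPY library-scripts/add-patch.sh /tmp/library-scripts/
+RUN bash /tmp/library-scripts/add-patch.sh "${IMAGE_VARIANT}" && rm -rf /tmp/library-scripts
+
 ARG USERNAME=node
 ARG NPM_GLOBAL=/usr/local/share/npm-global
 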
Lines changed: 10 additions & 0 deletions
@@ -0,0 +1,10 @@
1+
#!/bin/bash
2+
3+
IMAGE_VARIANT=$1
4+
5+
# Temporary: Upgrade 'decode-uri-component' due to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38900
6+
# 'decode-uri-component' is installed by the base image (node) for `node:14` which does not have the patch.
7+
if [[ "${IMAGE_VARIANT}" =~ "14" ]] ; then
8+
cd /usr/local/lib/node_modules/npm
9+
npm update --save
10+
fi
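Review bot: The `cd` at 8+ is unchecked and the script has no `set -e`, so if `/usr/local/lib/node_modules/npm` is absent `npm update --save` runs in whatever the working directory happens to be and the script still exits 0, which the Dockerfile's `RUN … && rm -rf` then treats as success. `[[ "${IMAGE_VARIANT}" =~ "14" ]]` at 7+ is an unanchored substring match (a quoted right-hand side is literal), so it also fires on any future variant that merely contains `14`; `[[ "${IMAGE_VARIANT}" == 14* ]]` expresses the "node:14" intent the comment states. `npm update --save` also upgrades every dependency in npm's own package.json and rewrites that file, which is broader than the one package the comment names; installing the package at the floor the universal test asserts (`decode-uri-component@0.2.1`) would be narrower and reproducible, assuming npm dedupes the transitive copy onto it (confirm with `npm ls` in the built image). The rewritten script (the path of this new file is not shown in this rendering; the Dockerfile copies it from `library-scripts/add-patch.sh`):
```shell
#!/bin/bash
set -e

IMAGE_VARIANT=$1

# Temporary: Upgrade 'decode-uri-component' due to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38900
# 'decode-uri-component' is installed by the base image (node) for `node:14` which does not have the patch.
# Anchored match: only the 14.x variants, not any tag that happens to contain "14".
if [[ "${IMAGE_VARIANT}" == 14* ]]; then
  cd /usr/local/lib/node_modules/npm || exit 1
  # Pin to the fixed version rather than updating every npm dependency.
  npm install decode-uri-component@0.2.1
fi
```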

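--- a/src/javascript-node/test-project/test-utils.sh
+++ b/src/javascript-node/test-project/test-utils.sh
@@ -27,6 +27,23 @@ check() {
 fi
 }
 
+check-version-ge() {
+LABEL=$1
+CURRENT_VERSION=$2
+REQUIRED_VERSION=$3
+shift
+echo -e "\n🧪 Testing $LABEL: '$CURRENT_VERSION' is >= '$REQUIRED_VERSION'"
+local GREATER_VERSION=$((echo ${CURRENT_VERSION}; echo ${REQUIRED_VERSION}) | sort -V | tail -1)
+if [ "${CURRENT_VERSION}" == "${GREATER_VERSION}" ]; then
+echo "✅ Passed!"
+return 0
+else
+echoStderr "❌ $LABEL check failed."
+FAILED+=("$LABEL")
+return 1
+fi
+}
+
 checkMultiple() {
 PASSED=0
 LABEL="$1"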
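Review bot: check-version-ge assigns `LABEL`, `CURRENT_VERSION` and `REQUIRED_VERSION` at 31+–33+ without `local`, so every call clobbers the global `LABEL` that checkMultiple also assigns, and the `shift` at 34+ has no effect because nothing reads `$@` afterwards. `local GREATER_VERSION=$((echo …` at 36+ begins with `$((`, which bash only treats as a command substitution after failing to parse it as arithmetic; writing `$( (echo …) | sort -V | tail -1)` removes the ambiguity (and the ShellCheck warning), and separating `local` from the assignment stops it masking the pipeline's exit status. The comparison also never validates `CURRENT_VERSION`: an empty string sorts first and fails as expected, but a non-numeric token such as the `null` that jq prints for a missing key would, as far as I can tell, sort after `0.2.1` under `sort -V`, so the check would pass for a package that was never installed. The same function is added verbatim to src/universal/test-project/test-utils.sh, where all of the above applies too.
```shell
check-version-ge() {
  local label=$1 current=$2 required=$3
  local greater
  echo -e "\n🧪 Testing $label: '$current' is >= '$required'"
  # An empty value or jq's literal "null" is not a version; fail instead of version-sorting it as text.
  if [[ -n "$current" && "$current" != "null" ]]; then
    greater=$( (echo "$current"; echo "$required") | sort -V | tail -1)
    if [[ "$current" == "$greater" ]]; then
      echo "✅ Passed!"
      return 0
    fi
  fi
  echoStderr "❌ $label check failed."
  FAILED+=("$label")
  return 1
}
```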

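--- a/src/javascript-node/test-project/test.sh
+++ b/src/javascript-node/test-project/test.sh
@@ -19,14 +19,9 @@ check "nvm" bash -c ". /usr/local/share/nvm/nvm.sh && nvm install 8"
 check "nvm-node" bash -c ". /usr/local/share/nvm/nvm.sh && node --version"
 sudo rm -rf node_modules
 
-check "git" git --version
+git_version=$(git --version)
+check-version-ge "git-requirement" "${git_version}" "git version 2.38.1"
 
-git_version_satisfied=false
-if (echo a version 2.38.1; git --version) | sort -Vk3 | tail -1 | grep -q git; then
-git_version_satisfied=true
-fi
-
-check "git version satisfies requirement" echo $git_version_satisfied | grep "true"
 
 # Report result
 reportResults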
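Review bot: This image now patches decode-uri-component in add-patch.sh, but unlike src/universal/test-project/test.sh this test gains no check that the fixed version is actually present, so a patch that silently did nothing would still pass CI; a `check-version-ge "decode-uri-component" "$(cd /usr/local/lib/node_modules/npm && npm ls --depth 1 --json | jq -r '.dependencies."decode-uri-component".version')" "0.2.1"`, guarded for the 14 variant the same way the patch is and assuming jq is available in the image, would close that gap. Separately, `git_version=$(git --version)` at 22+ is assigned without checking its status, so a missing git binary reaches check-version-ge as an empty string and is reported only as a version mismatch, whereas the removed `check "git" git --version` reported the absence itself; keeping that presence check next to the new comparison costs one line.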

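--- a/src/universal/.devcontainer/local-features/setup-user/install.sh
+++ b/src/universal/.devcontainer/local-features/setup-user/install.sh
@@ -20,6 +20,13 @@ chmod +x /etc/profile.d/00-restore-env.sh
 
 export DEBIAN_FRONTEND=noninteractive
 
+# Temporary: Upgrade NPM packages due to mentioned CVEs.
+# decode-uri-component: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38900
+NPM_PACKAGES_LIST="decode-uri-component"
+
+cd /usr/local/share/nvm/versions/node/v14.21.1/lib/node_modules/npm
+npm install ${NPM_PACKAGES_LIST}
+
 # Enables the oryx tool to generate manifest-dir which is needed for running the postcreate tool
 DEBIAN_FLAVOR="focal-scm"
 mkdir -p /opt/oryx && echo "vso-focal" > /opt/oryx/.imagetype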
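Review bot: `npm install ${NPM_PACKAGES_LIST}` at 28+ installs whatever version is latest at build time into npm's own node_modules, so the image is not reproducible and nothing in this script asserts the version satisfies the fix; the test in src/universal/test-project/test.sh requires 0.2.1, so `NPM_PACKAGES_LIST="decode-uri-component@0.2.1"` (or a caret range on it) pins the floor the build is expected to meet. The `cd` to the hard-coded `v14.21.1` path at 27+ is unchecked; unless the script already runs under `set -e` (not visible in this hunk), a renamed node version leaves it installing into the previous working directory and still exiting 0, so `cd … || exit 1` is worth adding. The `cd` also changes the working directory for the rest of install.sh; `( cd … && npm install ${NPM_PACKAGES_LIST} )` keeps that side effect out of the lines that follow.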

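--- a/src/universal/test-project/test-utils.sh
+++ b/src/universal/test-project/test-utils.sh
@@ -27,6 +27,23 @@ check() {
 fi
 }
 
+check-version-ge() {
+LABEL=$1
+CURRENT_VERSION=$2
+REQUIRED_VERSION=$3
+shift
+echo -e "\n🧪 Testing $LABEL: '$CURRENT_VERSION' is >= '$REQUIRED_VERSION'"
+local GREATER_VERSION=$((echo ${CURRENT_VERSION}; echo ${REQUIRED_VERSION}) | sort -V | tail -1)
+if [ "${CURRENT_VERSION}" == "${GREATER_VERSION}" ]; then
+echo "✅ Passed!"
+return 0
+else
+echoStderr "❌ $LABEL check failed."
+FAILED+=("$LABEL")
+return 1
+fi
+}
+
 checkMultiple() {
 PASSED=0
 LABEL="$1"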

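--- a/src/universal/test-project/test.sh
+++ b/src/universal/test-project/test.sh
@@ -170,6 +170,10 @@ check "oryx-install-java-12.0.2" oryx prep --skip-detection --platforms-and-vers
 check "java-12.0.2-installed-by-oryx" ls /opt/java/ | grep 12.0.2
 check "java-version-on-path-is-12.0.2" java --version | grep 12.0.2
 
+cd /usr/local/share/nvm/versions/node/v14.21.1/lib/node_modules/npm
+decodeVersion=$(npm ls --depth 1 --json | jq -r '.dependencies."decode-uri-component".version')
+check-version-ge "decode-uri-component" "${decodeVersion}" "0.2.1"
+
 ls -la /home/codespace
 
 # Report result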
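Review bot: `decodeVersion` at 174+ becomes the literal string `null` when `decode-uri-component` is absent from the `npm ls --depth 1` output (that is what `jq -r` prints for a missing key), and check-version-ge as added in this commit version-sorts that token against `0.2.1` instead of rejecting it, so as far as I can tell an image where the package was never installed would pass this regression check; a guard before the call, `[[ -n "${decodeVersion}" && "${decodeVersion}" != "null" ]] || decodeVersion="0.0.0"`, makes the missing case fail (0.0.0 is a constructed value chosen to sort below the floor). The `cd` at 173+ is unchecked and changes the working directory for every test that follows; the `ls -la /home/codespace` right after uses an absolute path, but the rest of test.sh is outside this hunk, so a `cd - >/dev/null` after the check, or running the three lines via `pushd`/`popd`, keeps later tests independent of it.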
