Universal: Patch for 'follow-redirect' - CVE-2022-0155 & CVE-2022-0536 (#270)

samruddhikhandale · web-flow · commit 31ee2934aac5 · 2022-12-19T09:28:00.000-08:00
diff --git a/src/universal/.devcontainer/local-features/setup-user/install.sh b/src/universal/.devcontainer/local-features/setup-user/install.sh
@@ -49,6 +49,11 @@ NPM_PACKAGES_LIST="decode-uri-component
 cd /usr/local/share/nvm/versions/node/v14*/lib/node_modules/npm
 npm install ${NPM_PACKAGES_LIST}
 
+# Temporary: Due to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0536 & https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0155
+rm -rf /usr/local/nvs/deps/node_modules/follow-redirects/*
+curl -sSL https://github.com/follow-redirects/follow-redirects/archive/refs/tags/v1.15.2.tar.gz | tar -xzC /tmp 2>&1
+mv /tmp/follow-redirects-1.15.2/*  /usr/local/nvs/deps/node_modules/follow-redirects/
+
 # Enables the oryx tool to generate manifest-dir which is needed for running the postcreate tool
 DEBIAN_FLAVOR="focal-scm"
 mkdir -p /opt/oryx && echo "vso-focal" > /opt/oryx/.imagetype
