[universal] Conda: patch Python due to CVE-2023-32681 and GHSA-5cpq-8wj7-hf2v (devcontainers#627)

* [universal] Conda: patch Python due to CVE-2023-32681 and GHSA-5cpq-8wj7-hf2v

- Reorganize features installation queue;
- Introduce patch-conda feature;

* Review comment: Update features schema and container schema

* Restart checks

* Revert "Review comment: Update features schema and container schema"

This reverts commit 046b94c.

* Review comment: Update features schema and container schema

* Review comment: Add tests

* Set up `installsAfter` for features

* Define `installsAfter` for `patch-conda` feature

* Lock packages version

* Add tests for conda

* Rework patch

* Bump `cryptography` version

* Bump `cryptography` version

* Restart checks

* Add tests

* Revert "Add tests"

This reverts commit a74d406.

* Update test-utils.sh

* Restart checks

* Restart checks

Author: alexander-smolyakov

src/universal/.devcontainer/devcontainer.json

@@ -72,7 +72,8 @@
         "./local-features/jekyll": "latest",
         "ghcr.io/devcontainers/features/oryx:1": "latest",
         "./local-features/setup-user": "latest",
-        "./local-features/patch-python": "latest"
+        "./local-features/patch-python": {},
+        "./local-features/patch-conda": {}
     },
     "overrideFeatureInstallOrder": [
         "ghcr.io/devcontainers/features/common-utils",
@@ -81,11 +82,12 @@
         "ghcr.io/devcontainers/features/hugo",
         "ghcr.io/devcontainers/features/node",
         "./local-features/nvs",
+        "ghcr.io/devcontainers/features/conda",
+        "./local-features/patch-conda",
         "ghcr.io/devcontainers/features/python",
         "./local-features/patch-python",
         "./local-features/machine-learning-packages",
         "ghcr.io/devcontainers/features/php",
-        "ghcr.io/devcontainers/features/conda",
         "ghcr.io/devcontainers/features/ruby",
         "ghcr.io/devcontainers/features/java",
         "ghcr.io/devcontainers/features/sshd",

src/universal/.devcontainer/local-features/machine-learning-packages/devcontainer-feature.json

@@ -4,4 +4,4 @@
 	"installsAfter": [
 		"ghcr.io/devcontainers/features/python"
 	]
-}
+}

src/universal/.devcontainer/local-features/patch-conda/devcontainer-feature.json

@@ -0,0 +1,7 @@
+{
+    "id": "patch-conda",
+    "name": "Patch Conda Packages",
+	"installsAfter": [
+		"ghcr.io/devcontainers/features/conda"
+	]
+}

src/universal/.devcontainer/local-features/patch-conda/install.sh

@@ -0,0 +1,58 @@
+#!/usr/bin/env bash
+#-------------------------------------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See https://go.microsoft.com/fwlink/?linkid=2090316 for license information.
+#-------------------------------------------------------------------------------------------------------------
+
+USERNAME=${USERNAME:-"codespace"}
+
+set -eux
+
+if [ "$(id -u)" -ne 0 ]; then
+    echo -e 'Script must be run as root. Use sudo, su, or add "USER root" to your Dockerfile before running this script.'
+    exit 1
+fi
+
+# Ensure that login shells get the correct path if the user updated the PATH using ENV.
+rm -f /etc/profile.d/00-restore-env.sh
+echo "export PATH=${PATH//$(sh -lc 'echo $PATH')/\$PATH}" > /etc/profile.d/00-restore-env.sh
+chmod +x /etc/profile.d/00-restore-env.sh
+
+export DEBIAN_FRONTEND=noninteractive
+
+sudo_if() {
+    COMMAND="$*"
+    if [ "$(id -u)" -eq 0 ] && [ "$USERNAME" != "root" ]; then
+        su - "$USERNAME" -c "$COMMAND"
+    else
+        "$COMMAND"
+    fi
+}
+
+update_python_package() {
+    PYTHON_PATH=$1
+    PACKAGE=$2
+    VERSION=$3
+
+    sudo_if "$PYTHON_PATH -m pip uninstall --yes $PACKAGE"
+    sudo_if "$PYTHON_PATH -m pip install --upgrade --no-cache-dir $PACKAGE==$VERSION"
+}
+
+update_conda_package() {
+    PACKAGE=$1
+    VERSION=$2
+
+    sudo_if "conda install $PACKAGE=$VERSION"
+}
+
+sudo_if /opt/conda/bin/python3 -m pip install --upgrade pip
+
+# Temporary: Upgrade python packages due to security vulnerabilities
+# They are installed by the conda feature and Conda distribution does not have the patches.
+
+# https://github.com/advisories/GHSA-5cpq-8wj7-hf2v
+update_conda_package pyopenssl "23.2.0"
+update_conda_package cryptography "41.0.2"
+
+# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32681
+update_conda_package requests "2.31.0"

src/universal/test-project/test-utils.sh

@@ -217,3 +217,21 @@ checkDirectoryOwnership() {
         return 1
     fi
 }
+
+checkPythonPackageVersion()
+{
+    PYTHON_PATH=$1
+    PACKAGE=$2
+    REQUIRED_VERSION=$3
+
+    current_version=$(${PYTHON_PATH} -c "import ${PACKAGE}; print(${PACKAGE}.__version__)")
+    check-version-ge "${PACKAGE}-requirement" "${current_version}" "${REQUIRED_VERSION}"
+}
+
+checkCondaPackageVersion()
+{
+    PACKAGE=$1
+    REQUIRED_VERSION=$2
+    current_version=$(conda list "${PACKAGE}" | grep -E "^${PACKAGE}\s" | awk '{print $2}')
+    check-version-ge "conda-${PACKAGE}-requirement" "${current_version}" "${REQUIRED_VERSION}"
+}

src/universal/test-project/test.sh

@@ -55,9 +55,6 @@ check "torch" python -c "import torch; print(torch.__version__)"
 check "requests" python -c "import requests; print(requests.__version__)"
 check "jupyterlab-git" bash -c "python3 -m pip list | grep jupyterlab-git"
 
-setuptools_version=$(python3 -c "import setuptools; print(setuptools.__version__)")
-check-version-ge "setuptools-requirement" "${setuptools_version}" "65.5.1"
-
 # Check JupyterLab
 check "jupyter-lab" jupyter-lab --version
 check "jupyter-lab config" grep ".*.allow_origin = '*'" /home/codespace/.jupyter/jupyter_server_config.py
@@ -187,16 +184,25 @@ check "java-version-on-path-is-12.0.2" java --version | grep 12.0.2
 MAVEN_PATH=$(cd /usr/local/sdkman/candidates/maven/3*/lib/ && pwd)
 check "commons-io-lib" bash -c "ls ${MAVEN_PATH} | grep commons-io-2.11.jar"
 
-wheel_version=$(python -c "import wheel; print(wheel.__version__)")
-check-version-ge "wheel-requirement" "${wheel_version}" "0.38.1"
-
 ls -la /home/codespace
 
-setuptools_version_py_current=$(python -c "import setuptools; print(setuptools.__version__)")
-check-version-ge "setuptools-requirement-python_current" "${setuptools_version_py_current}" "65.5.1"
+## Python - current
+checkPythonPackageVersion "python" "wheel" "0.38.1"
+checkPythonPackageVersion "python" "setuptools" "65.5.1"
+checkPythonPackageVersion "python" "requests" "2.31.0"
+
+## Python 3.9
+checkPythonPackageVersion "/usr/local/python/3.9.*/bin/python" "setuptools" "65.5.1"
+
+## Conda Python
+checkCondaPackageVersion "requests" "2.31.0"
+checkCondaPackageVersion "cryptography" "41.0.2"
+checkCondaPackageVersion "pyopenssl" "23.2.0"
 
-setuptools_version_py_39=$(/usr/local/python/3.9.*/bin/python -c "import setuptools; print(setuptools.__version__)")
-check-version-ge "setuptools-requirement-python_39" "${setuptools_version_py_39}" "65.5.1"
+## Test Conda
+check "conda-update-conda" bash -c "conda update -y conda"
+check "conda-install" bash -c "conda install -c conda-forge --yes tensorflow"
+check "conda-install" bash -c "conda install -c conda-forge --yes pytorch"
 
 # Report result
 reportResults