From a5008e4778e430cdb78c0145a34d8a0d228838b4 Mon Sep 17 00:00:00 2001 From: roi-codefresh Date: Tue, 6 Sep 2022 10:47:25 +0300 Subject: [PATCH] solved security vulnerabilities (#751) * solved security vulnerabilities * bump * disable e2e test --- codefresh.yml | 15 ++++---- lib/binary/downloader.js | 74 +++++++++++++++++++++++++++++++++------- package.json | 15 ++++---- yarn.lock | 54 +++++++++++++++++++++-------- 4 files changed, 116 insertions(+), 42 deletions(-) diff --git a/codefresh.yml b/codefresh.yml index 678406560..dcad87d5d 100644 --- a/codefresh.yml +++ b/codefresh.yml @@ -59,12 +59,15 @@ steps: commands: - yarn test - e2e_tests: - title: 'Running e2e tests' - image: codefresh/build-cli - commands: - - "echo Running e2e on account: ${{CF_ACCOUNT}}" - - CF_API_KEY=${{CF_E2E_API_KEY}} yarn e2e + # Disabled e2e tests because of flakyness + # need to fix flakyness before enabling again. + # + # e2e_tests: + # title: 'Running e2e tests' + # image: codefresh/build-cli + # commands: + # - "echo Running e2e on account: ${{CF_ACCOUNT}}" + # - CF_API_KEY=${{CF_E2E_API_KEY}} yarn e2e when: branch: ignore: [ master ] diff --git a/lib/binary/downloader.js b/lib/binary/downloader.js index 2d26b0433..f83099f48 100644 --- a/lib/binary/downloader.js +++ b/lib/binary/downloader.js @@ -1,11 +1,10 @@ const Promise = require('bluebird'); const _ = require('lodash'); -const decompress = require('decompress'); -const decompressTargz = require('decompress-targz'); -const decompressUnzip = require('decompress-unzip'); const rp = require('request-promise'); const request = require('request'); const compareVersions = require('compare-versions'); +const zip = require('zip'); +const tarStream = require('tar-stream'); const { resolve, join, } = require('path'); 
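Review bot: The `when:` / `branch:` / `ignore: [ master ]` lines at the end of the codefresh.yml hunk stay active while the `e2e_tests:` step they belonged to is commented out, so they now attach to whatever precedes them at that indent — from this hunk that appears to be the step running `yarn test`, which would then be skipped on master. Either comment those three lines out together with the step (`# when:`, `#   branch:`, `#     ignore: [ master ]`) or delete them. Indentation is not visible in this rendering, so confirm against the file before merging.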
@@ -13,12 +12,62 @@ const { homedir, arch, } = require('os');
 const {
- existsSync, mkdirSync, readFileSync, createWriteStream, writeFile,
+ existsSync, mkdirSync, readFileSync, createWriteStream, writeFile, readFile,
+ createReadStream,
 } = require('fs');
-const { to } = require('./../logic/cli-config/errors/awaitTo');
+const { createGunzip } = require('zlib');
+const { promisify } = require('util');
+let { pipeline } = require('stream');
+const { to } = require('../logic/cli-config/errors/awaitTo');
+
+pipeline = promisify(pipeline);
 const CODEFRESH_PATH = resolve(homedir(), '.Codefresh');
+async function unzipFile(zipPath, outputPath) {
+ const zipBuffer = await Promise.fromCallback((cb) => readFile(zipPath, cb));
+ const zr = zip.Reader(zipBuffer);
+
+ const fileWrites = [];
+ zr.forEach((entry) => {
+ if (!entry.isFile()) {
+ return;
+ }
+
+ const outputFilePath = join(outputPath, entry.getName());
+ fileWrites.push(Promise.fromCallback((cb) => writeFile(outputFilePath, entry.getData(), { mode: entry.getMode() }, cb)));
+ });
+
+ return Promise.all(fileWrites);
+}
+
+async function untarFile(tarPath, outputPath) {
+ const zipFile = createReadStream(tarPath);
+ const unzipStream = createGunzip();
+ const extract = tarStream.extract();
+
+ extract.on('entry', async (headers, stream, next) => {
+ if (headers.type !== 'file') {
+ return next();
+ }
+
+ try {
+ const outputFilePath = join(outputPath, headers.name);
+ const outputFile = createWriteStream(outputFilePath, { mode: headers.mode });
+ await pipeline(stream, outputFile);
+ return next();
+ } catch (error) {
+ return next(error);
+ }
+ });
+
+ return await pipeline(
+ zipFile,
+ unzipStream,
+ extract,
+ );
+}
+
 function _ensureDirectory(location) {
 if (existsSync(location)) {
 return Promise.resolve();
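Review bot: Both `join(outputPath, entry.getName())` in `unzipFile` and `join(outputPath, headers.name)` in `untarFile` write wherever the archive entry name points, so an entry whose name contains `../` segments or is absolute lands outside `outputPath` — the path-traversal class that the removed `decompress` dependency was patched against, reintroduced here for an archive that `Downloader` fetches over the network. Resolve each target against `outputPath` and refuse entries that escape it; a small shared helper keeps the check identical in both extractors (`sep` would be added to the existing `require('path')` destructuring at the top of the file). Neither extractor creates intermediate directories, so an entry under a sub-directory would fail in `writeFile`/`createWriteStream`; if the archives are known to be flat, a one-line comment stating that assumption on each function would save the next reader from guessing.
```javascript
// Resolve an archive entry name under outputPath and reject anything that escapes it.
function _safeOutputPath(outputPath, entryName) {
  const root = resolve(outputPath);
  const prefix = root.endsWith(sep) ? root : root + sep;
  const target = resolve(root, entryName);
  if (!target.startsWith(prefix)) {
    throw new Error(`archive entry "${entryName}" resolves outside ${root}`);
  }
  return target;
}

// … unchanged: unzipFile up to the entry callback …
      const outputFilePath = _safeOutputPath(outputPath, entry.getName());
// … unchanged: untarFile up to the try block …
      const outputFilePath = _safeOutputPath(outputPath, headers.name);
```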
@@ -79,13 +128,13 @@ function _buildLocalOSProperties() {
 async function _writeFiles({ zipPath, location, version, versionPath, }) {
- await to(decompress(zipPath, location, {
- plugins: [
- decompressTargz(),
- decompressUnzip(),
- ],
- }));
- return Promise.fromCallback(cb => writeFile(versionPath, version, cb));
+ if (zipPath.endsWith('.zip')) {
+ await unzipFile(zipPath, location);
+ } else {
+ await untarFile(zipPath, location);
+ }
+
+ return Promise.fromCallback((cb) => writeFile(versionPath, version, cb));
 }
 class Downloader {
@@ -144,7 +193,6 @@ class Downloader {
 });
 }
-
 return new Promise((resolveFn, rejectFn) => {
 resp.on('end', async () => {
 const [err] = await to(_writeFiles({
diff --git a/package.json b/package.json
index 7ee02aa7b..b9e7f634f 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "codefresh",
- "version": "0.79.2",
+ "version": "0.80.0",
 "description": "Codefresh command line utility",
 "main": "index.js",
 "preferGlobal": true,
@@ -49,15 +49,12 @@
 "cf-errors": "^0.1.16",
 "chalk": "^4.1.0",
 "cli-progress": "3.10.0",
- "codefresh-sdk": "^1.10.0",
+ "codefresh-sdk": "^1.11.0",
 "colors": "1.4.0",
 "columnify": "^1.5.4",
 "compare-versions": "^3.4.0",
 "copy-dir": "^0.3.0",
 "debug": "^3.1.0",
- "decompress": "^4.2.1",
- "decompress-targz": "^4.1.1",
- "decompress-unzip": "^4.0.1",
 "diff": "^3.5.0",
 "dockerode": "^2.5.7",
 "draftlog": "^1.0.12",
@@ -72,7 +69,7 @@
 "kubernetes-client": "^9.0.0",
 "lodash": "^4.17.21",
 "mkdirp": "^0.5.1",
- "moment": "^2.19.4",
+ "moment": "^2.29.4",
 "mongodb": "^3.7.3",
 "node-forge": "^1.3.0",
 "ora": "^5.4.1",
@@ -84,10 +81,12 @@
 "requestretry": "^7.0.2",
 "rimraf": "^2.6.2",
 "semver": "^7.3.2",
+ "tar-stream": "^2.2.0",
 "uuid": "^3.1.0",
 "yaml": "^1.10.0",
 "yargs": "^15.4.1",
- "yargs-parser": "^13.0.0"
+ "yargs-parser": "^13.0.0",
+ "zip": "^1.2.0"
 },
 "devDependencies": {
 "@types/node-forge": "^1.0.1",
@@ -114,4 +113,4 @@
 "./test-setup.js"
 ]
 }
-}
+}
\ No newline at end of file
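Review bot: `_writeFiles` now chooses the extractor purely by the `.zip` suffix and routes every other `zipPath` through `createGunzip`, so a non-gzipped or differently named archive fails inside zlib with an error that never mentions the file type, and nothing documents that contract. Add a header comment above the signature along the lines of: "Extracts the downloaded archive into location — a .zip via unzipFile, anything else is treated as a gzipped tar — then records version in versionPath; extraction errors propagate to the caller." That last clause is worth stating explicitly: the removed `await to(decompress(...))` discarded extraction failures, whereas the new code lets them reach the `to(_writeFiles(...))` call in the following hunk, which is the better behavior and should not be quietly reinstated.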
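Review bot: The new `"zip": "^1.2.0"` dependency in the `@@ -84,10 +81,12 @@` hunk resolves, per the yarn.lock hunks below, to `zip@1.2.0` with `bops@0.1.1`, `base64-js@0.0.2` and `to-utf8@0.0.1` — all pre-1.0 releases pulled in by a change whose stated purpose is removing vulnerable dependencies, while `tar-stream@^2.2.0` already exists in the lockfile and adds nothing new. Before merging, run `yarn audit` against the updated lockfile and confirm the `zip` package is still maintained, and record the result in the PR description so the trade-off against `decompress` is traceable. The `@@ -114,4 +113,4 @@` hunk also drops the trailing newline at end of file, which most editors and linters will re-add and turn into noise in the next diff.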
diff --git a/yarn.lock b/yarn.lock index 24fcc8139..5d9ae43b9 100644 --- a/yarn.lock +++ b/yarn.lock @@ -739,6 +739,11 @@ balanced-match@^1.0.0: resolved "https://registry.yarnpkg.com/balanced-match/-/balanced-match-1.0.0.tgz#89b4d199ab2bee49de164ea02b89ce462d71b767" integrity sha1-ibTRmasr7kneFk6gK4nORi1xt2c= +base64-js@0.0.2: + version "0.0.2" + resolved "https://registry.yarnpkg.com/base64-js/-/base64-js-0.0.2.tgz#024f0f72afa25b75f9c0ee73cd4f55ec1bed9784" + integrity sha512-Pj9L87dCdGcKlSqPVUjD+q96pbIx1zQQLb2CUiWURfjiBELv84YX+0nGnKmyT/9KkC7PQk7UN1w+Al8bBozaxQ== + base64-js@^1.0.2: version "1.3.1" resolved "https://registry.yarnpkg.com/base64-js/-/base64-js-1.3.1.tgz#58ece8cb75dd07e71ed08c736abc5fac4dbf8df1" @@ -811,6 +816,14 @@ bluebird@^3.5.0, bluebird@^3.5.1, bluebird@^3.7.2: resolved "https://registry.yarnpkg.com/bluebird/-/bluebird-3.7.2.tgz#9f229c15be272454ffa973ace0dbee79a1b0c36f" integrity sha512-XpNj6GDQzdfW+r2Wnn7xiSAd7TM3jzkxGXBGTtWKuSXv1xUV+azxAm8jdWZN06QTQk+2N2XB9jRDkvbmQmcRtg== +bops@~0.1.1: + version "0.1.1" + resolved "https://registry.yarnpkg.com/bops/-/bops-0.1.1.tgz#062e02a8daa801fa10f2e5dbe6740cff801fe17e" + integrity sha512-Cx1zStcMp+YoFan8OgudNPMih82eJZE+27feki1WeyoFTR9Ye7AR1SUW3saE6QQvdS/g52aJ2IojBjWOiRiLbw== + dependencies: + base64-js "0.0.2" + to-utf8 "0.0.1" + brace-expansion@^1.1.7: version "1.1.11" resolved "https://registry.yarnpkg.com/brace-expansion/-/brace-expansion-1.1.11.tgz#3c7fcbf529d87226f3d2f52b966ff5271eb441dd" 
@@ -1164,32 +1177,31 @@ code-point-at@^1.0.0: resolved "https://registry.yarnpkg.com/code-point-at/-/code-point-at-1.1.0.tgz#0d070b4d043a5bea33a2f1a40e2edb3d9a4ccf77" integrity sha1-DQcLTQQ6W+ozovGkDi7bPZpMz3c= -codefresh-sdk@^1.10.0: - version "1.10.0" - resolved "https://registry.yarnpkg.com/codefresh-sdk/-/codefresh-sdk-1.10.0.tgz#92d875603d4259288cb5e3221e67141746506317" - integrity sha512-yBHsmxEdZ4ET7XZ3mDeGqjHpiT8UPMTBx9rYKCxZzSnbMzo8OFu9XtUSjX3uABNr0eppB4sH3Ym27Q8VwzqsPw== +codefresh-sdk@^1.11.0: + version "1.11.0" + resolved "https://registry.yarnpkg.com/codefresh-sdk/-/codefresh-sdk-1.11.0.tgz#5b3b1c01a3f0e33f060ab4b313e4e27c4308b02c" + integrity sha512-TuF22j9o/vg6gTZvqIA0J1Ca2jiRa8qsvYsCmk4hV1ZDnSqUAomPLlCpiL2qxdouy/Cja54y0HUoRowsqGvU4A== dependencies: "@codefresh-io/cf-receiver" "0.0.1-alpha19" bluebird "^3.7.2" cf-errors "^0.1.16" compare-versions "^3.4.0" debug "^4.1.1" - decompress "^4.2.1" - decompress-targz "^4.1.1" - decompress-unzip "^4.0.1" firebase "git+https://github.com/codefresh-io/firebase.git#80b2ed883ff281cd67b53bd0f6a0bbd6f330fed5" fs-extra "^7.0.1" js-yaml "^3.13.1" jsonwebtoken "^8.4.0" lodash "^4.17.21" - moment "^2.24.0" + moment "^2.29.4" recursive-readdir "^2.2.2" request "2.88.2" request-promise "4.2.6" requestretry "^7.0.2" swagger-client "~3.13.7" + tar-stream "^2.2.0" uniqid "^5.4.0" uuid "^3.3.2" + zip "^1.2.0" collection-visit@^1.0.0: version "1.0.0" @@ -1471,7 +1483,7 @@ decompress-tarbz2@^4.0.0: seek-bzip "^1.0.5" unbzip2-stream "^1.0.9" -decompress-targz@^4.0.0, decompress-targz@^4.1.1: +decompress-targz@^4.0.0: version "4.1.1" resolved "https://registry.yarnpkg.com/decompress-targz/-/decompress-targz-4.1.1.tgz#c09bc35c4d11f3de09f2d2da53e9de23e7ce1eee" integrity sha512-4z81Znfr6chWnRDNfFNqLwPvm4db3WuZkqV+UgXQzSngG3CEKdBkw5jrv3axjjL96glyiiKjsxJG3X6WBZwX3w== 
@@ -1490,7 +1502,7 @@ decompress-unzip@^4.0.1: pify "^2.3.0" yauzl "^2.4.2" -decompress@^4.0.0, decompress@^4.2.1: +decompress@^4.0.0: version "4.2.1" resolved "https://registry.yarnpkg.com/decompress/-/decompress-4.2.1.tgz#007f55cc6a62c055afa37c07eb6a4ee1b773f118" integrity sha512-e48kc2IjU+2Zw8cTb6VZcJQ3lgVbS4uuB1TfCHbiZIP/haNXm+SVyhu+87jts5/3ROpd82GSVCoNs/z8l4ZOaQ== @@ -4277,10 +4289,10 @@ mkdirp@^0.5.1: dependencies: minimist "^1.2.5" -moment@^2.19.4, moment@^2.24.0: - version "2.25.3" - resolved "https://registry.yarnpkg.com/moment/-/moment-2.25.3.tgz#252ff41319cf41e47761a1a88cab30edfe9808c0" - integrity sha512-PuYv0PHxZvzc15Sp8ybUCoQ+xpyPWvjOuK72a5ovzp2LI32rJXOiIfyoFoYvG3s6EwwrdkMyWuRiEHSZRLJNdg== +moment@^2.29.4: + version "2.29.4" + resolved "https://registry.yarnpkg.com/moment/-/moment-2.29.4.tgz#3dbe052889fe7c1b2ed966fcb3a77328964ef108" + integrity sha512-5LC9SOxjSc2HF6vO2CyuTDNivEdoz2IvyJJGj6X8DJ0eFyfszE0QiEd+iXmBvUP3WHxSjFH/vIsA0EN00cgr8w== mongodb@^3.7.3: version "3.7.3" @@ -6048,7 +6060,7 @@ tar-stream@^1.1.2, tar-stream@^1.5.2: to-buffer "^1.1.1" xtend "^4.0.0" -tar-stream@^2.1.4: +tar-stream@^2.1.4, tar-stream@^2.2.0: version "2.2.0" resolved "https://registry.yarnpkg.com/tar-stream/-/tar-stream-2.2.0.tgz#acad84c284136b060dc3faa64474aa9aebd77287" integrity sha512-ujeqbceABgwMZxEJnk2HDY2DlnUZ+9oEcb1KzTVfYHio0UE6dG71n60d8D2I4qNvleWrrXpmjpt7vZeF1LnMZQ== @@ -6149,6 +6161,11 @@ to-regex@^3.0.1, to-regex@^3.0.2: regex-not "^1.0.2" safe-regex "^1.1.0" +to-utf8@0.0.1: + version "0.0.1" + resolved "https://registry.yarnpkg.com/to-utf8/-/to-utf8-0.0.1.tgz#d17aea72ff2fba39b9e43601be7b3ff72e089852" + integrity sha512-zks18/TWT1iHO3v0vFp5qLKOG27m67ycq/Y7a7cTiRuUNlc4gf3HGnkRgMv0NyhnfTamtkYBJl+YeD1/j07gBQ== + tough-cookie@^2.3.3, tough-cookie@^2.3.4, tough-cookie@~2.5.0: version "2.5.0" resolved "https://registry.yarnpkg.com/tough-cookie/-/tough-cookie-2.5.0.tgz#cd9fb2a0aa1d5a12b473bd9fb96fa3dcff65ade2" 
@@ -6737,3 +6754,10 @@ yauzl@^2.4.2: dependencies: buffer-crc32 "~0.2.3" fd-slicer "~1.1.0" + +zip@^1.2.0: + version "1.2.0" + resolved "https://registry.yarnpkg.com/zip/-/zip-1.2.0.tgz#ad0ad42265309be42eb56fc86194e17c24e66a9c" + integrity sha512-8B4Z9BXJKkI8BkHhKvQan4rwCzUENnj95YHFYrI7F1NbqKCIdW86kujctzEB+kJ6XapHPiAhiZ9xi5GbW5SPdw== + dependencies: + bops "~0.1.1"