From 485710538dd692dacff70cf14a61e03f6da0fe2a Mon Sep 17 00:00:00 2001 From: Brian Gough Date: Mon, 27 May 2024 10:00:48 +0100 Subject: [PATCH] [CE/SP] Hotfix 5.0.4 (#18434) * [CE/SP] Hotfix 5.0.4 Remove unused packages with vulnerable dependencies. Upgrade sanitize-html in scripts directory to get security updates. Upgrade swagger-tools dependencies to get security updates. * add note about overrides to server pro release checklist * remove unused services/web/scripts/translations directory from server-pro * include #18393 and #18444 in server pro hotfix 5.0.4 * clean up after patching package-lock apply package-lock patch at start of hotfix build run npm audit at end of hotfix build GitOrigin-RevId: a253def01d481961cd16f4374e2ccffa00417c1f --- server-ce/hotfix/5.0.4/Dockerfile | 30 +++++++ server-ce/hotfix/5.0.4/pr_18393.patch | 111 ++++++++++++++++++++++++++ server-ce/hotfix/5.0.4/pr_18433.patch | 63 +++++++++++++++ server-ce/hotfix/5.0.4/pr_18444.patch | 41 ++++++++++ 4 files changed, 245 insertions(+) create mode 100644 server-ce/hotfix/5.0.4/Dockerfile create mode 100644 server-ce/hotfix/5.0.4/pr_18393.patch create mode 100644 server-ce/hotfix/5.0.4/pr_18433.patch create mode 100644 server-ce/hotfix/5.0.4/pr_18444.patch diff --git a/server-ce/hotfix/5.0.4/Dockerfile b/server-ce/hotfix/5.0.4/Dockerfile new file mode 100644 index 0000000000..e5def9d8a4 --- /dev/null +++ b/server-ce/hotfix/5.0.4/Dockerfile @@ -0,0 +1,30 @@ +FROM sharelatex/sharelatex:5.0.3 + +# apply an override to the swagger-tools package to force security updates to multer and qs +# from https://github.com/overleaf/internal/pull/18433 +COPY pr_18433.patch . +RUN patch -p1 < pr_18433.patch && rm pr_18433.patch +RUN npm install --include-workspace-root -w services/history-v1 swagger-tools@0.10.4 && rm -rf /root/.cache /root/.npm $(find /tmp/ -mindepth 1 -maxdepth 1) + +# remove google-cloud packages which are unused in server-pro have a vulnerable dependency +RUN npm uninstall -w libraries/logger @google-cloud/logging-bunyan +RUN npm uninstall -w libraries/metrics @google-cloud/opentelemetry-cloud-trace-exporter @google-cloud/profiler + +# the passport-twitter package has been removed from the monorepo +RUN npm uninstall -w services/web passport-twitter + +# remove the unused services/web/scripts/translations directory +RUN rm -r services/web/scripts/translations + +# Validate URL protocol before opening from Visual Editor tooltip +# from https://github.com/overleaf/internal/pull/18393 +COPY pr_18393.patch . +RUN patch -p1 < pr_18393.patch && rm pr_18393.patch + +# Set isEvalSupported to false when loading a PDF document +# from https://github.com/overleaf/internal/pull/18444 +COPY pr_18444.patch . +RUN patch -p1 < pr_18444.patch && rm pr_18444.patch + +# ensure that the vulnerability audit is run after all changes +RUN npm audit --audit-level=high diff --git a/server-ce/hotfix/5.0.4/pr_18393.patch b/server-ce/hotfix/5.0.4/pr_18393.patch new file mode 100644 index 0000000000..13da910e98 --- /dev/null +++ b/server-ce/hotfix/5.0.4/pr_18393.patch @@ -0,0 +1,111 @@ +diff --git a/services/web/frontend/js/features/source-editor/components/command-tooltip/href-tooltip.tsx b/services/web/frontend/js/features/source-editor/components/command-tooltip/href-tooltip.tsx +index a0d681d9cb5..2f9a4333cd6 100644 +--- a/services/web/frontend/js/features/source-editor/components/command-tooltip/href-tooltip.tsx ++++ b/services/web/frontend/js/features/source-editor/components/command-tooltip/href-tooltip.tsx +@@ -17,6 +17,7 @@ import { + import { Button, ControlLabel, FormControl, FormGroup } from 'react-bootstrap' + import Icon from '../../../../shared/components/icon' + import { EditorState } from '@codemirror/state' ++import { openURL } from '@/features/source-editor/utils/url' + + export const HrefTooltipContent: FC = () => { + const state = useCodeMirrorStateContext() +@@ -108,7 +109,7 @@ export const HrefTooltipContent: FC = () => { + className="ol-cm-command-tooltip-link" + onClick={() => { + // TODO: unescape content +- window.open(url, '_blank') ++ openURL(url) + }} + > + +diff --git a/services/web/frontend/js/features/source-editor/components/command-tooltip/url-tooltip.tsx b/services/web/frontend/js/features/source-editor/components/command-tooltip/url-tooltip.tsx +index c51b497de01..632d71dd031 100644 +--- a/services/web/frontend/js/features/source-editor/components/command-tooltip/url-tooltip.tsx ++++ b/services/web/frontend/js/features/source-editor/components/command-tooltip/url-tooltip.tsx +@@ -9,6 +9,7 @@ import { + } from '../../lezer-latex/latex.terms.mjs' + import Icon from '../../../../shared/components/icon' + import { EditorState } from '@codemirror/state' ++import { openURL } from '@/features/source-editor/utils/url' + + export const UrlTooltipContent: FC = () => { + const { t } = useTranslation() +@@ -23,7 +24,7 @@ export const UrlTooltipContent: FC = () => { + onClick={() => { + const url = readUrl(state) + if (url) { +- window.open(url, '_blank') ++ openURL(url) + } + }} + > +diff --git a/services/web/frontend/js/features/source-editor/utils/url.ts b/services/web/frontend/js/features/source-editor/utils/url.ts +new file mode 100644 +index 00000000000..8bfc9bdeab8 +--- /dev/null ++++ b/services/web/frontend/js/features/source-editor/utils/url.ts +@@ -0,0 +1,11 @@ ++const ALLOWED_PROTOCOLS = ['https:', 'http:'] ++ ++export const openURL = (content: string) => { ++ const url = new URL(content, document.location.href) ++ ++ if (!ALLOWED_PROTOCOLS.includes(url.protocol)) { ++ throw new Error(`Not opening URL with protocol ${url.protocol}`) ++ } ++ ++ window.open(url, '_blank') ++} +diff --git a/services/web/test/frontend/features/source-editor/components/codemirror-editor-visual-command-tooltip.spec.tsx b/services/web/test/frontend/features/source-editor/components/codemirror-editor-visual-command-tooltip.spec.tsx +index 837f90a64ab..d46b522a116 100644 +--- a/services/web/test/frontend/features/source-editor/components/codemirror-editor-visual-command-tooltip.spec.tsx ++++ b/services/web/test/frontend/features/source-editor/components/codemirror-editor-visual-command-tooltip.spec.tsx +@@ -54,8 +54,8 @@ describe(' command tooltip in Visual mode', function () { + // open the link + cy.findByRole('button', { name: 'Go to page' }).click() + cy.get('@window-open').should( +- 'have.been.calledOnceWithExactly', +- 'https://example.com', ++ 'have.been.calledWithMatch', ++ Cypress.sinon.match.has('href', 'https://example.com/'), + '_blank' + ) + +@@ -112,8 +112,8 @@ describe(' command tooltip in Visual mode', function () { + // open the link + cy.findByRole('button', { name: 'Go to page' }).click() + cy.get('@window-open').should( +- 'have.been.calledOnceWithExactly', +- 'https://example.com', ++ 'have.been.calledWithMatch', ++ Cypress.sinon.match.has('href', 'https://example.com/'), + '_blank' + ) + }) +diff --git a/services/web/test/frontend/features/source-editor/components/codemirror-editor-visual-tooltips.spec.tsx b/services/web/test/frontend/features/source-editor/components/codemirror-editor-visual-tooltips.spec.tsx +index c6e28f9eeeb..106a80ba187 100644 +--- a/services/web/test/frontend/features/source-editor/components/codemirror-editor-visual-tooltips.spec.tsx ++++ b/services/web/test/frontend/features/source-editor/components/codemirror-editor-visual-tooltips.spec.tsx +@@ -42,8 +42,8 @@ describe(' tooltips in Visual mode', function () { + }) + cy.findByRole('button', { name: 'Go to page' }).click() + cy.get('@open-window').should( +- 'have.been.calledOnceWithExactly', +- 'https://example.com/foo', ++ 'have.been.calledWithMatch', ++ Cypress.sinon.match.has('href', 'https://example.com/foo'), + '_blank' + ) + cy.findByRole('button', { name: 'Remove link' }).click() +@@ -62,8 +62,8 @@ describe(' tooltips in Visual mode', function () { + }) + cy.findByRole('button', { name: 'Go to page' }).click() + cy.get('@open-window').should( +- 'have.been.calledOnceWithExactly', +- 'https://example.com', ++ 'have.been.calledWithMatch', ++ Cypress.sinon.match.has('href', 'https://example.com/'), + '_blank' + ) + }) diff --git a/server-ce/hotfix/5.0.4/pr_18433.patch b/server-ce/hotfix/5.0.4/pr_18433.patch new file mode 100644 index 0000000000..1e14f239ab --- /dev/null +++ b/server-ce/hotfix/5.0.4/pr_18433.patch @@ -0,0 +1,63 @@ +diff --git a/package-lock.json b/package-lock.json +index b9eba6086b..bb1a5cebaf 100644 +--- a/package-lock.json ++++ b/package-lock.json +@@ -70674,8 +70674,7 @@ + "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==" + }, + "multer": { +- "version": "1.4.4", +- "resolved": "https://registry.npmjs.org/multer/-/multer-1.4.4.tgz", ++ "version": "https://registry.npmjs.org/multer/-/multer-1.4.4.tgz", + "integrity": "sha512-2wY2+xD4udX612aMqMcB8Ws2Voq6NIUPEtD1be6m411T4uDH/VtL9i//xvcyFlTVfRdaBsk7hV5tgrGQqhuBiw==", + "requires": { + "append-field": "^1.0.0", +@@ -76995,10 +76994,10 @@ + "js-yaml": "^3.3.1", + "json-refs": "^3.0.2", + "lodash": "^4.17.4", +- "multer": "^1.1.0", ++ "multer": "1.4.5-lts.1", + "parseurl": "^1.3.0", + "path-to-regexp": "^2.0.0", +- "qs": "^6.0.3", ++ "qs": "6.5.3", + "serve-static": "^1.10.0", + "spark-md5": "^3.0.0", + "superagent": "^3.5.2", +@@ -77035,7 +77034,7 @@ + "http-errors": "~1.6.2", + "iconv-lite": "0.4.19", + "on-finished": "~2.3.0", +- "qs": "6.5.1", ++ "qs": "6.5.3", + "raw-body": "2.3.2", + "type-is": "~1.6.15" + }, +@@ -77109,8 +77108,7 @@ + "integrity": "sha512-G6zHoVqC6GGTQkZwF4lkuEyMbVOjoBKAEybQUypI1WTkqinCOrq2x6U2+phkJ1XsEMTy4LjtwPI7HW+NVrRR2w==" + }, + "qs": { +- "version": "6.5.1", +- "resolved": "https://registry.npmjs.org/qs/-/qs-6.5.1.tgz", ++ "version": "https://registry.npmjs.org/qs/-/qs-6.5.1.tgz", + "integrity": "sha512-eRzhrN1WSINYCDCbrz796z37LOe3m5tmW7RQf6oBntukAG1nmovJvhnwHHRMAfeoItc1m2Hk02WER2aQ/iqs+A==" + }, + "raw-body": { +diff --git a/package.json b/package.json +index f092472caf..329d4fc5ce 100644 +--- a/package.json ++++ b/package.json +@@ -1,6 +1,12 @@ + { + "name": "overleaf", + "private": true, ++ "overrides": { ++ "swagger-tools": { ++ "multer": "1.4.5-lts.1", ++ "qs": "6.5.3" ++ } ++ }, + "dependencies": { + "patch-package": "^8.0.0" + }, diff --git a/server-ce/hotfix/5.0.4/pr_18444.patch b/server-ce/hotfix/5.0.4/pr_18444.patch new file mode 100644 index 0000000000..6e3612955c --- /dev/null +++ b/server-ce/hotfix/5.0.4/pr_18444.patch @@ -0,0 +1,41 @@ +diff --git a/services/web/frontend/js/features/file-view/components/file-view-pdf.tsx b/services/web/frontend/js/features/file-view/components/file-view-pdf.tsx +index 4d3b80bb9a2..3efc61a2199 100644 +--- a/services/web/frontend/js/features/file-view/components/file-view-pdf.tsx ++++ b/services/web/frontend/js/features/file-view/components/file-view-pdf.tsx +@@ -33,7 +33,10 @@ const FileViewPdf: FC<{ + return + } + +- const pdf = await PDFJS.getDocument(preview.url).promise ++ const pdf = await PDFJS.getDocument({ ++ url: preview.url, ++ isEvalSupported: false, ++ }).promise + + // bail out if loading the PDF took too long + if (!mountedRef.current) { +diff --git a/services/web/frontend/js/features/pdf-preview/util/pdf-js-wrapper.js b/services/web/frontend/js/features/pdf-preview/util/pdf-js-wrapper.js +index 9b419b1397f..6a92630a215 100644 +--- a/services/web/frontend/js/features/pdf-preview/util/pdf-js-wrapper.js ++++ b/services/web/frontend/js/features/pdf-preview/util/pdf-js-wrapper.js +@@ -96,6 +96,7 @@ export default class PDFJSWrapper { + rangeChunkSize, + disableAutoFetch: true, + disableStream, ++ isEvalSupported: false, + textLayerMode: 2, // PDFJSViewer.TextLayerMode.ENABLE, + range: rangeTransport, + }) +diff --git a/services/web/frontend/js/features/source-editor/extensions/visual/visual-widgets/graphics.ts b/services/web/frontend/js/features/source-editor/extensions/visual/visual-widgets/graphics.ts +index 7321f9e02b5..f6c744aaec2 100644 +--- a/services/web/frontend/js/features/source-editor/extensions/visual/visual-widgets/graphics.ts ++++ b/services/web/frontend/js/features/source-editor/extensions/visual/visual-widgets/graphics.ts +@@ -143,7 +143,7 @@ export class GraphicsWidget extends WidgetType { + return + } + +- const pdf = await PDFJS.getDocument(url).promise ++ const pdf = await PDFJS.getDocument({ url, isEvalSupported: false }).promise + const page = await pdf.getPage(1) + + // bail out if loading the PDF took too long