mirror of
https://github.com/status-im/sourcecred.git
synced 2025-01-16 23:51:31 +00:00
5727a831a9
Note, unless you used the SourceCred Docker image's bundled npm or yarn to install your own package.json dependencies, you were not vulnerable. Otherwise the same risk applies as [in this NPM blog][1]. You can patch the vulnerability by using the latest Docker image using `docker pull sourcecred/sourcecred` as soon as this commit is included in the latest release.

## Commit details

In a [recent security issue][1] found in NPM and Yarn, handling binary file installation has changed. Quoting from there:

> The bin script linking libraries in use in npm v6.13.4 were
> updated such that, when installing binary entries of top-level
> globally installed packages, they will only overwrite existing
> binary files if they are currently installed on behalf of the
> same package being installed. For example, npm install --global
> foo could overwrite /usr/local/bin/foo if and only if
> /usr/local/bin/foo is currently a link to a previously installed
> version of foo.

In our case, we specifically want this behavior in our Dockerfile. The node:12 base image comes with an NPM and Yarn version installed. We're using `npm i -g yarn@<version>` to upgrade the yarn installation to a predictable minimum, should we have an older version from the base image. But since they're from different installation sources, it causes an error as it would overwrite the yarn binary that wasn't previously owned by npm install.

Our own package.json or yarn.lock did not appear to have any risk of exploitation. However, since we bundle our image with npm and yarn, people using our image could in theory use it to install their own packages. Meaning we should include the fixed npm and yarn versions to protect users in such a scenario.

[1]: https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli
22 lines
508 B
Docker
```dockerfile
FROM node:12

# docker build -t sourcecred .

# Set up working directory.
RUN mkdir -p /code
WORKDIR /code

# Install global and local dependencies first so they can be cached.
# -f (force) is required here: as of npm v6.13.4, npm refuses to overwrite a
# bin link it did not create, and node:12 ships a yarn binary from a
# different installation source (see the commit message above).
RUN npm install -gf yarn@^1.21.1
COPY package.json yarn.lock /code/
RUN yarn

# Declare data directory.
ARG SOURCECRED_DEFAULT_DIRECTORY=/data
ENV SOURCECRED_DIRECTORY ${SOURCECRED_DEFAULT_DIRECTORY}

# Install the remainder of our code.
COPY . /code
RUN yarn backend

ENTRYPOINT ["/bin/bash", "/code/scripts/docker-entrypoint.sh"]
```
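To illustrate the ownership rule quoted in the commit message, and why the Dockerfile above needs `-f`, here is an added POSIX shell example (not npm's or SourceCred's code). The `opt/yarn-base` and `lib/node_modules/yarn` paths are constructed stand-ins for the base image's yarn and the yarn that npm installs globally.

```shell
#!/bin/sh
# Added example modelling the npm v6.13.4 bin-linking rule: a bin link may be
# replaced only if it already resolves into the directory of the package
# being installed. The directory layout in demo() is constructed.

# bin_owned_by_pkg LINK PKGDIR -> 0 if LINK is a symlink into PKGDIR, else 1
bin_owned_by_pkg() {
    _link="$1"; _pkg="$2"
    [ -L "$_link" ] || return 1
    _resolved=$(readlink -f "$_link") || return 1
    _pkg=$(readlink -f "$_pkg") || return 1
    case "$_resolved" in
        "$_pkg"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# safe_link_bin LINK TARGET PKGDIR: create LINK if absent, replace it only if
# PKGDIR already owns it; otherwise refuse with status 2 (npm without -f).
safe_link_bin() {
    link="$1"; target="$2"; pkgdir="$3"
    if [ -e "$link" ] || [ -L "$link" ]; then
        bin_owned_by_pkg "$link" "$pkgdir" || return 2
    fi
    ln -sf "$target" "$link"
}

# demo: reproduce the node:12 situation from the commit message. The base
# image's yarn link is not owned by the npm-installed yarn package, so the
# first install is refused; once the link points into the package (what
# `npm install -gf` achieves), a later upgrade is allowed.
demo() {
    root=$(mktemp -d)
    base="$root/opt/yarn-base"          # yarn shipped by the base image (constructed)
    pkg="$root/lib/node_modules/yarn"   # yarn that npm installs globally (constructed)
    mkdir -p "$base/bin" "$pkg/bin" "$root/bin"
    : > "$base/bin/yarn.js"; : > "$pkg/bin/yarn.js"
    ln -s "$base/bin/yarn.js" "$root/bin/yarn"   # link owned by the base image
    if safe_link_bin "$root/bin/yarn" "$pkg/bin/yarn.js" "$pkg"; then r1=replaced; else r1=refused; fi
    ln -sf "$pkg/bin/yarn.js" "$root/bin/yarn"   # forced relink, as -f does
    if safe_link_bin "$root/bin/yarn" "$pkg/bin/yarn.js" "$pkg"; then r2=replaced; else r2=refused; fi
    rm -rf "$root"
    echo "$r1 $r2"   # -> "refused replaced"
}
```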