code-server 3.9.1 uses nodejs packages with vulnerabilities

[PatrickDerichs]

We use code-server in docker images with reverse proxy and when you scan the image afterwards with trivy, we get a couple of hits in vulnerabilities:

+---------+------------------+----------+-------------------+---------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+---------+------------------+----------+-------------------+---------------+---------------------------------------+
| tar     | CVE-2018-20834   | HIGH     | 2.2.1             | 4.4.2, 2.2.2  | nodejs-tar: Arbitrary file            |
|         |                  |          |                   |               | overwrites when extracting            |
|         |                  |          |                   |               | tarballs containing a hard-link       |
|         |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2018-20834 |
+---------+------------------+----------+-------------------+---------------+---------------------------------------+

usr/lib/code-server/yarn.lock
=============================
Total: 2 (HIGH: 2, CRITICAL: 0)

+------------+------------------+----------+-------------------+---------------+--------------------------------------+
|  LIBRARY   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                TITLE                 |
+------------+------------------+----------+-------------------+---------------+--------------------------------------+
| ini        | CVE-2020-7788    | HIGH     | 1.3.5             | 1.3.6         | nodejs-ini: prototype pollution      |
|            |                  |          |                   |               | via malicious INI file               |
|            |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-7788 |
+------------+------------------+          +-------------------+---------------+--------------------------------------+
| node-forge | CVE-2020-7720    |          | 0.7.6             | 0.10.0        | nodejs-node-forge:                   |
|            |                  |          |                   |               | prototype pollution via              |
|            |                  |          |                   |               | the util.setPath function            |
|            |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-7720 |
+------------+------------------+----------+-------------------+---------------+--------------------------------------+

These seem to be part of the yarn.locks/package.jsons from the code-server base. I have tried to patch said packages by using resolutions in the package.jsons, but updating these packages seem to break code-server as it won't load vscode properly anymore.

• Web Browser: Chrome
• Local OS: Ubuntu
• Remote OS: Ubuntu
• Remote Architecture: Docker image
• code-server --version: 3.9.1 e0203f2

[oxy]

Hey, so for each of those packages, looking at yarn.lock

I think I can update tar in the vscode yarn.lock, and ini in the code-server one, but node-forge is pulled in by parcel-bundler, which hasn't seen an update in over a year.

I'll see what I can do in the next hour.

[oxy]

Hey, so I meant to open a PR and everything but I fricked up and ended up committing directly to main...

da65b8e
Oops.

[PatrickDerichs]

Thanks for solving it so quickly though!