
code-server 3.9.3 vulnerabilities  #3185

Closed
@Jose-Matsuda

Description


Hi there,

I think this is #2860 but for a different package.
My team uses code-server in Docker images, and before pushing them to our repo we run a trivy scan and get the hit below.

trivy
Scanning for vulnerabilties...
╔══════════════════════╤═════════════════╤═════════════════╤════════════════════════════════════════════════════╤══════════════════════╗
║ VULNERABILITY ID     │ PACKAGE NAME    │ SEVERITY        │ DESCRIPTION                                        │ TARGET               ║
╟──────────────────────┼─────────────────┼─────────────────┼────────────────────────────────────────────────────┼──────────────────────╢
║ CVE-2021-28918       │ netmask         │ CRITICAL        │ Improper input validation of octal strings in      │ usr/lib/code-server/ ║
║                      │                 │                 │ netmask npm package v1.0.6 and below allows        │ lib/vscode/yarn.lock ║
║                      │                 │                 │ unauthenticated remote attackers to perform        │                      ║
║                      │                 │                 │ indeterminate SSRF, RFI, and LFI attacks on many   │                      ║
║                      │                 │                 │ of the dependent packages. A remote                │                      ║
║                      │                 │                 │ unauthenticated attacker can bypass packages       │                      ║
║                      │                 │                 │ relying on netmask to filter IPs and reach         │                      ║
║                      │                 │                 │ critical VPN or LAN hosts.                         │                      ║
╟──────────────────────┼─────────────────┼─────────────────┼────────────────────────────────────────────────────┼──────────────────────╢
║ CVE-2021-28918       │ netmask         │ CRITICAL        │ Improper input validation of octal strings in      │ usr/lib/code-server/ ║
║                      │                 │                 │ netmask npm package v1.0.6 and below allows        │ yarn.lock            ║
║                      │                 │                 │ unauthenticated remote attackers to perform        │                      ║
║                      │                 │                 │ indeterminate SSRF, RFI, and LFI attacks on many   │                      ║
║                      │                 │                 │ of the dependent packages. A remote                │                      ║
║                      │                 │                 │ unauthenticated attacker can bypass packages       │                      ║
║                      │                 │                 │ relying on netmask to filter IPs and reach         │                      ║
║                      │                 │                 │ critical VPN or LAN hosts.                         │                      ║
╚══════════════════════╧═════════════════╧═════════════════╧════════════════════════════════════════════════════╧══════════════════════╝

GHSA-4c7m-wxvm-r7gc

OS/Web Information

  • Web Browser: Chrome
  • Local OS: Ubuntu
  • Remote OS: Ubuntu
  • Remote Architecture: Docker image
  • code-server --version: 3.9.3

This issue can be reproduced in VS Code: No

Thanks
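The trivy finding above concerns how the netmask package interpreted octets written with a leading zero, which some parsers read as octal and others as decimal, so an IP filter built on one reading can disagree with the consumer that uses the other. The following is an added example, not code from code-server, netmask, or the issue author: a strict dotted-quad parser and CIDR check that rejects ambiguous octet notation outright instead of guessing, which is the defensive property a deny-list should have. All function names (parseStrictIPv4, ipv4ToInt, inCidr, classify) and the sample deny list are this example's own assumptions.

```javascript
// Added example (not code-server's or netmask's own code). A strict IPv4
// parser that refuses the ambiguous octet forms behind CVE-2021-28918:
// an octet such as "010" is octal to some libraries and decimal to others,
// so a deny list evaluated with one reading can be bypassed by a consumer
// that applies the other. Rejecting such input removes the ambiguity.

// One octet: either "0" or a 1-3 digit decimal number with no leading zero.
const STRICT_OCTET = /^(0|[1-9][0-9]{0,2})$/;

// Returns the four octets as numbers, or null if the input is not a
// canonical decimal dotted quad (no leading zeros, no hex, no short forms
// like "127.1", no surrounding whitespace).
function parseStrictIPv4(str) {
  if (typeof str !== 'string') return null;
  const parts = str.split('.');
  if (parts.length !== 4) return null;
  const octets = [];
  for (const p of parts) {
    if (!STRICT_OCTET.test(p)) return null;
    const n = Number(p);
    if (n > 255) return null;
    octets.push(n);
  }
  return octets;
}

// Converts a canonical IPv4 string to an unsigned 32-bit integer, or null.
function ipv4ToInt(str) {
  const o = parseStrictIPv4(str);
  if (o === null) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

// True if `ip` lies inside `cidr` (e.g. "10.0.0.0/8"). Both the network and
// the address go through the strict parser, so ambiguous notation on either
// side is an error rather than a silent reinterpretation.
function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split('/');
  if (!/^(0|[1-9][0-9]?)$/.test(bitsStr || '')) throw new Error(`bad prefix: ${cidr}`);
  const bits = Number(bitsStr);
  if (bits > 32) throw new Error(`bad prefix: ${cidr}`);
  const netInt = ipv4ToInt(net);
  const ipInt = ipv4ToInt(ip);
  if (netInt === null) throw new Error(`unparseable network: ${net}`);
  if (ipInt === null) throw new Error(`unparseable address: ${ip}`);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return (ipInt & mask) === (netInt & mask);
}

// Constructed deny list of private/loopback ranges, as a tool that filters
// outbound requests might use (assumption for this example).
const PRIVATE_RANGES = ['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', '127.0.0.0/8'];

// Returns "allow", "deny", or "reject". "reject" means the input was not a
// canonical address and must not be forwarded to any downstream parser.
function classify(ip) {
  if (parseStrictIPv4(ip) === null) return 'reject';
  return PRIVATE_RANGES.some((r) => inCidr(ip, r)) ? 'deny' : 'allow';
}

// Stand-alone demonstration.
for (const candidate of ['8.8.8.8', '10.1.2.3', '010.1.2.3', '127.1']) {
  console.log(candidate, '->', classify(candidate));
}
```

The key design choice is the third outcome: a filter that only answers "allow" or "deny" has to pick some interpretation of "010.1.2.3", and whichever it picks may differ from the HTTP client or socket layer that later resolves the string. Returning "reject" for anything that is not canonical keeps the filter and the consumer from ever disagreeing.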

Labels: dependencies, security