From c8623f83dd12e044a5081bb645aed1038ff53b51 Mon Sep 17 00:00:00 2001 From: devinleighsmith Date: Mon, 1 Dec 2025 13:40:24 -0800 Subject: [PATCH 1/2] Add recommended protections against s.h. vuln. 1) use npm ci 2) add npm_config_ignore_scripts: true --- .github/workflows/app-react.yml | 4 ++ .github/workflows/smoke-test.yml | 5 +- source/frontend/.s2i/bin/assemble | 116 ++++++++++++++++++++++++++++++ 3 files changed, 123 insertions(+), 2 deletions(-) create mode 100644 source/frontend/.s2i/bin/assemble diff --git a/.github/workflows/app-react.yml b/.github/workflows/app-react.yml index c72e93bbf4..c76f8edf00 100644 --- a/.github/workflows/app-react.yml +++ b/.github/workflows/app-react.yml @@ -1,5 +1,9 @@ name: APP (React) +env: + # Default: ignore lifecycle scripts for *all* npm install commands in this workflow + npm_config_ignore_scripts: true + on: push: branches: [master, dev, test] diff --git a/.github/workflows/smoke-test.yml b/.github/workflows/smoke-test.yml index ac24a4249e..bc10ace31a 100644 --- a/.github/workflows/smoke-test.yml +++ b/.github/workflows/smoke-test.yml @@ -5,6 +5,7 @@ env: Users__0__Password: ${{ secrets.USER_1_PASSWORD }} Users__1__User: ${{ secrets.USER_2_USERNAME }} Users__1__Password: ${{ secrets.USER_2_PASSWORD }} + npm_config_ignore_scripts: true on: workflow_dispatch #push: @@ -27,10 +28,10 @@ jobs: - name: Setup Node.js uses: actions/setup-node@v4 with: - node-version: '20' + node-version: "20" - name: Install Dependencies - run: npm install + run: npm ci - name: Install Playwright Browsers run: npx playwright install --with-deps diff --git a/source/frontend/.s2i/bin/assemble b/source/frontend/.s2i/bin/assemble new file mode 100644 index 0000000000..8c07440f2a --- /dev/null +++ b/source/frontend/.s2i/bin/assemble 
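Review bot: The workflow-level `npm_config_ignore_scripts: true` in app-react.yml suppresses every lifecycle script, including this repository's own `prepare`/`postinstall` hooks and those of dependencies that rely on a postinstall build step, not only untrusted ones, and the one-line comment does not record that trade-off. Suggest widening the comment to `# Suppresses ALL lifecycle scripts (ours and dependencies'); a step that genuinely needs one must run it explicitly or override npm_config_ignore_scripts for that step`. The same variable is added to smoke-test.yml in the next file without any comment, so copying the comment there keeps both workflows consistent. Whether every install step in app-react.yml now uses `npm ci` cannot be seen from this hunk.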
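Review bot: Switching the Install Dependencies step to `npm ci` in smoke-test.yml makes the job fail hard when package-lock.json is absent or out of sync with package.json, which the previous `npm install` silently tolerated; the hunk does not show which directory the job runs in or that a lockfile is committed there, so that should be confirmed before merge. The `node-version: '20'` → `"20"` quote change in the same hunk is unrelated to the stated purpose and would read more cleanly as a separate formatting commit.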
@@ -0,0 +1,116 @@
+#!/bin/bash
+
+# Prevent running assemble in builders different than official STI image.
+# The official nodejs:8-onbuild already run npm install and use different
+# application folder.
+[ -d "/usr/src/app" ] && exit 0
+
+set -e
+
+# FIXME: Linking of global modules is disabled for now as it causes npm failures
+# under RHEL7
+# Global modules good to have
+# npmgl=$(grep "^\s*[^#\s]" ../etc/npm_global_module_list | sort -u)
+# Available global modules; only match top-level npm packages
+#global_modules=$(npm ls -g 2> /dev/null | perl -ne 'print "$1\n" if /^\S+\s(\S+)\@[\d\.-]+/' | sort -u)
+# List all modules in common
+#module_list=$(/usr/bin/comm -12 <(echo "${global_modules}") | tr '\n' ' ')
+# Link the modules
+#npm link $module_list
+
+safeLogging () {
+ if [[ $1 =~ http[s]?://.*@.*$ ]]; then
+ echo $1 | sed 's/^.*@/redacted@/'
+ else
+ echo $1
+ fi
+}
+
+shopt -s dotglob
+if [ -d /tmp/artifacts ] && [ "$(ls /tmp/artifacts/ 2>/dev/null)" ]; then
+ echo "---> Restoring previous build artifacts ..."
+ mv -T --verbose /tmp/artifacts/node_modules "${HOME}/node_modules"
+fi
+
+echo "---> Installing application source ..."
+mv /tmp/src/* ./
+
+# Fix source directory permissions
+fix-permissions ./
+
+if [ ! -z $HTTP_PROXY ]; then
+ echo "---> Setting npm http proxy to" $(safeLogging $HTTP_PROXY)
+ npm config set proxy $HTTP_PROXY
+fi
+
+if [ ! -z $http_proxy ]; then
+ echo "---> Setting npm http proxy to" $(safeLogging $http_proxy)
+ npm config set proxy $http_proxy
+fi
+
+if [ ! -z $HTTPS_PROXY ]; then
+ echo "---> Setting npm https proxy to" $(safeLogging $HTTPS_PROXY)
+ npm config set https-proxy $HTTPS_PROXY
+fi
+
+if [ ! -z $https_proxy ]; then
+ echo "---> Setting npm https proxy to" $(safeLogging $https_proxy)
+ npm config set https-proxy $https_proxy
+fi
+
+# Change the npm registry mirror if provided
+if [ -n "$NPM_MIRROR" ]; then
+ npm config set registry $NPM_MIRROR
+fi
+
+# Set the DEV_MODE to false by default.
+if [ -z "$DEV_MODE" ]; then
+ export DEV_MODE=false
+fi
+
+# If NODE_ENV is not set by the user, then NODE_ENV is determined by whether
+# the container is run in development mode.
+if [ -z "$NODE_ENV" ]; then
+ if [ "$DEV_MODE" == true ]; then
+ export NODE_ENV=development
+ else
+ export NODE_ENV=production
+ fi
+fi
+
+if [ "$NODE_ENV" != "production" ]; then
+
+ echo "---> Building your Node application from source"
+ npm install
+
+else
+
+ echo "---> Installing all dependencies"
+ NODE_ENV=development npm ci
+
+ #do not fail when there is no build script
+ echo "---> Building in production mode"
+ npm run ${NPM_BUILD:-build} --if-present
+
+ echo "---> Pruning the development dependencies"
+ npm prune
+
+ NPM_TMP=$(npm config get tmp)
+ if ! mountpoint $NPM_TMP; then
+ echo "---> Cleaning the $NPM_TMP/npm-*"
+ rm -rf $NPM_TMP/npm-*
+ fi
+
+ # Clear the npm's cache and tmp directories only if they are not a docker volumes
+ NPM_CACHE=$(npm config get cache)
+ if ! mountpoint $NPM_CACHE; then
+ echo "---> Cleaning the npm cache $NPM_CACHE"
+ #As of npm@5 even the 'npm cache clean --force' does not fully remove the cache directory
+ # instead of $NPM_CACHE* use $NPM_CACHE/*.
+ # We do not want to delete .npmrc file.
+ rm -rf "${NPM_CACHE:?}/"
+ fi
+fi
+
+# Fix source directory permissions
+fix-permissions ./
\ No newline at end of file
From 3d9ec57186af57e36d53be286679b02e0b4bece4 Mon Sep 17 00:00:00 2001 From: devinleighsmith Date: Mon, 1 Dec 2025 14:36:23 -0800 Subject: [PATCH 2/2] logging update. --- source/frontend/.s2i/bin/assemble | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source/frontend/.s2i/bin/assemble b/source/frontend/.s2i/bin/assemble
index 8c07440f2a..04ca793a18 100644
--- a/source/frontend/.s2i/bin/assemble
+++ b/source/frontend/.s2i/bin/assemble
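Review bot: The protection named in the commit message is not applied inside this new assemble script: the `NODE_ENV != "production"` branch still runs a bare `npm install`, and the `NODE_ENV=development npm ci` in the else branch runs lifecycle scripts unless the s2i build environment happens to export `npm_config_ignore_scripts`, which nothing in the hunk guarantees. If the intent matches the workflows, set it explicitly right after `set -e`, e.g. `export npm_config_ignore_scripts="${npm_config_ignore_scripts:-true}"`, with a comment noting that `npm run ${NPM_BUILD:-build}` still executes the named script but its pre/post hooks are skipped under npm's ignore-scripts semantics. The four proxy blocks test and pass unquoted values (`[ ! -z $HTTP_PROXY ]`, `npm config set proxy $HTTP_PROXY`) and the cleanup runs `rm -rf $NPM_TMP/npm-*` after an unquoted `mountpoint $NPM_TMP`; quoting them (`[ -n "$HTTP_PROXY" ]`, `"$HTTP_PROXY"`, `"$NPM_TMP"/npm-*`) avoids word-splitting and globbing on values taken from the build environment. `safeLogging` likewise echoes `$1` unquoted, so a proxy URL containing spaces or glob characters would be mangled before the `sed` redaction runs.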
@@ -85,7 +85,7 @@ if [ "$NODE_ENV" != "production" ]; then else - echo "---> Installing all dependencies" + echo "---> Installing all dependencies using ci" NODE_ENV=development npm ci #do not fail when there is no build script