Accepting request 1177399 from home:ateixeira:branches:security:sensor

- Patches changes: * Change CVE-2024-28849-follow-redirects-drop-proxy-authorization.patch to update the follow-redirects package instead of patching directly. * Added CVE-2022-25883-npm-watch-semver-deps.patch (bsc#1212572) - Add a package-lock.json to the package OBS-URL: https://build.opensuse.org/request/show/1177399 OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=76
2024-05-29 18:06:32 +00:00 · 2024-05-29 18:06:32 +00:00 · 61b53625a0
commit 61b53625a0
parent f4ebb447db
7 changed files with 20313 additions and 827 deletions
--- a/CVE-2022-25883-npm-watch-semver-deps.patch
+++ b/CVE-2022-25883-npm-watch-semver-deps.patch
@ -0,0 +1,24 @@
+From 76e999d0976ad6559574c92b79fe7432596d2d6c Mon Sep 17 00:00:00 2001
+From: snyk-bot <snyk-bot@snyk.io>
+Date: Sat, 27 Apr 2024 00:20:54 +0000
+Subject: [PATCH] fix: gui/velociraptor/package.json to reduce vulnerabilities
+
+The following vulnerabilities are fixed with an upgrade:
+- https://snyk.io/vuln/SNYK-JS-SEMVER-3247795
+---
+ gui/velociraptor/package.json | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: b/gui/velociraptor/package.json
+===================================================================
+--- a/gui/velociraptor/package.json
+++ b/gui/velociraptor/package.json
+@@ -31,7 +31,7 @@
+         "lodash": "^4.17.21",
+         "moment": "^2.29.4",
+         "moment-timezone": "0.5.43",
+-        "npm-watch": "^0.11.0",
+        "npm-watch": "^0.12.0",
+         "prop-types": "^15.8.1",
+         "qs": "^6.11.2",
+         "query-string": "^6.14.1",
--- a/CVE-2024-28849-follow-redirects-drop-proxy-authorization.patch
+++ b/CVE-2024-28849-follow-redirects-drop-proxy-authorization.patch
@ -1,23 +1,30 @@
-From c4f847f85176991f95ab9c88af63b1294de8649b Mon Sep 17 00:00:00 2001
-From: Ruben Verborgh <ruben@verborgh.org>
-Date: Thu, 14 Mar 2024 17:36:10 +0100
-Subject: [PATCH] Drop Proxy-Authorization across hosts.
-
---
- index.js     | 2 +-
- 1 files changed, 1 insertions(+), 1 deletion(-)
-
-diff --git a/gui/velociraptor/node_modules/follow-redirects/index.js b/gui/velociraptor/node_modules/follow-redirects/index.js
-index f58b933..c649cab 100644
--- a/gui/velociraptor/node_modules/follow-redirects/index.js
-+++ b/gui/velociraptor/node_modules/follow-redirects/index.js
-@@ -430,7 +430,7 @@ RedirectableRequest.prototype._processResponse = function (response) {
-      redirectUrlParts.protocol !== "https:" ||
-      redirectUrlParts.host !== currentHost &&
-      !isSubdomain(redirectUrlParts.host, currentHost)) {
-    removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers);
-+    removeMatchingHeaders(/^(?:(?:proxy-)?authorization|cookie)$/i, this._options.headers);
-   }
- 
-   // Evaluate the beforeRedirect callback
-
+diff --git a/gui/velociraptor/package-lock.json b/gui/velociraptor/package-lock.json
+index e6c46c00..2a6c8114 100644
+--- a/gui/velociraptor/package-lock.json
+++ b/gui/velociraptor/package-lock.json
+@@ -4750,9 +4750,9 @@
+             }
+         },
+         "node_modules/follow-redirects": {
+-            "version": "1.15.2",
+-            "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.2.tgz",
+-            "integrity": "sha512-VQLG33o04KaQ8uYi2tVNbdrWp1QWxNNea+nmIB4EVM28v0hmP17z7aG1+wAkNzVq4KeXTq3221ye5qTJP91JwA==",
+            "version": "1.15.6",
+            "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.6.tgz",
+            "integrity": "sha512-wWN62YITEaOpSK584EZXJafH1AGpO8RVgElfkuXbTOrPX4fIfOyEpW/CsiNd8JdYrAoOvafRTOEnvsO++qCqFA==",
+             "funding": [
+                 {
+                     "type": "individual",
+@@ -14720,9 +14720,9 @@
+             }
+         },
+         "follow-redirects": {
+-            "version": "1.15.2",
+-            "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.2.tgz",
+-            "integrity": "sha512-VQLG33o04KaQ8uYi2tVNbdrWp1QWxNNea+nmIB4EVM28v0hmP17z7aG1+wAkNzVq4KeXTq3221ye5qTJP91JwA=="
+            "version": "1.15.6",
+            "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.6.tgz",
+            "integrity": "sha512-wWN62YITEaOpSK584EZXJafH1AGpO8RVgElfkuXbTOrPX4fIfOyEpW/CsiNd8JdYrAoOvafRTOEnvsO++qCqFA=="
+         },
+         "for-each": {
+             "version": "0.3.3",
--- a/package-lock.json
+++ b/package-lock.json
--- a/velociraptor-node_modules.obscpio
+++ b/velociraptor-node_modules.obscpio
--- a/velociraptor-nodejs.spec.inc
+++ b/velociraptor-nodejs.spec.inc
--- a/velociraptor.changes
+++ b/velociraptor.changes
@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Tue May 28 16:45:51 UTC 2024 - Antonio Teixeira <antonio.teixeira@suse.com>
+
+- Patches changes:
+  * Change CVE-2024-28849-follow-redirects-drop-proxy-authorization.patch
+    to update the follow-redirects package instead of patching directly.
+  * Added CVE-2022-25883-npm-watch-semver-deps.patch (bsc#1212572)
+- Add a package-lock.json to the package
+
 -------------------------------------------------------------------
 Sat Apr 27 16:11:14 UTC 2024 - Antonio Teixeira <antonio.teixeira@suse.com>

--- a/velociraptor.spec
+++ b/velociraptor.spec
@ -93,14 +93,17 @@ Source8:        sysconfig.velociraptor-client
 Source9:        %{projname}.obsinfo
 Source10:       system-user-velociraptor.sysusers
 Source11:       velociraptor-nodejs.spec.inc
+Source12:       package-lock.json

 %include %{_sourcedir}/velociraptor-nodejs.spec.inc

 Patch1:         vendor-build-fixes-for-SLE12.patch
 Patch2:         sdjournal-build-fix-for-SLE12.patch
 Patch3:         velociraptor-reproducible-timestamp.diff
-# CVE-2024-28849 - bsc#1221456 - follow-redirects: Drop Proxy-Athorization across hosts
+# PATCH-FIX-UPSTREAM CVE-2024-28849-follow-redirects-drop-proxy-authorization.patch bsc#1221456 -- follow-redirects: Drop Proxy-Athorization across hosts
 Patch4:         CVE-2024-28849-follow-redirects-drop-proxy-authorization.patch
+# PATCH-FIX-UPSTREAM CVE-2022-25883-npm-watch-semver-deps.patch bsc#1212572 -- upgrade npm-watch
+Patch5:         CVE-2022-25883-npm-watch-semver-deps.patch
 BuildRequires:  fileb0x
 %if 0%{?suse_version}
 BuildRequires:  systemd-rpm-macros
@ -243,6 +246,8 @@ console, please install the 'velociraptor' package.
 %patch -P 1 -p1
 %patch -P 2 -p1
 %patch -P 3 -p1
+%patch -P 4 -p1
+%patch -P 5 -p1

 # Set the version to something more specific than <next-tag>-dev
 sed -ie "s/\([[:space:]]VERSION *= \).*/\1 \"%{VERSION}\"/" constants/constants.go
@ -263,13 +268,11 @@ cp vmlinux.h-%{vmlinux_h_version}/vmlinux-${arch}.h \
 # Note: There are dependencies on these that need to be resolved before
 # removing them outright.
 # rm -rf artifacts/definitions/Windows
-
 %if %{build_server}
 pushd gui/velociraptor
 rm -f package-lock.json
-local-npm-registry %{_sourcedir} install
+local-npm-registry %{_sourcedir} install --include=dev --legacy-peer-deps
 popd
-%patch -P 4 -p1
 %endif

 %build