solved security vulnerabilities (#751)

* solved security vulnerabilities

* bump

* disable e2e test

Author: roi-codefresh

codefresh.yml

@@ -59,12 +59,15 @@ steps:
         commands:
           - yarn test
 
-      e2e_tests:
-        title: 'Running e2e tests'
-        image: codefresh/build-cli
-        commands:
-          - "echo Running e2e on account: ${{CF_ACCOUNT}}"
-          - CF_API_KEY=${{CF_E2E_API_KEY}} yarn e2e
+      # Disabled e2e tests because of flakyness
+      # need to fix flakyness before enabling again.
+      #
+      # e2e_tests:
+      #   title: 'Running e2e tests'
+      #   image: codefresh/build-cli
+      #   commands:
+      #     - "echo Running e2e on account: ${{CF_ACCOUNT}}"
+      #     - CF_API_KEY=${{CF_E2E_API_KEY}} yarn e2e
     when:
       branch:
         ignore: [ master ]

lib/binary/downloader.js

@@ -1,24 +1,73 @@
 const Promise = require('bluebird');
 const _ = require('lodash');
-const decompress = require('decompress');
-const decompressTargz = require('decompress-targz');
-const decompressUnzip = require('decompress-unzip');
 const rp = require('request-promise');
 const request = require('request');
 const compareVersions = require('compare-versions');
+const zip = require('zip');
+const tarStream = require('tar-stream');
 const {
     resolve, join,
 } = require('path');
 const {
     homedir, arch,
 } = require('os');
 const {
-    existsSync, mkdirSync, readFileSync, createWriteStream, writeFile,
+    existsSync, mkdirSync, readFileSync, createWriteStream, writeFile, readFile,
+    createReadStream,
 } = require('fs');
-const { to } = require('./../logic/cli-config/errors/awaitTo');
+const { createGunzip } = require('zlib');
+const { promisify } = require('util');
+let { pipeline } = require('stream');
+const { to } = require('../logic/cli-config/errors/awaitTo');
+
+pipeline = promisify(pipeline);
 
 const CODEFRESH_PATH = resolve(homedir(), '.Codefresh');
 
+async function unzipFile(zipPath, outputPath) {
+    const zipBuffer = await Promise.fromCallback((cb) => readFile(zipPath, cb));
+    const zr = zip.Reader(zipBuffer);
+
+    const fileWrites = [];
+    zr.forEach((entry) => {
+        if (!entry.isFile()) {
+            return;
+        }
+
+        const outputFilePath = join(outputPath, entry.getName());
+        fileWrites.push(Promise.fromCallback((cb) => writeFile(outputFilePath, entry.getData(), { mode: entry.getMode() }, cb)));
+    });
+
+    return Promise.all(fileWrites);
+}
+
+async function untarFile(tarPath, outputPath) {
+    const zipFile = createReadStream(tarPath);
+    const unzipStream = createGunzip();
+    const extract = tarStream.extract();
+
+    extract.on('entry', async (headers, stream, next) => {
+        if (headers.type !== 'file') {
+            return next();
+        }
+
+        try {
+            const outputFilePath = join(outputPath, headers.name);
+            const outputFile = createWriteStream(outputFilePath, { mode: headers.mode });
+            await pipeline(stream, outputFile);
+            return next();
+        } catch (error) {
+            return next(error);
+        }
+    });
+
+    return await pipeline(
+        zipFile,
+        unzipStream,
+        extract,
+    );
+}
+
 function _ensureDirectory(location) {
     if (existsSync(location)) {
         return Promise.resolve();
@@ -79,13 +128,13 @@ function _buildLocalOSProperties() {
 async function _writeFiles({
     zipPath, location, version, versionPath,
 }) {
-    await to(decompress(zipPath, location, {
-        plugins: [
-            decompressTargz(),
-            decompressUnzip(),
-        ],
-    }));
-    return Promise.fromCallback(cb => writeFile(versionPath, version, cb));
+    if (zipPath.endsWith('.zip')) {
+        await unzipFile(zipPath, location);
+    } else {
+        await untarFile(zipPath, location);
+    }
+
+    return Promise.fromCallback((cb) => writeFile(versionPath, version, cb));
 }
 
 class Downloader {
@@ -144,7 +193,6 @@ class Downloader {
             });
         }
 
-
         return new Promise((resolveFn, rejectFn) => {
             resp.on('end', async () => {
                 const [err] = await to(_writeFiles({

package.json

@@ -1,6 +1,6 @@
 {
   "name": "codefresh",
-  "version": "0.79.2",
+  "version": "0.80.0",
   "description": "Codefresh command line utility",
   "main": "index.js",
   "preferGlobal": true,
@@ -49,15 +49,12 @@
     "cf-errors": "^0.1.16",
     "chalk": "^4.1.0",
     "cli-progress": "3.10.0",
-    "codefresh-sdk": "^1.10.0",
+    "codefresh-sdk": "^1.11.0",
     "colors": "1.4.0",
     "columnify": "^1.5.4",
     "compare-versions": "^3.4.0",
     "copy-dir": "^0.3.0",
     "debug": "^3.1.0",
-    "decompress": "^4.2.1",
-    "decompress-targz": "^4.1.1",
-    "decompress-unzip": "^4.0.1",
     "diff": "^3.5.0",
     "dockerode": "^2.5.7",
     "draftlog": "^1.0.12",
@@ -72,7 +69,7 @@
     "kubernetes-client": "^9.0.0",
     "lodash": "^4.17.21",
     "mkdirp": "^0.5.1",
-    "moment": "^2.19.4",
+    "moment": "^2.29.4",
     "mongodb": "^3.7.3",
     "node-forge": "^1.3.0",
     "ora": "^5.4.1",
@@ -84,10 +81,12 @@
     "requestretry": "^7.0.2",
     "rimraf": "^2.6.2",
     "semver": "^7.3.2",
+    "tar-stream": "^2.2.0",
     "uuid": "^3.1.0",
     "yaml": "^1.10.0",
     "yargs": "^15.4.1",
-    "yargs-parser": "^13.0.0"
+    "yargs-parser": "^13.0.0",
+    "zip": "^1.2.0"
   },
   "devDependencies": {
     "@types/node-forge": "^1.0.1",
@@ -114,4 +113,4 @@
       "./test-setup.js"
     ]
   }
-}
+}

yarn.lock

@@ -739,6 +739,11 @@ balanced-match@^1.0.0:
   resolved "https://registry.yarnpkg.com/balanced-match/-/balanced-match-1.0.0.tgz#89b4d199ab2bee49de164ea02b89ce462d71b767"
   integrity sha1-ibTRmasr7kneFk6gK4nORi1xt2c=
 
+[email protected]:
+  version "0.0.2"
+  resolved "https://registry.yarnpkg.com/base64-js/-/base64-js-0.0.2.tgz#024f0f72afa25b75f9c0ee73cd4f55ec1bed9784"
+  integrity sha512-Pj9L87dCdGcKlSqPVUjD+q96pbIx1zQQLb2CUiWURfjiBELv84YX+0nGnKmyT/9KkC7PQk7UN1w+Al8bBozaxQ==
+
 base64-js@^1.0.2:
   version "1.3.1"
   resolved "https://registry.yarnpkg.com/base64-js/-/base64-js-1.3.1.tgz#58ece8cb75dd07e71ed08c736abc5fac4dbf8df1"
@@ -811,6 +816,14 @@ bluebird@^3.5.0, bluebird@^3.5.1, bluebird@^3.7.2:
   resolved "https://registry.yarnpkg.com/bluebird/-/bluebird-3.7.2.tgz#9f229c15be272454ffa973ace0dbee79a1b0c36f"
   integrity sha512-XpNj6GDQzdfW+r2Wnn7xiSAd7TM3jzkxGXBGTtWKuSXv1xUV+azxAm8jdWZN06QTQk+2N2XB9jRDkvbmQmcRtg==
 
+bops@~0.1.1:
+  version "0.1.1"
+  resolved "https://registry.yarnpkg.com/bops/-/bops-0.1.1.tgz#062e02a8daa801fa10f2e5dbe6740cff801fe17e"
+  integrity sha512-Cx1zStcMp+YoFan8OgudNPMih82eJZE+27feki1WeyoFTR9Ye7AR1SUW3saE6QQvdS/g52aJ2IojBjWOiRiLbw==
+  dependencies:
+    base64-js "0.0.2"
+    to-utf8 "0.0.1"
+
 brace-expansion@^1.1.7:
   version "1.1.11"
   resolved "https://registry.yarnpkg.com/brace-expansion/-/brace-expansion-1.1.11.tgz#3c7fcbf529d87226f3d2f52b966ff5271eb441dd"
@@ -1164,32 +1177,31 @@ code-point-at@^1.0.0:
   resolved "https://registry.yarnpkg.com/code-point-at/-/code-point-at-1.1.0.tgz#0d070b4d043a5bea33a2f1a40e2edb3d9a4ccf77"
   integrity sha1-DQcLTQQ6W+ozovGkDi7bPZpMz3c=
 
-codefresh-sdk@^1.10.0:
-  version "1.10.0"
-  resolved "https://registry.yarnpkg.com/codefresh-sdk/-/codefresh-sdk-1.10.0.tgz#92d875603d4259288cb5e3221e67141746506317"
-  integrity sha512-yBHsmxEdZ4ET7XZ3mDeGqjHpiT8UPMTBx9rYKCxZzSnbMzo8OFu9XtUSjX3uABNr0eppB4sH3Ym27Q8VwzqsPw==
+codefresh-sdk@^1.11.0:
+  version "1.11.0"
+  resolved "https://registry.yarnpkg.com/codefresh-sdk/-/codefresh-sdk-1.11.0.tgz#5b3b1c01a3f0e33f060ab4b313e4e27c4308b02c"
+  integrity sha512-TuF22j9o/vg6gTZvqIA0J1Ca2jiRa8qsvYsCmk4hV1ZDnSqUAomPLlCpiL2qxdouy/Cja54y0HUoRowsqGvU4A==
   dependencies:
     "@codefresh-io/cf-receiver" "0.0.1-alpha19"
     bluebird "^3.7.2"
     cf-errors "^0.1.16"
     compare-versions "^3.4.0"
     debug "^4.1.1"
-    decompress "^4.2.1"
-    decompress-targz "^4.1.1"
-    decompress-unzip "^4.0.1"
     firebase "git+https://github.com/codefresh-io/firebase.git#80b2ed883ff281cd67b53bd0f6a0bbd6f330fed5"
     fs-extra "^7.0.1"
     js-yaml "^3.13.1"
     jsonwebtoken "^8.4.0"
     lodash "^4.17.21"
-    moment "^2.24.0"
+    moment "^2.29.4"
     recursive-readdir "^2.2.2"
     request "2.88.2"
     request-promise "4.2.6"
     requestretry "^7.0.2"
     swagger-client "~3.13.7"
+    tar-stream "^2.2.0"
     uniqid "^5.4.0"
     uuid "^3.3.2"
+    zip "^1.2.0"
 
 collection-visit@^1.0.0:
   version "1.0.0"
@@ -1471,7 +1483,7 @@ decompress-tarbz2@^4.0.0:
     seek-bzip "^1.0.5"
     unbzip2-stream "^1.0.9"
 
-decompress-targz@^4.0.0, decompress-targz@^4.1.1:
+decompress-targz@^4.0.0:
   version "4.1.1"
   resolved "https://registry.yarnpkg.com/decompress-targz/-/decompress-targz-4.1.1.tgz#c09bc35c4d11f3de09f2d2da53e9de23e7ce1eee"
   integrity sha512-4z81Znfr6chWnRDNfFNqLwPvm4db3WuZkqV+UgXQzSngG3CEKdBkw5jrv3axjjL96glyiiKjsxJG3X6WBZwX3w==
@@ -1490,7 +1502,7 @@ decompress-unzip@^4.0.1:
     pify "^2.3.0"
     yauzl "^2.4.2"
 
-decompress@^4.0.0, decompress@^4.2.1:
+decompress@^4.0.0:
   version "4.2.1"
   resolved "https://registry.yarnpkg.com/decompress/-/decompress-4.2.1.tgz#007f55cc6a62c055afa37c07eb6a4ee1b773f118"
   integrity sha512-e48kc2IjU+2Zw8cTb6VZcJQ3lgVbS4uuB1TfCHbiZIP/haNXm+SVyhu+87jts5/3ROpd82GSVCoNs/z8l4ZOaQ==
@@ -4277,10 +4289,10 @@ mkdirp@^0.5.1:
   dependencies:
     minimist "^1.2.5"
 
-moment@^2.19.4, moment@^2.24.0:
-  version "2.25.3"
-  resolved "https://registry.yarnpkg.com/moment/-/moment-2.25.3.tgz#252ff41319cf41e47761a1a88cab30edfe9808c0"
-  integrity sha512-PuYv0PHxZvzc15Sp8ybUCoQ+xpyPWvjOuK72a5ovzp2LI32rJXOiIfyoFoYvG3s6EwwrdkMyWuRiEHSZRLJNdg==
+moment@^2.29.4:
+  version "2.29.4"
+  resolved "https://registry.yarnpkg.com/moment/-/moment-2.29.4.tgz#3dbe052889fe7c1b2ed966fcb3a77328964ef108"
+  integrity sha512-5LC9SOxjSc2HF6vO2CyuTDNivEdoz2IvyJJGj6X8DJ0eFyfszE0QiEd+iXmBvUP3WHxSjFH/vIsA0EN00cgr8w==
 
 mongodb@^3.7.3:
   version "3.7.3"
@@ -6048,7 +6060,7 @@ tar-stream@^1.1.2, tar-stream@^1.5.2:
     to-buffer "^1.1.1"
     xtend "^4.0.0"
 
-tar-stream@^2.1.4:
+tar-stream@^2.1.4, tar-stream@^2.2.0:
   version "2.2.0"
   resolved "https://registry.yarnpkg.com/tar-stream/-/tar-stream-2.2.0.tgz#acad84c284136b060dc3faa64474aa9aebd77287"
   integrity sha512-ujeqbceABgwMZxEJnk2HDY2DlnUZ+9oEcb1KzTVfYHio0UE6dG71n60d8D2I4qNvleWrrXpmjpt7vZeF1LnMZQ==
@@ -6149,6 +6161,11 @@ to-regex@^3.0.1, to-regex@^3.0.2:
     regex-not "^1.0.2"
     safe-regex "^1.1.0"
 
+[email protected]:
+  version "0.0.1"
+  resolved "https://registry.yarnpkg.com/to-utf8/-/to-utf8-0.0.1.tgz#d17aea72ff2fba39b9e43601be7b3ff72e089852"
+  integrity sha512-zks18/TWT1iHO3v0vFp5qLKOG27m67ycq/Y7a7cTiRuUNlc4gf3HGnkRgMv0NyhnfTamtkYBJl+YeD1/j07gBQ==
+
 tough-cookie@^2.3.3, tough-cookie@^2.3.4, tough-cookie@~2.5.0:
   version "2.5.0"
   resolved "https://registry.yarnpkg.com/tough-cookie/-/tough-cookie-2.5.0.tgz#cd9fb2a0aa1d5a12b473bd9fb96fa3dcff65ade2"
@@ -6737,3 +6754,10 @@ yauzl@^2.4.2:
   dependencies:
     buffer-crc32 "~0.2.3"
     fd-slicer "~1.1.0"
+
+zip@^1.2.0:
+  version "1.2.0"
+  resolved "https://registry.yarnpkg.com/zip/-/zip-1.2.0.tgz#ad0ad42265309be42eb56fc86194e17c24e66a9c"
+  integrity sha512-8B4Z9BXJKkI8BkHhKvQan4rwCzUENnj95YHFYrI7F1NbqKCIdW86kujctzEB+kJ6XapHPiAhiZ9xi5GbW5SPdw==
+  dependencies:
+    bops "~0.1.1"