From 6549442c0b61b62e1fe32ce2ebdbdf364d0e453b Mon Sep 17 00:00:00 2001
From: Syed Muhammad Dawoud Sheraz Ali <40599381+DawoudSheraz@users.noreply.github.com>
Date: Fri, 26 Jul 2024 18:03:28 +0500
Subject: [PATCH 1/2] security: add upstream security patch in Open edX image (#1100)

---
 .../20240725_221432_dawoud.sheraz_july_25_security_patch.md | 1 +
 tutor/templates/build/openedx/Dockerfile | 5 +++++
 2 files changed, 6 insertions(+)
 create mode 100644 changelog.d/20240725_221432_dawoud.sheraz_july_25_security_patch.md

diff --git a/changelog.d/20240725_221432_dawoud.sheraz_july_25_security_patch.md b/changelog.d/20240725_221432_dawoud.sheraz_july_25_security_patch.md
new file mode 100644
index 0000000000..39a3c8e83c
--- /dev/null
+++ b/changelog.d/20240725_221432_dawoud.sheraz_july_25_security_patch.md
@@ -0,0 +1 @@
+- [Security] Add upstream security fix as patch in Open edX image (by @dawoudsheraz)

diff --git a/tutor/templates/build/openedx/Dockerfile b/tutor/templates/build/openedx/Dockerfile
index c9c933266d..f89277bbee 100644
--- a/tutor/templates/build/openedx/Dockerfile
+++ b/tutor/templates/build/openedx/Dockerfile
@@ -53,6 +53,11 @@ RUN git config --global user.email "tutor@overhang.io" \
 # Patches in nightly node
 {%- else %}
 # Patches in non-nightly mode
+# Security patch around content library permissions
+# https://discuss.openedx.org/t/security-upcoming-security-release-for-edx-platform-2024-07-25/13473
+# https://github.com/openedx/edx-platform/pull/35180
+RUN curl -fsSL https://github.com/openedx/edx-platform/commit/3160ff68ca4a4516375af3307fe84f22cd5e5b36.patch | git am
+
 {%- endif %}
 {# Example: RUN curl -fsSL https://github.com/openedx/edx-platform/commit/.patch | git am #}

From deaa6116da62b359c5863823c56fc9c29d2602f8 Mon Sep 17 00:00:00 2001
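Review bot: The added `RUN curl -fsSL … | git am` can succeed without applying the security fix: under the default `/bin/sh -c` the pipeline's status is `git am`'s, and as far as I know `git am` reading an empty stream exits 0, so a 404 or a network failure on the curl side (which `-f` turns into empty output) yields a "successful" image that is still vulnerable, unless a `SHELL` with `pipefail` is set earlier in the file (not visible in this hunk). The download is also not checked against anything beyond TLS — the commit hash in the URL names the upstream fix but the fetched bytes are applied as served. Downloading to a file, verifying a recorded digest and then applying it keeps the build fail-closed, e.g. `RUN curl -fsSL https://github.com/openedx/edx-platform/commit/3160ff68ca4a4516375af3307fe84f22cd5e5b36.patch -o /tmp/fix.patch && echo "<SHA256-OF-PATCH-PLACEHOLDER>  /tmp/fix.patch" | sha256sum -c - && git am /tmp/fix.patch && rm /tmp/fix.patch`; vendoring the patch file in the repository and applying it with `COPY` + `git am` would remove the build-time network dependency altogether. The Jinja conditional whose `{%- else %}` branch this hunk extends opens above the hunk.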
From: =?UTF-8?q?Mois=C3=A9s=20Gonz=C3=A1lez?=
Date: Fri, 5 Jul 2024 13:06:16 -0400
Subject: [PATCH 2/2] fix: add `mode` to RUN mount cache.

---
 tutor/templates/build/openedx/Dockerfile | 34 ++++++++++++------------
 1 file changed, 17 insertions(+), 17 deletions(-)

diff --git a/tutor/templates/build/openedx/Dockerfile b/tutor/templates/build/openedx/Dockerfile
index f89277bbee..f76d9f3015 100644
--- a/tutor/templates/build/openedx/Dockerfile
+++ b/tutor/templates/build/openedx/Dockerfile
@@ -4,8 +4,8 @@ FROM docker.io/ubuntu:20.04 AS minimal
 LABEL maintainer="Overhang.io "
 ENV DEBIAN_FRONTEND=noninteractive
-RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
- --mount=type=cache,target=/var/lib/apt,sharing=locked \
+RUN --mount=type=cache,mode=0755,target=/var/cache/apt,sharing=locked \
+ --mount=type=cache,mode=0755,target=/var/lib/apt,sharing=locked \
 apt update && \
 apt install -y build-essential curl git language-pack-en
 ENV LC_ALL=en_US.UTF-8
@@ -14,8 +14,8 @@ ENV LC_ALL=en_US.UTF-8
 ###### Install python with pyenv in /opt/pyenv and create virtualenv in /openedx/venv
 FROM minimal AS python
 # https://github.com/pyenv/pyenv/wiki/Common-build-problems#prerequisites
-RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
- --mount=type=cache,target=/var/lib/apt,sharing=locked \
+RUN --mount=type=cache,mode=0755,target=/var/cache/apt,sharing=locked \
+ --mount=type=cache,mode=0755,target=/var/lib/apt,sharing=locked \
 apt update && \
 apt install -y libssl-dev zlib1g-dev libbz2-dev \
 libreadline-dev libsqlite3-dev wget curl llvm libncurses5-dev libncursesw5-dev \
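Review bot: Every cache mount in this hunk (and the identical edit in the @@ -14, @@ -80, @@ -95, @@ -112, @@ -131 and @@ -257 hunks) gains `mode=0755`, which is already BuildKit's documented default for a new cache directory, so the patch should record what it actually fixes; the commit message names no failing environment and, unlike the first patch in this series, no `changelog.d` entry is added. If the motivation is the pip cache being written by the non-root `app` user (`USER app` precedes the pip cache mounts in the @@ -257 hunk), `mode` does not change ownership — the directory is still created for uid 0 — and `uid=`/`gid=` on those mounts (or a separate `id=`) would be the relevant options; please confirm against the build that failed. A why-comment above the first mount, e.g. `# mode=0755: <reason>, see <issue placeholder>`, would stop the next reader from treating the 17 repeated values as noise, and since this file is a Jinja template a single `{% set %}` holding the shared mount options would avoid repeating them.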
@@ -80,13 +80,13 @@ ENV PATH=/openedx/venv/bin:${PATH}
 ENV VIRTUAL_ENV=/openedx/venv/
 ENV XDG_CACHE_HOME=/openedx/.cache
-RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
- --mount=type=cache,target=/var/lib/apt,sharing=locked \
+RUN --mount=type=cache,mode=0755,target=/var/cache/apt,sharing=locked \
+ --mount=type=cache,mode=0755,target=/var/lib/apt,sharing=locked \
 apt update \
 && apt install -y software-properties-common libmysqlclient-dev libxmlsec1-dev libgeos-dev
 # Install the right version of pip/setuptools
-RUN --mount=type=cache,target=/openedx/.cache/pip,sharing=shared \
+RUN --mount=type=cache,mode=0755,target=/openedx/.cache/pip,sharing=shared \
 pip install \
 # https://pypi.org/project/setuptools/
 # https://pypi.org/project/pip/
@@ -95,11 +95,11 @@ RUN --mount=type=cache,target=/openedx/.cache/pip,sharing=shared \
 # Install base requirements
 RUN --mount=type=bind,from=edx-platform,source=/requirements/edx/base.txt,target=/openedx/edx-platform/requirements/edx/base.txt \
- --mount=type=cache,target=/openedx/.cache/pip,sharing=shared \
+ --mount=type=cache,mode=0755,target=/openedx/.cache/pip,sharing=shared \
 pip install -r /openedx/edx-platform/requirements/edx/base.txt
 # Install extra requirements
-RUN --mount=type=cache,target=/openedx/.cache/pip,sharing=shared \
+RUN --mount=type=cache,mode=0755,target=/openedx/.cache/pip,sharing=shared \
 pip install \
 # Use redis as a django cache https://pypi.org/project/django-redis/
 django-redis==5.4.0 \
@@ -112,7 +112,7 @@ RUN --mount=type=cache,target=/openedx/.cache/pip,sharing=shared \
 RUN pip install "openedx-scorm-xblock>=18.0.0,<19.0.0"
 {% for extra_requirements in OPENEDX_EXTRA_PIP_REQUIREMENTS %}
-RUN --mount=type=cache,target=/openedx/.cache/pip,sharing=shared \
+RUN --mount=type=cache,mode=0755,target=/openedx/.cache/pip,sharing=shared \
 pip install '{{ extra_requirements }}'
 {% endfor %}
@@ -131,15 +131,15 @@ WORKDIR /openedx/edx-platform
 RUN --mount=type=bind,from=edx-platform,source=/package.json,target=/openedx/edx-platform/package.json \
 --mount=type=bind,from=edx-platform,source=/package-lock.json,target=/openedx/edx-platform/package-lock.json \
 --mount=type=bind,from=edx-platform,source=/scripts/copy-node-modules.sh,target=/openedx/edx-platform/scripts/copy-node-modules.sh \
- --mount=type=cache,target=/root/.npm,sharing=shared \
+ --mount=type=cache,mode=0755,target=/root/.npm,sharing=shared \
 npm clean-install --no-audit --registry=$NPM_REGISTRY
 ###### Production image with system and python requirements
 FROM minimal AS production
 # Install system requirements
-RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
- --mount=type=cache,target=/var/lib/apt,sharing=locked \
+RUN --mount=type=cache,mode=0755,target=/var/cache/apt,sharing=locked \
+ --mount=type=cache,mode=0755,target=/var/lib/apt,sharing=locked \
 apt update \
 && apt install -y gettext gfortran graphviz graphviz-dev libffi-dev libfreetype6-dev libgeos-dev libjpeg8-dev liblapack-dev libmysqlclient-dev libpng-dev libsqlite3-dev libxmlsec1-dev lynx mysql-client ntp pkg-config rdfind
@@ -257,18 +257,18 @@ FROM production AS development
 # Install useful system requirements (as root)
 USER root
-RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
- --mount=type=cache,target=/var/lib/apt,sharing=locked \
+RUN --mount=type=cache,mode=0755,target=/var/cache/apt,sharing=locked \
+ --mount=type=cache,mode=0755,target=/var/lib/apt,sharing=locked \
 apt update && \
 apt install -y vim iputils-ping dnsutils telnet
 USER app
 # Install dev python requirements
-RUN --mount=type=cache,target=/openedx/.cache/pip,sharing=shared \
+RUN --mount=type=cache,mode=0755,target=/openedx/.cache/pip,sharing=shared \
 pip install -r requirements/edx/development.txt
 # https://pypi.org/project/ipdb/
 # https://pypi.org/project/ipython (>=Python 3.10 started with 8.20)
-RUN --mount=type=cache,target=/openedx/.cache/pip,sharing=shared \
+RUN --mount=type=cache,mode=0755,target=/openedx/.cache/pip,sharing=shared \
 pip install ipdb==0.13.13 ipython==8.24.0
 {# Re-install mounted requirements, otherwise they will be superseded by upstream reqs #}