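--- a/.devcontainer/Dockerfile
+++ b/.devcontainer/Dockerfile
@@ -0,0 +1,49 @@
+FROM eu.gcr.io/gitpod-core-dev/dev/dev-environment:base
+
+# leeway
+ARG LEEWAY_VERSION=0.8.4
+ENV LEEWAY_MAX_PROVENANCE_BUNDLE_SIZE=8388608
+ENV LEEWAY_CACHE_DIR=/var/tmp/cache
+ENV LEEWAY_BUILD_DIR=/var/tmp/build
+
+RUN cd /usr/bin && curl -fsSL https://github.com/gitpod-io/leeway/releases/download/v${LEEWAY_VERSION}/leeway_${LEEWAY_VERSION}_Linux_x86_64.tar.gz | sudo tar xz
+
+RUN cd /usr/bin && curl -fsSL https://github.com/mikefarah/yq/releases/download/v4.35.2/yq_linux_amd64 | sudo tee -a yq >/dev/null 2>&1 \
+&& sudo chmod +x yq
+
+### Google Cloud ###
+# not installed via repository as then 'docker-credential-gcr' is not available
+ARG GCS_DIR=/opt/google-cloud-sdk
+ENV PATH=$GCS_DIR/bin:$PATH
+RUN sudo chown gitpod: /opt \
+&& mkdir $GCS_DIR \
+&& curl -fsSL https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-sdk-445.0.0-linux-x86_64.tar.gz \
+| tar -xzvC /opt \
+&& /opt/google-cloud-sdk/install.sh --quiet --usage-reporting=false --bash-completion=true \
+--additional-components gke-gcloud-auth-plugin docker-credential-gcr alpha beta \
+# needed for access to our private registries
+&& docker-credential-gcr configure-docker
+
+RUN sudo install-packages python3-pip
+
+RUN sudo python3 -m pip uninstall crcmod \
+&& sudo python3 -m pip install --no-cache-dir -U crcmod
+
+# Install pre-commit https://pre-commit.com/#install
+RUN sudo install-packages shellcheck \
+&& sudo python3 -m pip install pre-commit
+
+RUN wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg \
+&& echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list \
+&& sudo install-packages packer
+
+# Disable npm/yarn lifecycle scripts for security
+RUN npm config set ignore-scripts true --location=user && \
+echo 'ignore-scripts true' >> ~/.yarnrc
+
+# Disable npx for security
+RUN rm -f /usr/bin/npx /usr/local/bin/npx && \
+echo '#!/bin/sh' > /usr/local/bin/npx && \
+echo 'echo "npx is disabled for security reasons. Use explicit package installation instead." >&2' >> /usr/local/bin/npx && \
+echo 'exit 1' >> /usr/local/bin/npx && \
+chmod +x /usr/local/bin/npx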
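Review bot: The leeway, yq and Google Cloud SDK steps pipe `curl -fsSL …` straight into `tar`/`tee` with no integrity check, and since no `pipefail` shell is set, a failed or truncated download is masked by the exit status of the last command in the pipe. In the yq step, `tee -a yq` also appends, so if the base image already ships `/usr/bin/yq` (not visible from this diff) the result is a corrupt file that still gets `chmod +x`. I would download each artifact to a temporary file, verify it against a pinned SHA-256 and only then install it, as sketched below for yq; the same pattern fits the leeway and SDK tarballs. Separately, the npx stub and the user-level `ignore-scripts` setting look like defaults rather than enforcement, because `npm exec` remains available and a project-level `.npmrc` takes precedence over user config. A comment saying so above those two steps would avoid overstating the protection.

```dockerfile
# … unchanged: leeway ARG/ENV lines and leeway download …
ARG YQ_VERSION=4.35.2
# Placeholder: set to the SHA-256 published for this yq release asset.
ARG YQ_SHA256=<sha256-of-yq_linux_amd64>
RUN curl -fsSL -o /tmp/yq "https://github.com/mikefarah/yq/releases/download/v${YQ_VERSION}/yq_linux_amd64" \
    && echo "${YQ_SHA256}  /tmp/yq" | sha256sum -c - \
    && sudo install -m 0755 /tmp/yq /usr/bin/yq \
    && rm -f /tmp/yq
# … unchanged: Google Cloud SDK, pip, packer, npm/npx steps …
```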
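--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -0,0 +1,6 @@
+{
+"name": "Development",
+"build": {
+"dockerfile": "Dockerfile"
+}
+}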