

Improve Security (#333)
antoinejaussoin authored Jan 19, 2022
1 parent ed09c5a commit 75d3bb0
Showing 156 changed files with 17,881 additions and 16,631 deletions.
26 changes: 3 additions & 23 deletions .github/workflows/alpha.yml
Expand Up @@ -2,7 +2,7 @@ name: 'Alpha Build'

on:
push:
branches: [v491/gdpr]
branches: [hotfix/vuln-5]

jobs:
build:
Expand Down Expand Up @@ -35,22 +35,12 @@ jobs:
username: ${{ secrets.DOCKER_NEW_USERNAME }}
password: ${{ secrets.DOCKER_NEW_PASSWORD }}

- name: Build and push Documentation
uses: docker/build-push-action@v2
with:
builder: ${{ steps.buildx.outputs.name }}
file: docs/Dockerfile
context: docs
tags: retrospected/docs:alpha
platforms: linux/amd64
push: true

- name: Build and push Backend
uses: docker/build-push-action@v2
with:
builder: ${{ steps.buildx.outputs.name }}
file: backend/Dockerfile
context: .
context: backend
tags: retrospected/backend:alpha
platforms: linux/amd64
push: true
Expand All @@ -60,17 +50,7 @@ jobs:
with:
builder: ${{ steps.buildx.outputs.name }}
file: frontend/Dockerfile
context: .
context: frontend
tags: retrospected/frontend:alpha
platforms: linux/amd64
push: true

- name: Build and push Maintenance
uses: docker/build-push-action@v2
with:
builder: ${{ steps.buildx.outputs.name }}
file: maintenance/Dockerfile
context: maintenance
tags: retrospected/maintenance:alpha
platforms: linux/amd64
push: true
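Review bot: `branches: [hotfix/vuln-5]` on the `on.push` trigger hard-codes a short-lived branch, so this workflow file has to be edited again for every branch that needs an alpha image, and whichever branch is listed here can overwrite the `:alpha` tags pushed with the Docker Hub credentials. A pattern such as `branches: ['hotfix/**']` or an explicit `workflow_dispatch` trigger would keep the file stable between hotfixes. The removed docs and maintenance build steps also leave the alpha channel without those images while the `Makefile` in this commit still builds `retrospected/maintenance`; a one-line comment saying this is intentional would help.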
4 changes: 2 additions & 2 deletions .github/workflows/canary.yml
Expand Up @@ -50,7 +50,7 @@ jobs:
with:
builder: ${{ steps.buildx.outputs.name }}
file: backend/Dockerfile
context: .
context: backend
tags: retrospected/backend:canary
platforms: linux/amd64,linux/arm64,linux/arm/v7
push: true
Expand All @@ -60,7 +60,7 @@ jobs:
with:
builder: ${{ steps.buildx.outputs.name }}
file: frontend/Dockerfile
context: .
context: frontend
tags: retrospected/frontend:canary
platforms: linux/amd64,linux/arm64,linux/arm/v7
push: true
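Review bot: `context: backend` (and `context: frontend` in the next hunk) narrows the build context, so every `COPY` in `backend/Dockerfile` now resolves relative to `backend/`; that Dockerfile copies `./yarn.lock` and `./package.json`, which means a committed `backend/yarn.lock` is now mandatory and the build never sees the repository root. That lockfile is not visible in this view — confirm it exists and is committed, otherwise the exact pins in `backend/package.json` are resolved fresh on every build. The same context change is made in `.github/workflows/master-old.yml` and `.github/workflows/master.yml`. The `build-push-action` steps continue outside the hunk.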
19 changes: 18 additions & 1 deletion .github/workflows/ci.yml
Expand Up @@ -7,8 +7,25 @@ on:
branches: []

jobs:
test:
test-frontend:
runs-on: ubuntu-latest
defaults:
run:
working-directory: ./frontend
steps:
- uses: actions/checkout@v1
- uses: actions/setup-node@v1
with:
node-version: 16
- run: yarn
- run: yarn ci-test
- run: yarn lint
- run: yarn build
test-backend:
runs-on: ubuntu-latest
defaults:
run:
working-directory: ./backend
steps:
- uses: actions/checkout@v1
- uses: actions/setup-node@v1
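Review bot: `- run: yarn` in the new `test-frontend` job installs without `--frozen-lockfile`, so a CI run can silently rewrite resolutions instead of failing when `yarn.lock` drifts from `package.json`; for CI, `- run: yarn --frozen-lockfile` is the safer form, and presumably the same applies to `test-backend`, whose install step is outside the hunk. The actions are referenced by floating major tags (`actions/checkout@v1`, `actions/setup-node@v1`), which a commit titled "Improve Security" could tighten to a full commit SHA so that a moved or compromised tag cannot change what runs in CI. `test-backend` continues past the end of the hunk.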
4 changes: 2 additions & 2 deletions .github/workflows/master-old.yml
Expand Up @@ -50,7 +50,7 @@ jobs:
with:
builder: ${{ steps.buildx.outputs.name }}
file: backend/Dockerfile
context: .
context: backend
tags: antoinejaussoin/retro-board-backend:latest,antoinejaussoin/retro-board-backend:${{ steps.package.outputs.current-version }}
platforms: linux/amd64,linux/arm64,linux/arm/v7
push: true
Expand All @@ -60,7 +60,7 @@ jobs:
with:
builder: ${{ steps.buildx.outputs.name }}
file: frontend/Dockerfile
context: .
context: frontend
tags: antoinejaussoin/retro-board-frontend:latest,antoinejaussoin/retro-board-frontend:${{ steps.package.outputs.current-version }}
platforms: linux/amd64,linux/arm64,linux/arm/v7
push: true
4 changes: 2 additions & 2 deletions .github/workflows/master.yml
Expand Up @@ -50,7 +50,7 @@ jobs:
with:
builder: ${{ steps.buildx.outputs.name }}
file: backend/Dockerfile
context: .
context: backend
tags: retrospected/backend:latest,retrospected/backend:${{ steps.package.outputs.current-version }}
platforms: linux/amd64,linux/arm64,linux/arm/v7
push: true
Expand All @@ -60,7 +60,7 @@ jobs:
with:
builder: ${{ steps.buildx.outputs.name }}
file: frontend/Dockerfile
context: .
context: frontend
tags: retrospected/frontend:latest,retrospected/frontend:${{ steps.package.outputs.current-version }}
platforms: linux/amd64,linux/arm64,linux/arm/v7
push: true
17 changes: 13 additions & 4 deletions Makefile
Expand Up @@ -11,10 +11,19 @@ setup:
build:
docker buildx inspect --bootstrap
docker buildx build --cache-from=retrospected/maintenance:${PACKAGE_VERSION} --pull --platform ${TARGET_ARCHS} -f ./maintenance/Dockerfile -t retrospected/maintenance:${PACKAGE_VERSION} ./maintenance
docker buildx build --cache-from=retrospected/backend:${PACKAGE_VERSION} --pull --platform ${TARGET_ARCHS} -f ./backend/Dockerfile -t retrospected/backend:${PACKAGE_VERSION} .
docker buildx build --cache-from=retrospected/frontend:${PACKAGE_VERSION} --pull --platform ${TARGET_ARCHS} -f ./frontend/Dockerfile -t retrospected/frontend:${PACKAGE_VERSION} .
docker buildx build --cache-from=retrospected/backend:${PACKAGE_VERSION} --pull --platform ${TARGET_ARCHS} -f ./backend/Dockerfile -t retrospected/backend:${PACKAGE_VERSION} ./backend
docker buildx build --cache-from=retrospected/frontend:${PACKAGE_VERSION} --pull --platform ${TARGET_ARCHS} -f ./frontend/Dockerfile -t retrospected/frontend:${PACKAGE_VERSION} ./frontend

single-build:
docker build -f ./maintenance/Dockerfile -t retrospected/maintenance:${PACKAGE_VERSION} ./maintenance
docker build -f ./backend/Dockerfile -t retrospected/backend:${PACKAGE_VERSION} .
docker build -f ./frontend/Dockerfile -t retrospected/frontend:${PACKAGE_VERSION} .
docker build -f ./backend/Dockerfile -t retrospected/backend:${PACKAGE_VERSION} ./backend
docker build -f ./frontend/Dockerfile -t retrospected/frontend:${PACKAGE_VERSION} ./frontend

install-trivy:
brew install trivy

trivy:
docker build -f ./backend/Dockerfile -t retrospected/backend:trivy ./backend
docker build -f ./frontend/Dockerfile -t retrospected/frontend:trivy ./frontend
trivy retrospected/backend:trivy
trivy retrospected/frontend:trivy
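Review bot: The new `trivy` target runs `trivy retrospected/backend:trivy` and `trivy retrospected/frontend:trivy` without `--exit-code` or `--severity`, so the target succeeds no matter what is found and only prints a report; it cannot gate a release. `trivy image --exit-code 1 --severity HIGH,CRITICAL retrospected/backend:trivy` (and the same for the frontend) would make `make trivy` fail on actionable findings. The `retrospected/maintenance` image built by `build` and `single-build` is not scanned at all, and `install-trivy` assumes Homebrew, which deserves a one-line comment.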
8 changes: 7 additions & 1 deletion README.md
Expand Up @@ -28,7 +28,6 @@ It features the following technologies:
- [React 17](https://github.com/facebook/react)
- [React Hooks](https://reactjs.org/docs/hooks-intro.html)
- [React Router 4](https://github.com/ReactTraining/react-router)
- [Mono Repo / Yarn Workspaces](https://yarnpkg.com/lang/en/docs/workspaces)
- [TypeScript 4](https://www.typescriptlang.org/)
- [Recoil.js](https://recoiljs.org), as the global state management library
- [Socket IO](http://socket.io)
Expand Down Expand Up @@ -85,6 +84,13 @@ This will run a demo version, which you can turn into a fully licenced version b

## Versions History

### Version 4.11.0

- Remove Yarn Workspaces to limit dependency sharing
- Upgrade most dependencies for security reasons
- Upgrade Nginx image to fix security issues
- Force secure cookies

### Version 4.10.0

- Add better GDPR compliance, with the right to be forgotten: allows a user to delete all of their data
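--- a/backend/.dockerignore
+++ b/backend/.dockerignore
@@ -0,0 +1,5 @@
+node_modules
+npm-debug.log
+persist
+Dockerfile*
+dist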
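Review bot: The new ignore list leaves `.git` and any local `.env`-style files in the build context, and because `backend/Dockerfile` in this commit now does `COPY ./ ./`, everything not listed here ends up in an image layer; a developer's local environment file holding database or session secrets would be baked into a published image. Adding `.git`, `.env*` and `*.log` is cheap insurance. Whether such files exist under `backend/` is not visible here — confirm before relying on the list as written.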
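--- a/backend/Dockerfile
+++ b/backend/Dockerfile
@@ -10,15 +10,12 @@ ENV NODE_ENV production
 
 COPY ./yarn.lock ./
 COPY ./package.json ./
-COPY ./backend/package.json ./backend/
-COPY ./common/package.json ./common/
 
 RUN yarn --network-timeout 1000000 install
 
-COPY ./backend ./backend
-COPY ./common ./common
+COPY ./ ./
 
-RUN yarn build-backend
+RUN yarn build
 
 EXPOSE ${BACKEND_PORT}
 CMD [ "yarn", "backend-production" ]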
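Review bot: `COPY ./ ./` replaces the two explicit `COPY` lines, so what lands in the image is now decided solely by `backend/.dockerignore`, and because `ENV NODE_ENV production` (visible in the hunk header) makes `yarn install` skip devDependencies, `RUN yarn build` only works while the build tooling stays in `dependencies`; a comment above it such as `# NODE_ENV=production: yarn skips devDependencies, so tsc/rimraf must stay in "dependencies"` would stop the next maintainer from moving them. The resulting image still ships sources, the compiler and the linter next to `dist`; a multi-stage build that copies only `dist` and production modules into the final stage would shrink the attack surface, though the start of the Dockerfile is outside the hunk. `CMD [ "yarn", "backend-production" ]` also depends on that script surviving the `backend/package.json` rewrite in this same commit — confirm it is still defined.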
162 changes: 82 additions & 80 deletions backend/package.json
@@ -1,99 +1,101 @@
{
"name": "@retrospected/backend",
"version": "4.10.0",
"version": "4.11.0",
"license": "GNU GPLv3",
"private": true,
"scripts": {
"build": "rimraf dist && tsc --build",
"start": "nodemon --exec 'yarn fix & ts-node' --files ./src/index.ts",
"create-migration": "ts-node ./src/init.ts --ts && ts-node ../node_modules/typeorm/cli.js migration:generate -n ",
"migrate": "node ./dist/src/init.js && node ../node_modules/typeorm/cli.js migration:run",
"revert": "node ./dist/src/init.js && node ../node_modules/typeorm/cli.js migration:revert",
"backend-production": "yarn migrate && cd ./dist/src && node index.js",
"create-migration": "ts-node ./src/init.ts --ts && ts-node ./node_modules/typeorm/cli.js migration:generate -n ",
"migrate": "node ./dist/src/init.js && node ./node_modules/typeorm/cli.js migration:run",
"revert": "node ./dist/src/init.js && node ./node_modules/typeorm/cli.js migration:revert",
"lint": "eslint 'src/**/*.ts'",
"test": "yarn jest",
"ci-test": "CI=true yarn test",
"fix": "eslint 'src/**/*.ts' --fix"
},
"dependencies": {
"@retrospected/common": "*",
"@sendgrid/mail": "^7.4.7",
"@sentry/node": "^6.13.3",
"@types/bcryptjs": "^2.4.2",
"@types/connect-redis": "0.0.17",
"@types/crypto-js": "^4.0.2",
"@types/csurf": "^1.11.2",
"@types/express": "^4.17.13",
"@types/express-mung": "^0.5.2",
"@types/express-rate-limit": "^5.1.3",
"@types/express-serve-static-core": "^4.17.24",
"@types/express-session": "^1.17.4",
"@types/jest": "^27.0.2",
"@types/lodash": "^4.14.175",
"@types/md5": "^2.3.1",
"@types/node": "^16.11.0",
"@types/node-fetch": "^2.5.12",
"@types/passport": "^1.0.7",
"@types/passport-github2": "^1.2.5",
"@types/passport-google-oauth20": "^2.0.10",
"@types/passport-local": "^1.0.34",
"@types/passport-microsoft": "^0.0.0",
"@types/passport-twitter": "^1.0.37",
"@types/random-words": "^1.1.2",
"@types/redis": "2.8.32",
"@types/shortid": "^0.0.29",
"@types/socket.io-redis": "1.0.27",
"@types/uuid": "^8.3.1",
"@typescript-eslint/eslint-plugin": "^5.0.0",
"@typescript-eslint/parser": "^5.0.0",
"bcryptjs": "^2.4.3",
"body-parser": "^1.19.0",
"chalk": "^4.1.2",
"@sendgrid/mail": "7.6.0",
"@sentry/node": "6.16.1",
"@types/bcryptjs": "2.4.2",
"@types/connect-redis": "0.0.18",
"@types/crypto-js": "4.1.0",
"@types/csurf": "1.11.2",
"@types/express": "4.17.13",
"@types/express-mung": "0.5.2",
"@types/express-rate-limit": "6.0.0",
"@types/express-serve-static-core": "4.17.28",
"@types/express-session": "1.17.4",
"@types/jest": "27.4.0",
"@types/lodash": "4.14.178",
"@types/md5": "2.3.1",
"@types/node": "17.0.10",
"@types/node-fetch": "2.5.12",
"@types/passport": "1.0.7",
"@types/passport-github2": "1.2.5",
"@types/passport-google-oauth20": "2.0.11",
"@types/passport-local": "1.0.34",
"@types/passport-microsoft": "0.0.0",
"@types/passport-twitter": "1.0.37",
"@types/random-words": "1.1.2",
"@types/shortid": "0.0.29",
"@types/socket.io-redis": "3.0.0",
"@types/uuid": "8.3.4",
"@typescript-eslint/eslint-plugin": "5.10.0",
"@typescript-eslint/parser": "5.10.0",
"bcryptjs": "2.4.3",
"body-parser": "1.19.1",
"chalk": "4.1.2",
"connect-redis": "6.0.0",
"cross-env": "7.0.3",
"crypto-js": "^4.1.1",
"csurf": "^1.11.0",
"date-fns": "^2.25.0",
"dotenv": "^10.0.0",
"eslint": "^8.0.1",
"eslint-config-prettier": "^8.3.0",
"eslint-plugin-prettier": "^4.0.0",
"express": "^4.17.1",
"express-mung": "^0.5.1",
"express-rate-limit": "^5.5.0",
"express-session": "^1.17.2",
"freemail": "^1.7.0",
"jest": "27.2.5",
"lexorank": "^1.0.4",
"lodash": "^4.17.21",
"md5": "^2.3.0",
"moment": "^2.29.1",
"node-fetch": "^2.6.1",
"nodemon": "^2.0.13",
"passport": "^0.5.0",
"passport-github2": "^0.1.12",
"passport-google-auth": "^1.0.2",
"passport-google-oauth20": "^2.0.0",
"passport-local": "^1.0.0",
"passport-microsoft": "^0.1.0",
"passport-okta-oauth20": "^1.0.1",
"passport-slack": "^0.0.7",
"passport-twitter": "^1.0.4",
"pg": "^8.7.1",
"prettier": "^2.4.1",
"random-words": "^1.1.1",
"rate-limiter-flexible": "^2.3.1",
"redis": "^3.1.2",
"rimraf": "^3.0.2",
"shortid": "^2.2.16",
"socket.io": "4.3.0",
"crypto-js": "4.1.1",
"csurf": "1.11.0",
"date-fns": "2.28.0",
"dotenv": "14.2.0",
"eslint": "8.7.0",
"eslint-config-prettier": "8.3.0",
"eslint-plugin-prettier": "4.0.0",
"express": "4.17.2",
"express-mung": "0.5.1",
"express-rate-limit": "6.1.0",
"express-session": "1.17.2",
"freemail": "1.7.0",
"jest": "27.4.7",
"lexorank": "1.0.4",
"lodash": "4.17.21",
"md5": "2.3.0",
"moment": "2.29.1",
"node-fetch": "2.6.1",
"nodemon": "2.0.15",
"passport": "0.5.0",
"passport-github2": "0.1.12",
"passport-google-auth": "1.0.2",
"passport-google-oauth20": "2.0.0",
"passport-local": "1.0.0",
"passport-microsoft": "0.1.0",
"passport-okta-oauth20": "1.0.1",
"passport-slack": "0.0.7",
"passport-twitter": "1.0.4",
"pg": "8.7.1",
"prettier": "2.5.1",
"random-words": "1.1.1",
"rate-limiter-flexible": "2.3.6",
"redis": "3.1.2",
"rimraf": "3.0.2",
"shortid": "2.2.16",
"socket.io": "4.4.1",
"socket.io-redis": "6.1.1",
"stripe": "^8.183.0",
"ts-jest": "^27.0.7",
"ts-node": "^10.3.0",
"typeorm": "^0.2.38",
"uuid": "^8.3.2",
"yargs": "^17.2.1"
"stripe": "8.197.0",
"ts-jest": "27.1.3",
"ts-node": "10.4.0",
"typeorm": "0.2.41",
"typescript": "4.5.4",
"uuid": "8.3.2",
"yargs": "17.3.1"
},
"resolutions": {
"@types/connect-redis": "0.0.17",
"@types/connect-redis": "0.0.18",
"@types/express-session": "1.17.3"
},
"nodemonConfig": {
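Review bot: The `scripts` block on the new side lists `create-migration`, `migrate` and `revert` but no longer shows `backend-production`, while `backend/Dockerfile` in this same commit still ends with `CMD [ "yarn", "backend-production" ]`; if the script really was dropped the container exits at start-up, so confirm it survives (the rendered view may have folded it). `"@types/express-session": "1.17.4"` is now an exact pin, yet the unchanged `resolutions` entry still forces `1.17.3`, and yarn honours `resolutions`, so the declared version is never what gets installed; either drop the resolution or align both values. Moving from `^` ranges to exact versions is a sound supply-chain step, but it only pays off together with a committed `backend/yarn.lock` that CI installs with `--frozen-lockfile`.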
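--- a/backend/src/admin/router.ts
+++ b/backend/src/admin/router.ts
@@ -6,10 +6,7 @@ import {
 } from '../db/actions/users';
 import config from '../config';
 import { isLicenced } from '../security/is-licenced';
-import {
-AdminChangePasswordPayload,
-BackendCapabilities,
-} from '@retrospected/common';
+import { AdminChangePasswordPayload, BackendCapabilities } from '../common';
 import { getIdentityFromRequest, hashPassword } from '../utils';
 import csurf from 'csurf';
 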