fix: CVE-2023-38545 curl vulnerability [INS-3204] #49
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: build-lint-test | |
| on: | |
| pull_request: | |
| env: | |
| LIBCURL_RELEASE: 'LATEST' | |
| concurrency: | |
| group: ${{ github.head_ref }} | |
| cancel-in-progress: true | |
| # all jobs here must have a matrix identical to the ones inside build-and-release.yaml | |
| jobs: | |
| build-and-test-nodejs: | |
| runs-on: ${{ matrix.os }} | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| os: | |
| - macos-latest | |
| - ubuntu-latest | |
| libcurl-release: | |
| - 8.4.0 | |
| node-libcurl-cpp-std: | |
| - c++17 | |
| node: | |
| - 18.16.1 | |
| include: | |
| # Lint | |
| - os: ubuntu-latest | |
| node: 18.16.1 | |
| node-libcurl-cpp-std: c++17 | |
| libcurl-release: 8.4.0 | |
| run-lint-and-tsc: true | |
| env: | |
| LIBCURL_RELEASE: ${{ matrix.libcurl-release }} | |
| LATEST_LIBCURL_RELEASE: ${{ matrix.libcurl-release }} | |
| NODE_LIBCURL_CPP_STD: ${{ matrix.node-libcurl-cpp-std }} | |
| steps: | |
| - id: timestamp | |
| run: echo "timestamp=$(timestamp +%s)" >> $GITHUB_OUTPUT | |
| - name: Restore the previous run result | |
| uses: actions/cache@v3 | |
| with: | |
| path: | | |
| run_result | |
| key: ${{ github.run_id }}-${{ github.job }}-${{ steps.timestamp.outputs.timestamp }} | |
| restore-keys: | | |
| ${{ github.run_id }}-${{ github.job }}- | |
| - id: run_result | |
| run: cat run_result 2>/dev/null || echo 'default' | |
| - name: Checkout | |
| uses: actions/checkout@v3 | |
| - name: Setup Node.js ${{ matrix.node }} | |
| uses: actions/setup-node@v3 | |
| with: | |
| node-version: ${{ matrix.node }} | |
| - if: runner.os == 'macOS' | |
| name: Install Needed packages on macOS | |
| run: brew install coreutils wget automake libtool cmake gnu-sed m4 | |
| # not using brew for that one as we need 2.69 | |
| - if: runner.os == 'macOS' | |
| name: Install autoconf | |
| run: | | |
| curl -O -L http://ftpmirror.gnu.org/autoconf/autoconf-2.69.tar.gz | |
| tar -xzf autoconf-2.69.tar.gz | |
| cd autoconf-* | |
| ./configure | |
| make | |
| make install | |
| autoconf --version | |
| ln -s /usr/local/bin/glibtoolize /usr/local/bin/libtoolize | |
| - if: runner.os == 'Linux' | |
| name: Install Needed packages on Linux | |
| run: sudo apt-get install -y cmake | |
| - name: Output yarn cache dir | |
| id: yarn-cache-dir | |
| run: echo "dir=$(yarn cache dir)" >> $GITHUB_OUTPUT | |
| - name: Restore Yarn Cache | |
| uses: actions/cache@v1 | |
| id: yarn-cache | |
| with: | |
| path: ${{ steps.yarn-cache-dir.outputs.dir }} | |
| key: v1-${{ runner.os }}-yarn-cache-${{ github.ref }}-${{ hashFiles('**/yarn.lock') }} | |
| restore-keys: | | |
| v1-${{ runner.os }}-yarn-cache-${{ github.ref }}- | |
| v1-${{ runner.os }}-yarn-cache- | |
| - name: Restore libcurl deps cache | |
| uses: actions/cache@v3 | |
| id: libcurl-deps-cache | |
| with: | |
| path: | | |
| ~/.node-gyp | |
| ~/deps | |
| key: v4-build-lint-test-${{ runner.os }}-libcurl-deps-cache-node-${{ matrix.node }} | |
| restore-keys: | | |
| v4-build-lint-test-${{ runner.os }}-libcurl-deps-cache-node-${{ matrix.node }} | |
| - name: 'Build node-libcurl' | |
| if: steps.run_result.outputs.run_result != 'success' | |
| run: | | |
| RUN_TESTS=false \ | |
| RUN_PREGYP_CLEAN=false \ | |
| PUBLISH_BINARY=false \ | |
| ./scripts/ci/build.sh | |
| - name: 'Run lint' | |
| if: matrix.run-lint-and-tsc && steps.run_result.outputs.run_result != 'success' | |
| run: yarn lint | |
| - name: 'Run tsc' | |
| if: matrix.run-lint-and-tsc && steps.run_result.outputs.run_result != 'success' | |
| run: yarn build:dist | |
| # we do run tests in all matrix jobs | |
| - name: 'Run tests' | |
| if: steps.run_result.outputs.run_result != 'success' | |
| run: yarn test:coverage | |
| # but coverage is only sent for the run-lint-and-tsc job | |
| - name: Upload coverage to Codecov | |
| if: matrix.run-lint-and-tsc && steps.run_result.outputs.run_result != 'success' | |
| uses: codecov/codecov-action@v1 | |
| with: | |
| token: ${{ secrets.CODECOV_TOKEN }} | |
| file: ./coverage/** | |
| fail_ci_if_error: false | |
| - name: Upload artifacts | |
| if: always() && steps.run_result.outputs.run_result != 'success' | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: build-logs-${{ matrix.os }}-${{ matrix.libcurl-release }}-${{ matrix.node }} | |
| path: ./logs/ | |
| retention-days: 3 | |
| # TODO(Filipe) - fix this set-output | |
| - run: echo "::set-output name=run_result::success" > run_result | |
| build-and-test-electron: | |
| runs-on: ${{ matrix.os }} | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| os: | |
| - macos-latest | |
| - ubuntu-latest | |
| libcurl-release: | |
| - 8.4.0 | |
| node: | |
| - 18.16.1 | |
| electron-version: | |
| - 26.0.0 | |
| env: | |
| LIBCURL_RELEASE: ${{ matrix.libcurl-release }} | |
| LATEST_LIBCURL_RELEASE: ${{ matrix.libcurl-release }} | |
| ELECTRON_VERSION: ${{ matrix.electron-version }} | |
| NODE_LIBCURL_CPP_STD: c++17 | |
| steps: | |
| - id: timestamp | |
| run: echo "timestamp=$(timestamp +%s)" >> $GITHUB_OUTPUT | |
| - name: Restore the previous run result | |
| uses: actions/cache@v3 | |
| with: | |
| path: | | |
| run_result | |
| key: ${{ github.run_id }}-${{ github.job }}-${{ steps.timestamp.outputs.timestamp }} | |
| restore-keys: | | |
| ${{ github.run_id }}-${{ github.job }}- | |
| - id: run_result | |
| run: cat run_result 2>/dev/null || echo 'default' | |
| - name: Checkout | |
| uses: actions/checkout@v3 | |
| - name: Setup Node.js ${{ matrix.node }} | |
| uses: actions/setup-node@v3 | |
| with: | |
| node-version: ${{ matrix.node }} | |
| - name: Set up Homebrew | |
| id: set-up-homebrew | |
| uses: Homebrew/actions/setup-homebrew@master | |
| - name: Install Needed packages | |
| run: brew install coreutils wget automake libtool cmake gnu-sed m4 | |
| # not using brew for that one as we need 2.69 | |
| - if: runner.os == 'macOS' | |
| name: Install autoconf | |
| run: | | |
| curl -O -L http://ftpmirror.gnu.org/autoconf/autoconf-2.69.tar.gz | |
| tar -xzf autoconf-2.69.tar.gz | |
| cd autoconf-* | |
| ./configure | |
| make | |
| make install | |
| autoconf --version | |
| ln -s /usr/local/bin/glibtoolize /usr/local/bin/libtoolize | |
| - name: Output yarn cache dir | |
| id: yarn-cache-dir | |
| run: echo "dir=$(yarn cache dir)" >> $GITHUB_OUTPUT | |
| - name: Restore Yarn Cache | |
| uses: actions/cache@v3 | |
| id: yarn-cache | |
| with: | |
| path: ${{ steps.yarn-cache-dir.outputs.dir }} | |
| key: v1-${{ runner.os }}-yarn-cache-${{ github.ref }}-${{ hashFiles('**/yarn.lock') }} | |
| restore-keys: | | |
| v1-${{ runner.os }}-yarn-cache-${{ github.ref }}- | |
| v1-${{ runner.os }}-yarn-cache- | |
| - name: Restore Electron Cache | |
| uses: actions/cache@v3 | |
| with: | |
| path: ~/Library/Caches/electron | |
| key: v1-${{ runner.os }}-electron-cache-${{ matrix.electron-version }} | |
| restore-keys: | | |
| v1-${{ runner.os }}-electron-cache-${{ matrix.electron-version }} | |
| v1-${{ runner.os }}-electron-cache- | |
| - name: Restore libcurl deps cache | |
| uses: actions/cache@v3 | |
| id: libcurl-deps-cache | |
| with: | |
| path: | | |
| ~/.node-gyp | |
| ~/deps | |
| key: v4-build-lint-test-${{ runner.os }}-libcurl-deps-cache-electron-${{ matrix.electron-version }} | |
| restore-keys: | | |
| v4-build-lint-test-${{ runner.os }}-libcurl-deps-cache-electron-${{ matrix.electron-version }} | |
| - name: 'Set GIT_TAG' | |
| if: startsWith(github.ref, 'refs/tags') | |
| run: echo "GIT_TAG=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV | |
| - name: 'Build node-libcurl' | |
| if: steps.run_result.outputs.run_result != 'success' | |
| run: | | |
| RUN_TESTS=true \ | |
| RUN_PREGYP_CLEAN=false \ | |
| PUBLISH_BINARY=false \ | |
| ./scripts/ci/build.sh | |
| - name: Upload artifacts | |
| if: always() && steps.run_result.outputs.run_result != 'success' | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: build-logs-${{ matrix.os }}-${{ matrix.libcurl-release }}-${{ matrix.electron-version }} | |
| path: ./logs/ | |
| retention-days: 5 | |
| # TODO(Filipe) - fix this set-output | |
| - run: echo "::set-output name=run_result::success" > run_result | |
| build-and-test-nodejs-windows: | |
| runs-on: windows-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| node: | |
| - 18.16.1 | |
| env: | |
| npm_config_msvs_version: 2022 | |
| npm_config_build_from_source: true | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v3 | |
| with: | |
| submodules: recursive | |
| - name: Setup Node.js ${{ matrix.node }} | |
| uses: actions/setup-node@v3 | |
| with: | |
| node-version: ${{ matrix.node }} | |
| - name: Install dependencies | |
| run: | | |
| choco install nasm -y | |
| $env:PATH=$env:PROGRAMFILES + "\NASM;" + $env:Path | |
| python deps\curl-for-windows\configure.py | |
| - name: Build | |
| run: | | |
| $env:PATH=$env:PROGRAMFILES + "\NASM;" + $env:Path | |
| yarn install --frozen-lockfile | |
| - name: Test | |
| run: | | |
| yarn ts-node -e "console.log(require('./lib').Curl.getVersionInfoString())" | |
| yarn test | |
| if ($LASTEXITCODE -eq 0) { | |
| $host.SetShouldExit(0) | |
| } | |
| build-and-test-electron-windows: | |
| runs-on: windows-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| node: | |
| - 18.16.1 | |
| electron-version: | |
| - 26.0.0 | |
| env: | |
| ELECTRON_VERSION: ${{ matrix.electron-version }} | |
| npm_config_msvs_version: 2022 | |
| npm_config_build_from_source: true | |
| npm_config_runtime: 'electron' | |
| npm_config_dist_url: 'https://electronjs.org/headers' | |
| npm_config_target: ${{ matrix.electron-version }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v3 | |
| with: | |
| submodules: recursive | |
| - name: Setup Node.js ${{ matrix.node }} | |
| uses: actions/setup-node@v3 | |
| with: | |
| node-version: ${{ matrix.node }} | |
| - name: Install dependencies | |
| run: | | |
| choco install nasm -y | |
| $env:PATH=$env:PROGRAMFILES + "\NASM;" + $env:Path | |
| python deps\curl-for-windows\configure.py | |
| yarn global add electron@${env:ELECTRON_VERSION} | |
| - name: Build | |
| run: | | |
| $env:PATH=$env:PROGRAMFILES + "\NASM;" + $env:Path | |
| yarn install --frozen-lockfile | |
| - name: Test | |
| run: | | |
| yarn test:electron | |
| if ($LASTEXITCODE -eq 0) { | |
| $host.SetShouldExit(0) | |
| } |