Merge branch 'main' into vscode-1.56

Author: Akash Satheesan

.github/workflows/ci.yaml

@@ -43,10 +43,6 @@ jobs:
         if: steps.cache-yarn.outputs.cache-hit != 'true'
         run: yarn --frozen-lockfile
 
-      - name: Audit for vulnerabilities
-        run: yarn _audit
-        if: success()
-
       - name: Run yarn fmt
         run: yarn fmt
         if: success()
@@ -63,6 +59,34 @@ jobs:
         run: yarn coverage
         if: success()
 
+  audit-ci:
+    name: Run audit-ci
+    needs: prebuild
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v2
+
+      - name: Install Node.js v12
+        uses: actions/setup-node@v2
+        with:
+          node-version: "12"
+
+      - name: Fetch dependencies from cache
+        id: cache-yarn
+        uses: actions/cache@v2
+        with:
+          path: "**/node_modules"
+          key: yarn-build-${{ hashFiles('**/yarn.lock') }}
+
+      - name: Install dependencies
+        if: steps.cache-yarn.outputs.cache-hit != 'true'
+        run: yarn --frozen-lockfile
+
+      - name: Audit for vulnerabilities
+        run: yarn _audit
+        if: success()
+
   build:
     name: Build
     needs: prebuild

docs/SECURITY.md

@@ -1,12 +1,28 @@
 # Security Policy
 
+The code-server team (and Coder, the organization) care a lot about keeping the project secure and safe for end-users.
+
+## Tools
+
+We use a combination of tools to help us stay on top of vulnerabilities.
+
+- [dependabot](https://dependabot.com/)
+  - Submits pull requests to upgrade dependencies. We use dependabot's version upgrades as well as security updates.
+- code-scanning
+  - [CodeQL](https://securitylab.github.com/tools/codeql/)
+    - Semantic code analysis engine that runs on a regular schedule (see `codeql-analysis.yml`)
+  - [trivy](https://github.com/aquasecurity/trivy)
+    - Comprehensive vulnerability scanner that runs on PRs into the default branch and scans both our container image and repository code (see `trivy-scan-repo` and `trivy-scan-image` jobs in `ci.yaml`)
+- [`audit-ci`](https://github.com/IBM/audit-ci)
+  - Audits npm and Yarn dependencies in CI (see "Audit for vulnerabilities" step in `ci.yaml`) on PRs into the default branch and fails CI if moderate or higher vulnerabilities(see the `audit.sh` script) are present.
+
 ## Supported Versions
 
 Coder sponsors development and maintenance of the code-server project. We will fix security issues within 90 days of receiving a report, and publish the fix in a subsequent release. The code-server project does not provide backports or patch releases for security issues at this time.
 
-| Version | Supported          |
-| ------- | ------------------ |
-| 3.9.3   | :white_check_mark: |
+| Version                                               | Supported          |
+| ----------------------------------------------------- | ------------------ |
+| [Latest](https://github.com/cdr/code-server/releases) | :white_check_mark: |
 
 ## Reporting a Vulnerability
 

lib/vscode/package.json

@@ -195,7 +195,7 @@
     "tsec": "0.1.4",
     "typescript": "^4.3.0-dev.20210426",
     "typescript-formatter": "7.1.0",
-    "underscore": "^1.8.2",
+    "underscore": "^1.12.1",
     "vinyl": "^2.0.0",
     "vinyl-fs": "^3.0.0",
     "vscode-debugprotocol": "1.47.0",

lib/vscode/yarn.lock

@@ -8915,16 +8915,11 @@ unc-path-regex@^0.1.2:
   resolved "https://registry.yarnpkg.com/unc-path-regex/-/unc-path-regex-0.1.2.tgz#e73dd3d7b0d7c5ed86fbac6b0ae7d8c6a69d50fa"
   integrity sha1-5z3T17DXxe2G+6xrCufYxqadUPo=
 
-underscore@^1.8.2:
+underscore@^1.8.2, underscore@~1.8.3:
   version "1.13.1"
   resolved "https://registry.yarnpkg.com/underscore/-/underscore-1.13.1.tgz#0c1c6bd2df54b6b69f2314066d65b6cde6fcf9d1"
   integrity sha512-hzSoAVtJF+3ZtiFX0VgfFPHEDRm7Y/QPjGyNo4TVdnDTdft3tr8hEkD25a1jC+TjTuE7tkHGKkhwCgs9dgBB2g==
 
-underscore@~1.8.3:
-  version "1.8.3"
-  resolved "https://registry.yarnpkg.com/underscore/-/underscore-1.8.3.tgz#4f3fb53b106e6097fcf9cb4109f2a5e9bdfa5022"
-  integrity sha1-Tz+1OxBuYJf8+ctBCfKl6b36UCI=
-
 undertaker-registry@^1.0.0:
   version "1.0.1"
   resolved "https://registry.yarnpkg.com/undertaker-registry/-/undertaker-registry-1.0.1.tgz#5e4bda308e4a8a2ae584f9b9a4359a499825cc50"

package.json

@@ -144,7 +144,7 @@
       "clover"
     ],
     "coveragePathIgnorePatterns": [
-      "out"
+      "/out"
     ],
     "coverageThreshold": {
       "global": {

src/node/cli.ts

@@ -6,6 +6,11 @@ import * as path from "path"
 import { Args as VsArgs } from "../../typings/ipc"
 import { canConnect, generateCertificate, generatePassword, humanPath, paths } from "./util"
 
+export enum Feature {
+  /** Web socket compression. */
+  PermessageDeflate = "permessage-deflate",
+}
+
 export enum AuthType {
   Password = "password",
   None = "none",
@@ -35,6 +40,7 @@ export interface Args extends VsArgs {
   "cert-key"?: string
   "disable-telemetry"?: boolean
   "disable-update-check"?: boolean
+  enable?: string[]
   help?: boolean
   host?: string
   json?: boolean
@@ -128,6 +134,9 @@ const options: Options<Required<Args>> = {
       "Disable update check. Without this flag, code-server checks every 6 hours against the latest github release and \n" +
       "then notifies you once every week that a new release is available.",
   },
+  // --enable can be used to enable experimental features. These features
+  // provide no guarantees.
+  enable: { type: "string[]" },
   help: { type: "boolean", short: "h", description: "Show this output." },
   json: { type: "boolean" },
   open: { type: "boolean", description: "Open in browser on startup. Does not work remotely." },

src/node/constants.ts

@@ -20,3 +20,4 @@ export const version = pkg.version || "development"
 export const commit = pkg.commit || "development"
 export const rootPath = path.resolve(__dirname, "../..")
 export const tmpdir = path.join(os.tmpdir(), "code-server")
+export const isDevMode = commit === "development"

src/node/entry.ts

@@ -1,163 +1,17 @@
-import { field, logger } from "@coder/logger"
-import * as cp from "child_process"
-import http from "http"
-import * as path from "path"
-import { CliMessage, OpenCommandPipeArgs } from "../../typings/ipc"
-import { plural } from "../common/util"
-import { createApp, ensureAddress } from "./app"
+import { logger } from "@coder/logger"
 import {
-  AuthType,
-  DefaultedArgs,
   optionDescriptions,
   parse,
   readConfigFile,
   setDefaults,
   shouldOpenInExistingInstance,
   shouldRunVsCodeCli,
 } from "./cli"
-import { coderCloudBind } from "./coder_cloud"
 import { commit, version } from "./constants"
+import { openInExistingInstance, runCodeServer, runVsCodeCli } from "./main"
 import * as proxyAgent from "./proxy_agent"
-import { register } from "./routes"
-import { humanPath, isFile, open } from "./util"
 import { isChild, wrapper } from "./wrapper"
 
-export const runVsCodeCli = (args: DefaultedArgs): void => {
-  logger.debug("forking vs code cli...")
-  const vscode = cp.fork(path.resolve(__dirname, "../../lib/vscode/out/vs/server/fork"), [], {
-    env: {
-      ...process.env,
-      CODE_SERVER_PARENT_PID: process.pid.toString(),
-    },
-  })
-  vscode.once("message", (message: any) => {
-    logger.debug("got message from VS Code", field("message", message))
-    if (message.type !== "ready") {
-      logger.error("Unexpected response waiting for ready response", field("type", message.type))
-      process.exit(1)
-    }
-    const send: CliMessage = { type: "cli", args }
-    vscode.send(send)
-  })
-  vscode.once("error", (error) => {
-    logger.error("Got error from VS Code", field("error", error))
-    process.exit(1)
-  })
-  vscode.on("exit", (code) => process.exit(code || 0))
-}
-
-export const openInExistingInstance = async (args: DefaultedArgs, socketPath: string): Promise<void> => {
-  const pipeArgs: OpenCommandPipeArgs & { fileURIs: string[] } = {
-    type: "open",
-    folderURIs: [],
-    fileURIs: [],
-    forceReuseWindow: args["reuse-window"],
-    forceNewWindow: args["new-window"],
-  }
-
-  for (let i = 0; i < args._.length; i++) {
-    const fp = path.resolve(args._[i])
-    if (await isFile(fp)) {
-      pipeArgs.fileURIs.push(fp)
-    } else {
-      pipeArgs.folderURIs.push(fp)
-    }
-  }
-
-  if (pipeArgs.forceNewWindow && pipeArgs.fileURIs.length > 0) {
-    logger.error("--new-window can only be used with folder paths")
-    process.exit(1)
-  }
-
-  if (pipeArgs.folderURIs.length === 0 && pipeArgs.fileURIs.length === 0) {
-    logger.error("Please specify at least one file or folder")
-    process.exit(1)
-  }
-
-  const vscode = http.request(
-    {
-      path: "/",
-      method: "POST",
-      socketPath,
-    },
-    (response) => {
-      response.on("data", (message) => {
-        logger.debug("got message from VS Code", field("message", message.toString()))
-      })
-    },
-  )
-  vscode.on("error", (error: unknown) => {
-    logger.error("got error from VS Code", field("error", error))
-  })
-  vscode.write(JSON.stringify(pipeArgs))
-  vscode.end()
-}
-
-const main = async (args: DefaultedArgs): Promise<void> => {
-  logger.info(`code-server ${version} ${commit}`)
-
-  logger.info(`Using user-data-dir ${humanPath(args["user-data-dir"])}`)
-  logger.trace(`Using extensions-dir ${humanPath(args["extensions-dir"])}`)
-
-  if (args.auth === AuthType.Password && !args.password && !args["hashed-password"]) {
-    throw new Error(
-      "Please pass in a password via the config file or environment variable ($PASSWORD or $HASHED_PASSWORD)",
-    )
-  }
-
-  const [app, wsApp, server] = await createApp(args)
-  const serverAddress = ensureAddress(server)
-  await register(app, wsApp, server, args)
-
-  logger.info(`Using config file ${humanPath(args.config)}`)
-  logger.info(`HTTP server listening on ${serverAddress} ${args.link ? "(randomized by --link)" : ""}`)
-
-  if (args.auth === AuthType.Password) {
-    logger.info("  - Authentication is enabled")
-    if (args.usingEnvPassword) {
-      logger.info("    - Using password from $PASSWORD")
-    } else if (args.usingEnvHashedPassword) {
-      logger.info("    - Using password from $HASHED_PASSWORD")
-    } else {
-      logger.info(`    - Using password from ${humanPath(args.config)}`)
-    }
-  } else {
-    logger.info(`  - Authentication is disabled ${args.link ? "(disabled by --link)" : ""}`)
-  }
-
-  if (args.cert) {
-    logger.info(`  - Using certificate for HTTPS: ${humanPath(args.cert.value)}`)
-  } else {
-    logger.info(`  - Not serving HTTPS ${args.link ? "(disabled by --link)" : ""}`)
-  }
-
-  if (args["proxy-domain"].length > 0) {
-    logger.info(`  - ${plural(args["proxy-domain"].length, "Proxying the following domain")}:`)
-    args["proxy-domain"].forEach((domain) => logger.info(`    - *.${domain}`))
-  }
-
-  if (args.link) {
-    try {
-      await coderCloudBind(serverAddress.replace(/^https?:\/\//, ""), args.link.value)
-      logger.info("  - Connected to cloud agent")
-    } catch (err) {
-      logger.error(err.message)
-      wrapper.exit(1)
-    }
-  }
-
-  if (!args.socket && args.open) {
-    // The web socket doesn't seem to work if browsing with 0.0.0.0.
-    const openAddress = serverAddress.replace("://0.0.0.0", "://localhost")
-    try {
-      await open(openAddress)
-      logger.info(`Opened ${openAddress}`)
-    } catch (error) {
-      logger.error("Failed to open", field("address", openAddress), field("error", error))
-    }
-  }
-}
-
 async function entry(): Promise<void> {
   proxyAgent.monkeyPatch(false)
 
@@ -170,7 +24,8 @@ async function entry(): Promise<void> {
   if (isChild(wrapper)) {
     const args = await wrapper.handshake()
     wrapper.preventExit()
-    return main(args)
+    await runCodeServer(args)
+    return
   }
 
   const cliArgs = parse(process.argv.slice(2))