Merge branch 'main' into upstream-server-fixes

Author: code-asher

ci/helm-chart/values.yaml

@@ -28,14 +28,6 @@ podAnnotations: {}
 podSecurityContext: {}
   # fsGroup: 2000
 
-securityContext: {}
-  # capabilities:
-  #   drop:
-  #   - ALL
-  # readOnlyRootFilesystem: true
-  # runAsNonRoot: true
-  # runAsUser: 1000
-
 service:
   type: ClusterIP
   port: 8080
@@ -127,10 +119,6 @@ persistence:
   # existingClaim: ""
   # hostPath: /data
 
-serviceAccount:
-  create: true
-  name:
-
 ## Enable an Specify container in extraContainers.
 ## This is meant to allow adding code-server dependencies, like docker-dind.
 extraContainers: |

docs/README.md

@@ -14,6 +14,9 @@ access it in the browser.
 - Preserve battery life when you're on the go; all intensive tasks run on your
   server
 
+| 🔔 code-server is a free browser-based IDE while [Coder](https://coder.com/), is our enterprise developer workspace platform. For more information, visit [Coder.com](https://coder.com/docs/comparison)
+| ---
+
 ## Requirements
 
 See [requirements](requirements.md) for minimum specs, as well as instructions

package.json

@@ -94,7 +94,7 @@
     "proxy-agent": "^5.0.0",
     "proxy-from-env": "^1.1.0",
     "qs": "6.10.1",
-    "rotating-file-stream": "^2.1.1",
+    "rotating-file-stream": "^3.0.0",
     "safe-buffer": "^5.1.1",
     "safe-compare": "^1.1.4",
     "semver": "^7.1.3",

src/node/routes/errors.ts

@@ -6,7 +6,7 @@ import { WebsocketRequest } from "../../../typings/pluginapi"
 import { HttpCode } from "../../common/http"
 import { rootPath } from "../constants"
 import { replaceTemplates } from "../http"
-import { getMediaMime } from "../util"
+import { escapeHtml, getMediaMime } from "../util"
 
 const notFoundCodes = ["ENOENT", "EISDIR"]
 export const errorHandler: express.ErrorRequestHandler = async (err, req, res, next) => {
@@ -29,7 +29,7 @@ export const errorHandler: express.ErrorRequestHandler = async (err, req, res, n
       replaceTemplates(req, content)
         .replace(/{{ERROR_TITLE}}/g, status)
         .replace(/{{ERROR_HEADER}}/g, status)
-        .replace(/{{ERROR_BODY}}/g, err.message),
+        .replace(/{{ERROR_BODY}}/g, escapeHtml(err.message)),
     )
   } else {
     res.json({

test/unit/node/routes/errors.test.ts

@@ -0,0 +1,35 @@
+import express from "express"
+import { errorHandler } from "../../../../src/node/routes/errors"
+
+describe("error page is rendered for text/html requests", () => {
+  it("escapes any html in the error messages", async () => {
+    const next = jest.fn()
+    const err = {
+      code: "ENOENT",
+      statusCode: 404,
+      message: ";>hello<script>alert(1)</script>",
+    }
+    const req = createRequest()
+    const res = {
+      status: jest.fn().mockReturnValue(this),
+      send: jest.fn().mockReturnValue(this),
+      set: jest.fn().mockReturnValue(this),
+    } as unknown as express.Response
+
+    await errorHandler(err, req, res, next)
+    expect(res.status).toHaveBeenCalledWith(404)
+    expect(res.send).toHaveBeenCalledWith(expect.not.stringContaining("<script>"))
+  })
+})
+
+function createRequest(): express.Request {
+  return {
+    headers: {
+      accept: ["text/html"],
+    },
+    originalUrl: "http://example.com/test",
+    query: {
+      to: "test",
+    },
+  } as unknown as express.Request
+}

yarn.lock

@@ -3701,10 +3701,10 @@ rimraf@^3.0.2:
   dependencies:
     glob "^7.1.3"
 
-rotating-file-stream@^2.1.1:
-  version "2.1.5"
-  resolved "https://registry.yarnpkg.com/rotating-file-stream/-/rotating-file-stream-2.1.5.tgz#6490d0a09e11dd4d441aa5d4d3676debed4a44e4"
-  integrity sha512-wnYazkT8oD5HXTj44WhB030aKo74OyICrPz/QKCUah59QD7Np4OhdoTC0WNZfhMx1ClsZp4lYMlAdof+DIkZ1Q==
+rotating-file-stream@^3.0.0:
+  version "3.0.0"
+  resolved "https://registry.yarnpkg.com/rotating-file-stream/-/rotating-file-stream-3.0.0.tgz#5193da921808dc98e1e60595fb2f32d33d622884"
+  integrity sha512-qKk1AAjrKxFYIqRU/GBSzwMLM7wqHYxztKXk7h55728n5EU2sKlPNlcXjqfbK11TiOUZChbtAHDCDIGCE6cg5g==
 
 [email protected]:
   version "2.0.0-alpha.1"