[AUTO-CHERRYPICK] Patched CVE-2024-37890, CVE-2023-42282, and CVE-2017-18214 in reaper. - branch main (#9807)

Co-authored-by: Pawel Winogrodzki <pawelwi@microsoft.com>

Author: CBL-Mariner-Bot

SPECS/reaper/CVE-2017-18214.patch

@@ -0,0 +1,117 @@
+From: Pawel Winogrodzki <pawelwi@microsoft.com>
+Date: Tue, 9 Jul 2024 21:55:46 +0000
+Subject: Patching CVE-2023-42282.
+
+Backported upstream patch:
+https://github.com/indutny/node-ip/commit/6a3ada9b471b09d5f0f5be264911ab564bf67894?diff=split&w=0
+---
+ lib/ip.js | 77 ++++++++++++++++++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 73 insertions(+), 4 deletions(-)
+
+diff --git a/tmp_local/n/versions/node/14.18.0/lib/node_modules/npm/node_modules/ip/lib/ip.js b/tmp_local/n/versions/node/14.18.0/lib/node_modules/npm/node_modules/ip/lib/ip.js
+index c1799a8..a0c920f 100644
+--- a/tmp_local/n/versions/node/14.18.0/lib/node_modules/npm/node_modules/ip/lib/ip.js
++++ b/tmp_local/n/versions/node/14.18.0/lib/node_modules/npm/node_modules/ip/lib/ip.js
+@@ -300,12 +300,26 @@ ip.isEqual = function(a, b) {
+ };
+ 
+ ip.isPrivate = function(addr) {
+-  return /^(::f{4}:)?10\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$/i
+-      .test(addr) ||
++  // check loopback addresses first
++  if (ip.isLoopback(addr)) {
++    return true;
++  }
++
++  // ensure the ipv4 address is valid
++  if (!ip.isV6Format(addr)) {
++    const ipl = ip.normalizeToLong(addr);
++    if (ipl < 0) {
++      throw new Error('invalid ipv4 address');
++    }
++    // normalize the address for the private range checks that follow
++    addr = ip.fromLong(ipl);
++  }
++
++  // check private ranges
++  return /^(::f{4}:)?10\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$/i.test(addr) ||
+     /^(::f{4}:)?192\.168\.([0-9]{1,3})\.([0-9]{1,3})$/i.test(addr) ||
+     /^(::f{4}:)?172\.(1[6-9]|2\d|30|31)\.([0-9]{1,3})\.([0-9]{1,3})$/i
+       .test(addr) ||
+-    /^(::f{4}:)?127\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$/i.test(addr) ||
+     /^(::f{4}:)?169\.254\.([0-9]{1,3})\.([0-9]{1,3})$/i.test(addr) ||
+     /^f[cd][0-9a-f]{2}:/i.test(addr) ||
+     /^fe80:/i.test(addr) ||
+@@ -318,9 +332,16 @@ ip.isPublic = function(addr) {
+ };
+ 
+ ip.isLoopback = function(addr) {
++  // If addr is an IPv4 address in long integer form (no dots and no colons), convert it
++  if (!/\./.test(addr) && !/:/.test(addr)) {
++    addr = ip.fromLong(Number(addr));
++  }
++
+   return /^(::f{4}:)?127\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})/
+       .test(addr) ||
+-    /^fe80::1$/.test(addr) ||
++    /^0177\./.test(addr) ||
++    /^0x7f\./i.test(addr) ||
++    /^fe80::1$/i.test(addr) ||
+     /^::1$/.test(addr) ||
+     /^::$/.test(addr);
+ };
+@@ -414,3 +435,51 @@ ip.fromLong = function(ipl) {
+       (ipl >> 8 & 255) + '.' +
+       (ipl & 255) );
+ };
++
++ip.normalizeToLong = function (addr) {
++  const parts = addr.split('.').map(part => {
++    // Handle hexadecimal format
++    if (part.startsWith('0x') || part.startsWith('0X')) {
++      return parseInt(part, 16);
++    }
++    // Handle octal format (strictly digits 0-7 after a leading zero)
++    else if (part.startsWith('0') && part !== '0' && /^[0-7]+$/.test(part)) {
++      return parseInt(part, 8);
++    }
++    // Handle decimal format, reject invalid leading zeros
++    else if (/^[1-9]\d*$/.test(part) || part === '0') {
++      return parseInt(part, 10);
++    }
++    // Return NaN for invalid formats to indicate parsing failure
++    else {
++      return NaN;
++    }
++  });
++
++  if (parts.some(isNaN)) return -1; // Indicate error with -1
++
++  let val = 0;
++  const n = parts.length;
++
++  switch (n) {
++  case 1:
++    val = parts[0];
++    break;
++  case 2:
++    if (parts[0] > 0xff || parts[1] > 0xffffff) return -1;
++    val = (parts[0] << 24) | (parts[1] & 0xffffff);
++    break;
++  case 3:
++    if (parts[0] > 0xff || parts[1] > 0xff || parts[2] > 0xffff) return -1;
++    val = (parts[0] << 24) | (parts[1] << 16) | (parts[2] & 0xffff);
++    break;
++  case 4:
++    if (parts.some(part => part > 0xff)) return -1;
++    val = (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3];
++    break;
++  default:
++    return -1; // Error case
++  }
++
++  return val >>> 0;
++};
+-- 
+2.39.4
+

SPECS/reaper/CVE-2023-42282.patch

@@ -0,0 +1,34 @@
+From 355a396ccce875ea012a4ea8e6ab283bb575ba5b Mon Sep 17 00:00:00 2001
+From: ABC <abc>
+Date: Tue, 9 Jul 2024 16:48:16 +0000
+Subject: [PATCH] Patching CVE-2024-37890.
+
+Applying the patch for the 6.x versions from:
+https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63
+---
+ src/ui/node_modules/ws/lib/websocket-server.js | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/ui/node_modules/ws/lib/websocket-server.js b/src/ui/node_modules/ws/lib/websocket-server.js
+index db02f4d0..b74eb1cf 100644
+--- a/src/ui/node_modules/ws/lib/websocket-server.js
++++ b/src/ui/node_modules/ws/lib/websocket-server.js
+@@ -186,12 +186,14 @@ class WebSocketServer extends EventEmitter {
+       req.headers['sec-websocket-key'] !== undefined
+         ? req.headers['sec-websocket-key'].trim()
+         : false;
++    const upgrade = req.headers.upgrade;
+     const version = +req.headers['sec-websocket-version'];
+     const extensions = {};
+ 
+     if (
+       req.method !== 'GET' ||
+-      req.headers.upgrade.toLowerCase() !== 'websocket' ||
++      upgrade === undefined ||
++      upgrade.toLowerCase() !== 'websocket' ||
+       !key ||
+       !keyRegex.test(key) ||
+       (version !== 8 && version !== 13) ||
+-- 
+2.39.4
+

SPECS/reaper/CVE-2024-37890.patch

@@ -1,12 +1,10 @@
 {
  "Signatures": {
   "cassandra-reaper-3.1.1.tar.gz": "6efe52195ad4a3c3b7a6f928bafa60d3df011709d9bc918e717033bf86d724d8",
-  "reaper-bower-cache-3.1.1.tar.gz": "a8532fe1d28f6d2c99a5e0d08b17b85465617931d49c7d27450ed328e59c0b08",
   "reaper-bower-components-3.1.1-1.tar.gz": "51f5b03b3f56966f5fbfe28a13e0a74003cf33372ff4ba13fd82c6fe79092033",
   "reaper-local-lib-node-modules-3.1.1.tar.gz": "8daf9a8726a85ca31b024a5bab60a357fe927f670908955cdd9b106bf9c6bd60",
   "reaper-local-n-3.1.1-1.tar.gz": "e60ecf1c982c8cd44b35da02aec6de5b1f8f0df562f290f9bb905d03f9eefa68",
   "reaper-m2-cache-3.1.1.tar.gz": "14103df496c6bfd1bf2690b45e6082e3411872f7332f03a68cf5d8e28fc6b27f",
-  "reaper-npm-cache-3.1.1.tar.gz": "1fd8fd9438ef682cccceaaf49d0e65ec50eb7145c20f27253a3521c731e79585",
   "reaper-srcui-node-modules-3.1.1-1.tar.gz": "edd67243e97838657e09513f639a8e7c81fbb813353a19eba3949f79fb9e3e9e"
  }
 }

SPECS/reaper/reaper.signatures.json

@@ -3,48 +3,45 @@
 %define local_n_release 1
 %define local_srcui_release 1
 
-%define srcdir cassandra-%{name}-%{version}
-%define bower_components reaper-bower-components-%{version}-%{local_srcui_release}.tar.gz
-%define srcui_node_modules reaper-srcui-node-modules-%{version}-%{local_srcui_release}.tar.gz
-%define bower_cache reaper-bower-cache-%{version}.tar.gz
-%define maven_cache reaper-m2-cache-%{version}.tar.gz
-%define npm_cache reaper-npm-cache-%{version}.tar.gz
-%define local_lib_node_modules reaper-local-lib-node-modules-%{version}.tar.gz
-%define local_n reaper-local-n-%{version}-%{local_n_release}.tar.gz
-
 Summary:        Reaper for cassandra is a tool for running Apache Cassandra repairs against single or multi-site clusters.
 Name:           reaper
 Version:        3.1.1
-Release:        9%{?dist}
+Release:        10%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 Group:          Applications/System
 URL:            https://cassandra-reaper.io/
 Source0:        https://github.com/thelastpickle/cassandra-reaper/archive/refs/tags/%{version}.tar.gz#/cassandra-reaper-%{version}.tar.gz
-# Building reaper from sources downloads artifacts related to maven/node/etc. These artifacts need to be downloaded as caches in order to build reaper using maven in offline mode.
+# Building reaper from sources downloads artifacts related to maven/node/etc.
+# These artifacts need to be downloaded as caches in order to build reaper using maven in offline mode.
 # Below is the list of cached sources.
 # bower-components downloaded under src/ui
 # NOTE: USE "reaper_build_caches.sh" TO RE-GENERATE BUILD CACHES.
-Source1:        %{bower_components}
+Source1:        reaper-bower-components-%{version}-%{local_srcui_release}.tar.gz
 # node_modules downloaded under src/ui
-Source2:        %{srcui_node_modules}
-# bower cache
-Source3:        %{bower_cache}
+Source2:        reaper-srcui-node-modules-%{version}-%{local_srcui_release}.tar.gz
 # m2 cache
-Source4:        %{maven_cache}
-# npm cache
-Source5:        %{npm_cache}
+Source4:        reaper-m2-cache-%{version}.tar.gz
 # node_modules downloaded to /usr/local/lib
-Source6:        %{local_lib_node_modules}
+Source6:        reaper-local-lib-node-modules-%{version}.tar.gz
 # v14.18.0 node binary under /usr/local
-Source7:        %{local_n}
+Source7:        reaper-local-n-%{version}-%{local_n_release}.tar.gz
+# Patches the src/ui/node_modules/ws/lib/websocket-server.js file, which comes
+# from the "reaper-srcui-node-modules*" tarball.
+# The src/ui/node_modules/ws/package.json file suggest we're on the
+# 6.x version of "ws". Patch for this version taken from here:
+# https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63
+Patch0:         CVE-2024-37890.patch
+Patch1:         CVE-2023-42282.patch
+Patch2:         CVE-2017-18214.patch
 BuildRequires:  git
 BuildRequires:  javapackages-tools
 BuildRequires:  maven
 BuildRequires:  msopenjdk-11
 BuildRequires:  nodejs
 BuildRequires:  python3
+BuildRequires:  rsync
 BuildRequires:  systemd-rpm-macros
 BuildRequires:  openssl-devel
 Requires:       msopenjdk-11
@@ -58,22 +55,15 @@ ExclusiveArch:  x86_64
 Cassandra reaper is an open source tool that aims to schedule and orchestrate repairs of Apache Cassandra clusters.
 
 %prep
-%setup -q -n %{srcdir}
-
-%build
-export JAVA_HOME="%{_libdir}/jvm/msopenjdk-11"
-export LD_LIBRARY_PATH="%{_libdir}/jvm/msopenjdk-11/lib/jli"
-
-pushd "$HOME"
-echo "Installing bower cache."
-tar xf %{SOURCE3}
+%autosetup -N -n cassandra-%{name}-%{version}
 
-echo "Installing m2 cache."
-tar xf %{SOURCE4}
+echo "Installing bower_components and npm_modules caches."
+for source in "%{SOURCE1}" "%{SOURCE2}"; do
+    tar -C src/ui -xf "$source"
+done
 
-echo "Installing npm cache"
-tar xf %{SOURCE5}
-popd
+echo "Installing the m2 cache."
+tar -C "$HOME" -xf "%{SOURCE4}"
 
 # Reaper build fails when trying to install node-sass@4.9.0/node-gyp@3.8.0 and build node native addons using mariner default node@16.14.2/npm@8.5.0.
 # ERROR:
@@ -82,33 +72,35 @@ popd
 # There is no way to remove node-sass dependency from builds, hence we need to install local node/npm and caches to be able to build reaper.
 # NOTE: This issue was also faced on Fedora Fc37 when trying to build reaper.
 # NOTE: node-sass seems to be deprecated, the spec and build process will be modified once reaper removes its dependencies as well.
-pushd %{_prefix}/local
+
+# Extracting to intermediate folder to apply patch.
+tmp_local_dir=tmp_local
+mkdir -p $tmp_local_dir/{bin,lib}
+pushd $tmp_local_dir
 echo "Installing node_modules"
-tar xf %{SOURCE6} -C ./lib/
+tar -C ./lib/ -xf %{SOURCE6}
 
 echo "Installing n version 14.18.0"
-tar xf %{SOURCE7}
+tar -xf %{SOURCE7}
 
 echo "Creating symlinks under local/bin"
-cd ./bin
-ln -sf ../lib/node_modules/bower/bin/bower bower
-ln -sf ../lib/node_modules/npm/bin/npm-cli.js npm
-ln -sf ../lib/node_modules/npm/bin/npx-cli.js npx
+ln -sf ../lib/node_modules/bower/bin/bower bin/bower
+ln -sf ../lib/node_modules/npm/bin/npm-cli.js bin/npm
+ln -sf ../lib/node_modules/npm/bin/npx-cli.js bin/npx
 
-cp ../n/versions/node/14.18.0/bin/node .
+cp n/versions/node/14.18.0/bin/node bin
 
 ls -al
 popd
 
-cd %{_builddir}/%{srcdir}
-echo "Installing src caches"
-pushd ./src/ui
-echo "Installing bower_components"
-tar xf %{SOURCE1}
+%autopatch -p1
 
-echo "Installing npm_modules"
-tar fx %{SOURCE2}
-popd
+rsync -azvhr $tmp_local_dir/ "%{_prefix}/local"
+rm -rf $tmp_local_dir
+
+%build
+export JAVA_HOME="%{_libdir}/jvm/msopenjdk-11"
+export LD_LIBRARY_PATH="%{_libdir}/jvm/msopenjdk-11/lib/jli"
 
 # Building using maven in offline mode.
 mvn -DskipTests package -o
@@ -122,7 +114,8 @@ mkdir -p %{buildroot}%{_sysconfdir}/cassandra-%{name}/configs
 mkdir -p %{buildroot}%{_sysconfdir}/bash_completion.d
 mkdir -p %{buildroot}%{_unitdir}
 mkdir -p %{buildroot}%{_datadir}/licenses/%{name}
-cd %{_builddir}/%{srcdir}/src/packaging
+
+pushd src/packaging
 
 cp resource/cassandra-reaper.yaml %{buildroot}%{_sysconfdir}/cassandra-%{name}/
 cp resource/cassandra-reaper*.yaml %{buildroot}%{_sysconfdir}/cassandra-%{name}/configs
@@ -139,7 +132,7 @@ cp debian/cassandra-%{name}.new.service %{buildroot}/%{_unitdir}/cassandra-%{nam
 chmod 0644 %{buildroot}/%{_unitdir}/cassandra-%{name}.service
 chmod 7555 %{buildroot}%{_sysconfdir}/init.d/cassandra-%{name}
 
-cp %{_builddir}/%{srcdir}/LICENSE.txt %{buildroot}%{_datadir}/licenses/%{name}
+popd
 
 %pre
 getent group reaper > /dev/null || groupadd -r reaper
@@ -178,6 +171,9 @@ fi
 %{_unitdir}/cassandra-%{name}.service
 
 %changelog
+* Tue Jul 09 2024 Pawel Winogrodzki <pawelwi@microsoft.com> - 3.1.1-10
+- Patching CVE-2024-37890, CVE-2023-42282, and CVE-2017-18214.
+
 * Thu May 23 2024 Archana Choudhary <archana1@microsoft.com> - 3.1.1-9
 - Repackage and update src/ui node modules and bower components to 3.1.1-1
 - Address CVE-2024-4068 by upgrading the version of the npm module "braces" to 3.0.3

SPECS/reaper/reaper.spec

@@ -24,9 +24,7 @@ SOURCE_URL="https://github.com/thelastpickle/cassandra-reaper/archive/refs/tags/
 # Build cache names
 BOWER_COMPONENTS="reaper-bower-components-${VERSION}.tar.gz"
 SRC_UI_NODE_MODULES="reaper-srcui-node-modules-${VERSION}.tar.gz"
-BOWER_CACHE="reaper-bower-cache-${VERSION}.tar.gz"
 MAVEN_CACHE="reaper-m2-cache-${VERSION}.tar.gz"
-NPM_CACHE="reaper-npm-cache-${VERSION}.tar.gz"
 LOCAL_LIB_NODE_MODULES="reaper-local-lib-node-modules-${VERSION}.tar.gz"
 LOCAL_N="reaper-local-n-${VERSION}.tar.gz"
 
@@ -103,17 +101,10 @@ function buildReaperSources {
 function createCacheTars {
 	echo "Creating build caches."
 	pushd ${homeCacheDir}
-	echo "creating bower_cache tar..."
-	tar -cf ${BOWER_CACHE} .cache
-	mv ${BOWER_CACHE} ${reaperCacheDir}
 
 	echo "creating maven_cache tar..."
 	tar -cf ${MAVEN_CACHE} .m2
 	mv ${MAVEN_CACHE} ${reaperCacheDir}
-
-	echo "creating npm_cache tar..."
-	tar -cf ${NPM_CACHE} .npm
-	mv ${NPM_CACHE} ${reaperCacheDir}
 	popd
 
 	pushd ${tempDir}/cassandra-reaper-${VERSION}/src/ui