From 9b78c31d9d6ff474c9d29aa4252a2d95ccc9861c Mon Sep 17 00:00:00 2001 From: timothycarambat Date: Fri, 19 Jul 2024 16:21:12 -0700 Subject: [PATCH 1/3] add VEX exception --- .github/workflows/build-and-push-image.yaml | 1 + docker/vex/CVE-2024-37890.vex.json | 51 +++++++++++++++++++++ 2 files changed, 52 insertions(+) create mode 100644 docker/vex/CVE-2024-37890.vex.json diff --git a/.github/workflows/build-and-push-image.yaml b/.github/workflows/build-and-push-image.yaml index f29fa511d..95e8d187b 100644 --- a/.github/workflows/build-and-push-image.yaml +++ b/.github/workflows/build-and-push-image.yaml @@ -22,6 +22,7 @@ on: - '.github/ISSUE_TEMPLATE/**/*' - 'embed/**/*' # Embed should be published to frontend (yarn build:publish) if any changes are introduced - 'server/utils/agents/aibitat/example/**/*' # Do not push new image for local dev testing of new aibitat images. + - 'docker/vex/*' # CVE exceptions we know are not in risk jobs: push_multi_platform_to_registries: diff --git a/docker/vex/CVE-2024-37890.vex.json b/docker/vex/CVE-2024-37890.vex.json new file mode 100644 index 000000000..89de7553c --- /dev/null +++ b/docker/vex/CVE-2024-37890.vex.json @@ -0,0 +1,51 @@ +{ + "@context": "https://openvex.dev/ns/v0.2.0", + "@id": "https://openvex.dev/docs/public/vex-939548c125c5bfebd3fd91e64c1c53bffacbde06b3611b4474ea90fa58045004", + "author": "tim@mintplexlabs.com", + "timestamp": "2024-07-19T16:08:47.147169-07:00", + "version": 1, + "statements": [ + { + "vulnerability": { + "name": "CVE-2024-37890" + }, + "timestamp": "2024-07-19T16:08:47.147172-07:00", + "products": [ + { + "@id": "pkg:docker/mintplexlabs/anythingllm@render", + "subcomponents": [ + { + "@id": "pkg:npm/ws@8.14.2" + } + ] + }, + { + "@id": "pkg:docker/mintplexlabs/anythingllm@railway", + "subcomponents": [ + { + "@id": "pkg:npm/ws@8.14.2" + } + ] + }, + { + "@id": "pkg:docker/mintplexlabs/anythingllm@latest", + "subcomponents": [ + { + "@id": "pkg:npm/ws@8.14.2" + } + ] + }, + { + "@id": "pkg:docker/mintplexlabs/anythingllm@master", + "subcomponents": [ + { + "@id": "pkg:npm/ws@8.14.2" + } + ] + } + ], + "status": "not_affected", + "justification": "vulnerable_code_cannot_be_controlled_by_adversary" + } + ] +} \ No newline at end of file From b5a2437bb53a414780549cf67c58c82755d3657d Mon Sep 17 00:00:00 2001 From: Timothy Carambat Date: Fri, 19 Jul 2024 17:40:22 -0700 Subject: [PATCH 2/3] patch docker scount CVE in old express-ws pkg (#1907) * patch CVE in old express-ws pkg * patch workflow * remove dev-image --- server/index.js | 2 +- server/package.json | 4 ++-- .../websocket/websock-branding-collab.js | 2 +- .../websocket/websock-multi-turn-chat.js | 2 +- server/utils/boot/index.js | 11 +++++++++- server/yarn.lock | 22 +++++++++---------- 6 files changed, 26 insertions(+), 17 deletions(-) diff --git a/server/index.js b/server/index.js index c2f584443..757f35344 100644 --- a/server/index.js +++ b/server/index.js @@ -41,7 +41,7 @@ app.use( if (!!process.env.ENABLE_HTTPS) { bootSSL(app, process.env.SERVER_PORT || 3001); } else { - require("express-ws")(app); // load WebSockets in non-SSL mode. + require("@mintplex-labs/express-ws").default(app); // load WebSockets in non-SSL mode. } app.use("/api", apiRouter); diff --git a/server/package.json b/server/package.json index 57c925686..4f07e68b5 100644 --- a/server/package.json +++ b/server/package.json @@ -33,6 +33,7 @@ "@langchain/openai": "0.0.28", "@langchain/textsplitters": "0.0.0", "@mintplex-labs/bree": "^9.2.5", + "@mintplex-labs/express-ws": "^5.0.7", "@pinecone-database/pinecone": "^2.0.1", "@prisma/client": "5.3.1", "@qdrant/js-client-rest": "^1.9.0", @@ -49,7 +50,6 @@ "dotenv": "^16.0.3", "elevenlabs": "^0.5.0", "express": "^4.18.2", - "express-ws": "^5.0.2", "extract-json-from-string": "^1.0.1", "extract-zip": "^2.0.1", "graphql": "^16.7.1", @@ -101,4 +101,4 @@ "nodemon": "^2.0.22", "prettier": "^3.0.3" } -} \ No newline at end of file +} diff --git a/server/utils/agents/aibitat/example/websocket/websock-branding-collab.js b/server/utils/agents/aibitat/example/websocket/websock-branding-collab.js index 7229bd882..809aafd3c 100644 --- a/server/utils/agents/aibitat/example/websocket/websock-branding-collab.js +++ b/server/utils/agents/aibitat/example/websocket/websock-branding-collab.js @@ -13,7 +13,7 @@ const { const path = require("path"); const port = 3000; const app = express(); -require("express-ws")(app); +require("@mintplex-labs/express-ws").default(app); // load WebSockets in non-SSL mode. require("dotenv").config({ path: `../../../../../.env.development` }); // Debugging echo function if this is working for you. diff --git a/server/utils/agents/aibitat/example/websocket/websock-multi-turn-chat.js b/server/utils/agents/aibitat/example/websocket/websock-multi-turn-chat.js index 6277978cc..6c58709bb 100644 --- a/server/utils/agents/aibitat/example/websocket/websock-multi-turn-chat.js +++ b/server/utils/agents/aibitat/example/websocket/websock-multi-turn-chat.js @@ -13,7 +13,7 @@ const { const path = require("path"); const port = 3000; const app = express(); -require("express-ws")(app); +require("@mintplex-labs/express-ws").default(app); // load WebSockets in non-SSL mode. require("dotenv").config({ path: `../../../../../.env.development` }); // Debugging echo function if this is working for you. diff --git a/server/utils/boot/index.js b/server/utils/boot/index.js index 8a3dcbd25..979c8e137 100644 --- a/server/utils/boot/index.js +++ b/server/utils/boot/index.js @@ -4,6 +4,15 @@ const { EncryptionManager } = require("../EncryptionManager"); const { CommunicationKey } = require("../comKey"); const setupTelemetry = require("../telemetry"); +// Testing SSL? You can make a self signed certificate and point the ENVs to that location +// make a directory in server called 'sslcert' - cd into it +// - openssl genrsa -aes256 -passout pass:gsahdg -out server.pass.key 4096 +// - openssl rsa -passin pass:gsahdg -in server.pass.key -out server.key +// - rm server.pass.key +// - openssl req -new -key server.key -out server.csr +// Update .env keys with the correct values and boot. These are temporary and not real SSL certs - only use for local. +// Test with https://localhost:3001/api/ping +// build and copy frontend to server/public with correct API_BASE and start server in prod model and all should be ok function bootSSL(app, port = 3001) { try { console.log( @@ -26,7 +35,7 @@ function bootSSL(app, port = 3001) { }) .on("error", catchSigTerms); - require("express-ws")(app, server); // Apply same certificate + server for WSS connections + require("@mintplex-labs/express-ws").default(app, server); return { app, server }; } catch (e) { console.error( diff --git a/server/yarn.lock b/server/yarn.lock index 37477622f..3c5484d4b 100644 --- a/server/yarn.lock +++ b/server/yarn.lock @@ -704,6 +704,13 @@ p-wait-for "3" safe-timers "^1.1.0" +"@mintplex-labs/express-ws@^5.0.7": + version "5.0.7" + resolved "https://registry.yarnpkg.com/@mintplex-labs/express-ws/-/express-ws-5.0.7.tgz#ef22a849e2c21a8ab93bd68adbe52e278db4d858" + integrity sha512-cwAvW1aB+/nu8QvkCDnLzav9UOAAlRz042PYHh/bS7z4xpucKP2c002+ZbrW6+flA8qIwoBn3FrSjLCHj7Pi2w== + dependencies: + ws "^7.5.10" + "@nodelib/fs.scandir@2.1.5": version "2.1.5" resolved "https://registry.yarnpkg.com/@nodelib/fs.scandir/-/fs.scandir-2.1.5.tgz#7619c2eb21b25483f6d167548b4cfd5a7488c3d5" @@ -2895,13 +2902,6 @@ expr-eval@^2.0.2: resolved "https://registry.yarnpkg.com/expr-eval/-/expr-eval-2.0.2.tgz#fa6f044a7b0c93fde830954eb9c5b0f7fbc7e201" integrity sha512-4EMSHGOPSwAfBiibw3ndnP0AvjDWLsMvGOvWEZ2F96IGk0bIVdjQisOHxReSkE13mHcfbuCiXw+G4y0zv6N8Eg== -express-ws@^5.0.2: - version "5.0.2" - resolved "https://registry.yarnpkg.com/express-ws/-/express-ws-5.0.2.tgz#5b02d41b937d05199c6c266d7cc931c823bda8eb" - integrity sha512-0uvmuk61O9HXgLhGl3QhNSEtRsQevtmbL94/eILaliEADZBHZOQUAiHFrGPrgsjikohyrmSG5g+sCfASTt0lkQ== - dependencies: - ws "^7.4.6" - express@^4.18.2: version "4.19.2" resolved "https://registry.yarnpkg.com/express/-/express-4.19.2.tgz#e25437827a3aa7f2a827bc8171bbbb664a356465" @@ -6823,10 +6823,10 @@ wrappy@1: resolved "https://registry.yarnpkg.com/wrappy/-/wrappy-1.0.2.tgz#b5243d8f3ec1aa35f1364605bc0d1036e30ab69f" integrity sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ== -ws@^7.4.6: - version "7.5.9" - resolved "https://registry.yarnpkg.com/ws/-/ws-7.5.9.tgz#54fa7db29f4c7cec68b1ddd3a89de099942bb591" - integrity sha512-F+P9Jil7UiSKSkppIiD94dN07AwvFixvLIj1Og1Rl9GGMuNipJnV9JzjD6XuqmAeiswGvUmNLjr5cFuXwNS77Q== +ws@^7.5.10: + version "7.5.10" + resolved "https://registry.yarnpkg.com/ws/-/ws-7.5.10.tgz#58b5c20dc281633f6c19113f39b349bd8bd558d9" + integrity sha512-+dbF1tHwZpXcbOJdVOkzLDxZP1ailvSxM6ZweXTegylPny803bFhA+vqBYw4s31NSAk4S2Qz+AKXK9a4wkdjcQ== xtend@^4.0.0: version "4.0.2" From 113d7f1f9908788f93b4c75cc32c151dc9a01066 Mon Sep 17 00:00:00 2001 From: timothycarambat Date: Fri, 19 Jul 2024 17:44:51 -0700 Subject: [PATCH 3/3] temp disable ARM builds --- .github/workflows/build-and-push-image.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build-and-push-image.yaml b/.github/workflows/build-and-push-image.yaml index 95e8d187b..20a44fbb4 100644 --- a/.github/workflows/build-and-push-image.yaml +++ b/.github/workflows/build-and-push-image.yaml @@ -90,7 +90,8 @@ jobs: push: true sbom: true provenance: mode=max - platforms: linux/amd64,linux/arm64 + # platforms: linux/amd64,linux/arm64 + platforms: linux/amd64 tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} cache-from: type=gha