Merge pull request #1602 from topcoder-platform/develop

PROD Release - Work Manager Security Issues (5442)

Author: kkartunov

config/constants/development.js

@@ -51,7 +51,7 @@ module.exports = {
   // duration to show the prompt saying user will be logged out, before actually logging out the user
   IDLE_TIMEOUT_GRACE_MINUTES: 5,
   MULTI_ROUND_CHALLENGE_TEMPLATE_ID: 'd4201ca4-8437-4d63-9957-3f7708184b07',
-  UNIVERSAL_NAV_URL: '//uni-nav.topcoder-dev.com/v1/tc-universal-nav.js',
+  UNIVERSAL_NAV_URL: 'https://uni-nav.topcoder-dev.com/v1/tc-universal-nav.js',
   HEADER_AUTH_URLS_HREF: `https://accounts-auth0.${DOMAIN}?utm_source=community-app-main`,
   HEADER_AUTH_URLS_LOCATION: `https://accounts-auth0.${DOMAIN}?retUrl=%S&utm_source=community-app-main`,
   SKILLS_V5_API_URL: `${API_V5}/standardized-skills/skills/autocomplete`,

config/constants/production.js

@@ -48,7 +48,7 @@ module.exports = {
   IDLE_TIMEOUT_MINUTES: 10,
   IDLE_TIMEOUT_GRACE_MINUTES: 5,
   MULTI_ROUND_CHALLENGE_TEMPLATE_ID: 'd4201ca4-8437-4d63-9957-3f7708184b07',
-  UNIVERSAL_NAV_URL: '//uni-nav.topcoder.com/v1/tc-universal-nav.js',
+  UNIVERSAL_NAV_URL: 'https://uni-nav.topcoder.com/v1/tc-universal-nav.js',
   HEADER_AUTH_URLS_HREF: `https://accounts-auth0.${DOMAIN}?utm_source=community-app-main`,
   HEADER_AUTH_URLS_LOCATION: `https://accounts-auth0.${DOMAIN}?retUrl=%S&utm_source=community-app-main`,
   SKILLS_V5_API_URL: `${API_V5}/standardized-skills/skills/autocomplete`,

config/env.js

@@ -49,7 +49,7 @@ dotenvFiles.forEach(dotenvFile => {
 // Otherwise, we risk importing Node.js core modules into an app instead of Webpack shims.
 // https://github.com/facebook/create-react-app/issues/1023#issuecomment-265344421
 // We also resolve them to make sure all tools using them work consistently.
-const appDirectory = fs.realpathSync(process.cwd())
+const appDirectory = process.cwd()
 process.env.NODE_PATH = (process.env.NODE_PATH || '')
   .split(path.delimiter)
   .filter(folder => folder && !path.isAbsolute(folder))

config/paths.js

@@ -6,7 +6,7 @@ const url = require('url')
 
 // Make sure any symlinks in the project folder are resolved:
 // https://github.com/facebook/create-react-app/issues/637
-const appDirectory = fs.realpathSync(process.cwd())
+const appDirectory = process.cwd()
 const resolveApp = relativePath => path.resolve(appDirectory, relativePath)
 
 const envPublicUrl = process.env.PUBLIC_URL

config/webpack.config.js

@@ -27,9 +27,6 @@ const shouldUseSourceMap = process.env.GENERATE_SOURCEMAP !== 'false'
 // makes for a smoother build process.
 const shouldInlineRuntimeChunk = process.env.INLINE_RUNTIME_CHUNK !== 'false'
 
-// Check if TypeScript is setup
-const useTypeScript = fs.existsSync(paths.appTsConfig)
-
 // style files regexes
 const cssRegex = /\.css$/
 const cssModuleRegex = /\.module\.css$/
@@ -257,7 +254,7 @@ module.exports = function (webpackEnv) {
       // for React Native Web.
       extensions: paths.moduleFileExtensions
         .map(ext => `.${ext}`)
-        .filter(ext => useTypeScript || !ext.includes('ts')),
+        .filter(ext => !ext.includes('ts')),
       alias: {
         // Support React Native Web
         // https://www.smashingmagazine.com/2016/08/a-glimpse-into-the-future-with-react-native-for-web/

docker/Dockerfile

@@ -1,5 +1,6 @@
 # Use the base image with Node.js
 FROM node:12
+RUN useradd -m -s /bin/bash appuser
 ARG NODE_ENV
 ARG BABEL_ENV
 
@@ -18,6 +19,9 @@ COPY . /challenge-engine-ui
 # Set working directory for future use
 WORKDIR /challenge-engine-ui
 
+RUN chown -R appuser:appuser /challenge-engine-ui
+USER appuser
+
 # Install the dependencies from package.json
 RUN echo "NODE ENV in Docker: $NODE_ENV"
 RUN echo "BABEL ENV in Docker: $BABEL_ENV"

package.json

@@ -38,9 +38,9 @@
     "jwt-decode": "^2.2.0",
     "lodash": "^4.17.11",
     "mini-css-extract-plugin": "0.4.3",
-    "moment": "^2.24.0",
-    "moment-duration-format": "^2.2.2",
-    "moment-timezone": "^0.5.34",
+    "moment": "^2.29.4",
+    "moment-duration-format": "^2.3.2",
+    "moment-timezone": "^0.5.43",
     "node-sass": "^4.14.0",
     "normalize-text": "^2.4.1",
     "optimize-css-assets-webpack-plugin": "5.0.1",

scripts/build.js

@@ -28,7 +28,7 @@ const printBuildError = require('react-dev-utils/printBuildError')
 const measureFileSizesBeforeBuild =
   FileSizeReporter.measureFileSizesBeforeBuild
 const printFileSizesAfterBuild = FileSizeReporter.printFileSizesAfterBuild
-const useYarn = fs.existsSync(paths.yarnLockFile)
+const useYarn = false
 
 // These sizes are pretty large. We'll warn for bundles exceeding them.
 const WARN_AFTER_BUNDLE_GZIP_SIZE = 512 * 1024

scripts/start.js

@@ -32,7 +32,7 @@ const paths = require('../config/paths')
 const configFactory = require('../config/webpack.config')
 const createDevServerConfig = require('../config/webpackDevServer.config')
 
-const useYarn = fs.existsSync(paths.yarnLockFile)
+const useYarn = false
 const isInteractive = process.stdout.isTTY
 
 // Warn and crash if required files are missing

scripts/test.js

@@ -16,36 +16,16 @@ process.on('unhandledRejection', err => {
 require('../config/env')
 
 const jest = require('jest')
-const execSync = require('child_process').execSync
 let argv = process.argv.slice(2)
 
-function isInGitRepository () {
-  try {
-    execSync('git rev-parse --is-inside-work-tree', { stdio: 'ignore' })
-    return true
-  } catch (e) {
-    return false
-  }
-}
-
-function isInMercurialRepository () {
-  try {
-    execSync('hg --cwd . root', { stdio: 'ignore' })
-    return true
-  } catch (e) {
-    return false
-  }
-}
-
 // Watch unless on CI, in coverage mode, or explicitly running all tests
 if (
   !process.env.CI &&
   argv.indexOf('--coverage') === -1 &&
   argv.indexOf('--watchAll') === -1
 ) {
   // https://github.com/facebook/create-react-app/issues/5210
-  const hasSourceControl = isInGitRepository() || isInMercurialRepository()
-  argv.push(hasSourceControl ? '--watch' : '--watchAll')
+  argv.push('--watchAll')
 }
 
 jest.run(argv)