Commit Graph

2749 Commits

Author SHA1 Message Date
Asher 44c4722edf
Fix data directory path in Dockerfile 2019-12-10 12:06:52 -06:00
Asher e5fc63f2c8
Fix accessing manifest behind basic auth
Apparently the manifest spec doesn't include sending credentials in an
attempt to be secure by default.

Fixes #1212.
2019-12-09 11:25:59 -06:00
Asher 015a99e87d
Always install VS Code dependencies
This fixes the case where the script is killed before all the
dependencies were fully installed.
2019-12-09 10:55:24 -06:00
Simen Eriksen 884491d72b Update Dockerfile to fix EACCES issue on mount (#1191)
https://github.com/cdr/code-server/issues/1188 
Fixes issue with permissions mounting in directories in the container. Folders are generated by root causing issues when the container user "coder" wants to create sub-folders. This fix solves it, at least on Crostini (ChromeOS)
2019-12-05 13:38:03 -06:00
Asher e14362f322
Pass along Node options 2019-11-14 17:20:23 -06:00
Asher 917aa48072
Update enterprise link
Fixes #1172.
2019-11-14 11:16:08 -06:00
Asher 938c6ef829
Update fail2ban configuration
Fixes #1177.
2019-11-14 11:14:27 -06:00
Sandro 0add01d383 Delete apt lists from final image (#1174) 2019-11-14 11:12:21 -06:00
Asher 2018024810
Hash password
Fixes issues with unexpected characters breaking things when setting the
cookie (like semicolons).

This change as-is does not affect the security of code-server
itself (we've just replaced the static password with a static hash) but
if we were to add a salt in the future it would let us invalidate keys
by rehashing with a new salt which could be handy.
2019-11-07 15:57:57 -06:00
Asher a1d6bcb8e5
Handle cookies more robustly
If you visit /login/ instead of /login the cookie will be set at /login
instead of / which means the cookie can't be read at the root. It will
redirect to the login page which *can* read the cookie at /login and
redirect back resulting in an infinite loop.

The previous solution relied on setting the cookie at / (any invalid
value works) which then overrode the login page cookie since
parseCookies only kept a single value. So the login page would see the
same cookie the root was seeing and not redirect back. However, that
behavior depends on the cookies being in the right order which I'm not
sure is guaranteed.

This new method tests all available cookies and always sets the cookie
so the root path will be able to read it in case the login page is
seeing a cookie the root can't.

It also goes a step further and explicitly sets the path on the cookie
which fixes the case where there is a permanent misconfiguration
redirecting /login to /login/. Otherwise the cookie would continually be
set on /login only and you'd have another loop. It also means you only
need to delete one cookie to log out.

Lastly add some properties to make the cookies a bit more secure.
2019-11-07 13:36:18 -06:00
ecrode 727ac6483b Clear password when redirecting to login
Should prevent endless redirects when the cookie is set on a different path or domain (like with a dot prefix).
2019-11-07 11:38:10 -06:00
Asher 2c15c09fc0
Add missing telemetry option 2019-11-06 15:47:34 -06:00
Asher 2ad2582cc0
Minor readme updates and fixes 2019-11-05 13:49:18 -06:00
Asher cee0ac213c
Fix error activating extensions on insecure domains
Doesn't affect Firefox but it does affect other browsers.

Fixes #1136.
2019-11-04 17:10:00 -06:00
Asher 780a673017
Add meta tag to allow full screen app on iOS
Fixes #933.
2019-11-04 16:01:01 -06:00
Asher af71203955
Fix relaunching during an update 2019-11-01 10:51:23 -05:00
Asher fc3acfabb2
Fix update check 2019-10-30 17:35:50 -05:00
Asher 3d5db8313a
Add secure domain to requirements 2019-10-30 10:33:07 -05:00
Asher 73cf8f34e3
Fix outgoing scheme transformation
Accidentally used local instead of remote.

Fixes #1127.
2019-10-30 10:32:57 -05:00
dependabot[bot] 766efd6079 Bump mixin-deep from 1.3.1 to 1.3.2 (#1126)
Bumps [mixin-deep](https://github.com/jonschlinkert/mixin-deep) from 1.3.1 to 1.3.2.
- [Release notes](https://github.com/jonschlinkert/mixin-deep/releases)
- [Commits](https://github.com/jonschlinkert/mixin-deep/compare/1.3.1...1.3.2)

Signed-off-by: dependabot[bot] <support@github.com>
2019-10-29 15:20:12 -05:00
Asher 87485948ad
Kill inner process if parent process dies
Fixes #1076.
2019-10-29 14:43:27 -05:00
Asher 7e4a73ce2d
Fix schema matching against vscode-remote
Fixes #1104.
2019-10-29 11:42:28 -05:00
Asher 2f0878d9b7
Revert remote scheme change
It doesn't show in the explorer anymore so there's no point. Also remove
the local scheme transform which is no longer required with the latest
client-side extension implementation.
2019-10-29 11:26:50 -05:00
Marc-André Daigneault f65c9b23fc Add docker-compose file (#680) 2019-10-29 11:08:01 -05:00
Asher cd859d117f
Start pushing to latest Docker tag 2019-10-29 11:04:38 -05:00
Asher e22964915a
Support opening workspaces from command line
Partly addresses #1121.
2019-10-28 16:25:51 -05:00
Asher 197d0b6ca9
Strip internal env vars when spawning the shell
This should fix all those reports of code-server dropping straight to
Node and things like #1121.
2019-10-28 16:08:32 -05:00
Asher 422503ef98
Proxy child exit code when exiting parent process
This fixes code-server exiting with zero on errors.
2019-10-28 14:57:01 -05:00
Asher ea36345d2c
Allow fetching any resource
Fixes #1118.
2019-10-28 14:29:51 -05:00
Asher a89d83cbba
Fix other incorrect usages of `split` 2019-10-28 14:03:13 -05:00
Asher 83ff31b620
Fix passwords that contain `=`
Fixes #1119.

Apparently `split` does not work the way I'd expect.
2019-10-28 13:47:31 -05:00
Asher 3a9b032c72
Add heartbeat file (#1115)
Fixes #1050.
2019-10-28 09:59:34 -05:00
Asher f73e9225b4
Remove directory restrictions for /webview/vscode-resource
This makes viewing images work. Fixes #1111.
2019-10-25 15:52:39 -05:00
Asher 168ccb0dfc
Prevent cache changes when patch updates 2019-10-25 13:12:04 -05:00
Asher 58f7f5b769
Properly fix blank --cert flag
See #1109.
2019-10-25 12:04:43 -05:00
Asher b8e6369fbe
Fix empty --cert not generating self-signed certificate
Fixes #1101.
2019-10-25 11:01:42 -05:00
Asher d81d5f499f
Remove Cloud Run button
Unfortunately it doesn't allow websockets so it's not working.
2019-10-24 16:45:22 -05:00
Asher 4be178d234
Move Google Cloud button to match Digital Ocean 2019-10-24 16:09:02 -05:00
Ayane Satomi 9c40466b4b Add Google Cloud quick-launch button (#1069) 2019-10-24 16:07:44 -05:00
Asher 95693fb58e
Handle /webview/vscode-resource/file urls
See #1103.
2019-10-24 14:35:25 -05:00
Asher e7945bea94
Enable password authentication by default
Fixes #1062.
2019-10-24 12:35:26 -05:00
Asher 91f49e1efd
Set SHELL to /bin/bash in Docker
Fixes #1081, fixes #918.
2019-10-23 13:34:00 -05:00
Asher eea9c1618c
Move client-side extension code out of patch 2019-10-23 13:12:11 -05:00
Asher f1b38e4e48
Fix out-of-order readme section 2019-10-23 11:54:47 -05:00
Asher ff99a1d768
Add security section to readme
See #1062.
2019-10-23 11:49:17 -05:00
Asher 7f07b8f66c
Push Docker using Linux build
Instead of doing a separate redundant build. The main problem was that
the files weren't being cached. There is probably a better way of
solving this but this seems to be the simplest for now.
2019-10-22 18:43:21 -05:00
Asher faae03da6b
Add prerequisites for building 2019-10-22 17:49:43 -05:00
Asher a6e4f96737
Fix webview html being excluded
Also skip the workbench html since we have our own.
2019-10-22 16:09:27 -05:00
Asher cc7585bbc2
Port onigasm fix for PHP 2019-10-22 11:39:00 -05:00
Asher 14a0cd3ffd
Remove build files in source
They aren't used in subsequent files and just slow down CI since it has
to extract from the cache and then package the changes.
2019-10-22 11:26:46 -05:00