Docker image doesn't build due to lax version fixing

[noraj]

The app doesn't build from the docker file.

vulnerable-node-vulnerable_node-1  | > vulnerable-node-source@0.0.0 start /app
vulnerable-node-vulnerable_node-1  | > node ./bin/www
vulnerable-node-vulnerable_node-1  |
vulnerable-node-vulnerable_node-1  | Sat, 21 Jan 2023 12:16:02 GMT body-parser deprecated bodyParser: use individual json/urlencoded middlewares at app.js:38:9
vulnerable-node-vulnerable_node-1  | Sat, 21 Jan 2023 12:16:02 GMT body-parser deprecated undefined extended: provide extended option at node_modules/body-parser/index.js:105:29
vulnerable-node-vulnerable_node-1  | Sat, 21 Jan 2023 12:16:02 GMT express-session deprecated undefined resave option; provide resave option at app.js:43:9
vulnerable-node-vulnerable_node-1  | Sat, 21 Jan 2023 12:16:02 GMT express-session deprecated undefined saveUninitialized option; provide saveUninitialized option at app.js:43:9
vulnerable-node-vulnerable_node-1  | [2023-01-21 12:16:02.112] [INFO] vnode - Building database
vulnerable-node-vulnerable_node-1  | /app/node_modules/pg/lib/connection.js:426
vulnerable-node-vulnerable_node-1  |   throw new Error("Unknown authenticationOk message type" + util.inspect(msg));
vulnerable-node-vulnerable_node-1  |   ^
vulnerable-node-vulnerable_node-1  |
vulnerable-node-vulnerable_node-1  | Error: Unknown authenticationOk message type{ name: 'authenticationOk', length: 23 }
vulnerable-node-vulnerable_node-1  |     at Connection.parseR (/app/node_modules/pg/lib/connection.js:426:9)
vulnerable-node-vulnerable_node-1  |     at Connection.parseMessage (/app/node_modules/pg/lib/connection.js:345:17)
vulnerable-node-vulnerable_node-1  |     at Socket.<anonymous> (/app/node_modules/pg/lib/connection.js:105:22)
vulnerable-node-vulnerable_node-1  |     at emitOne (events.js:77:13)
vulnerable-node-vulnerable_node-1  |     at Socket.emit (events.js:169:7)
vulnerable-node-vulnerable_node-1  |     at readableAddChunk (_stream_readable.js:146:16)
vulnerable-node-vulnerable_node-1  |     at Socket.Readable.push (_stream_readable.js:110:10)
vulnerable-node-vulnerable_node-1  |     at TCP.onread (net.js:523:20)
vulnerable-node-postgres_db-1      | 2023-01-21 12:16:02.145 UTC [117] LOG:  could not receive data from client: Connection reset by peer
vulnerable-node-postgres_db-1      | 2023-01-21 12:16:02.145 UTC [116] LOG:  could not receive data from client: Connection reset by peer
vulnerable-node-vulnerable_node-1  |
vulnerable-node-vulnerable_node-1  | npm ERR! Linux 6.1.7-arch1-1
vulnerable-node-vulnerable_node-1  | npm ERR! argv "/usr/bin/nodejs" "/usr/bin/npm" "start"
vulnerable-node-vulnerable_node-1  | npm ERR! node v4.2.6
vulnerable-node-vulnerable_node-1  | npm ERR! npm  v3.5.2
vulnerable-node-vulnerable_node-1  | npm ERR! code ELIFECYCLE
vulnerable-node-vulnerable_node-1  | npm ERR! vulnerable-node-source@0.0.0 start: `node ./bin/www`
vulnerable-node-vulnerable_node-1  | npm ERR! Exit status 1
vulnerable-node-vulnerable_node-1  | npm ERR!
vulnerable-node-vulnerable_node-1  | npm ERR! Failed at the vulnerable-node-source@0.0.0 start script 'node ./bin/www'.
vulnerable-node-vulnerable_node-1  | npm ERR! Make sure you have the latest version of node.js and npm installed.
vulnerable-node-vulnerable_node-1  | npm ERR! If you do, this is most likely a problem with the vulnerable-node-source package,
vulnerable-node-vulnerable_node-1  | npm ERR! not with npm itself.
vulnerable-node-vulnerable_node-1  | npm ERR! Tell the author that this fails on your system:
vulnerable-node-vulnerable_node-1  | npm ERR!     node ./bin/www
vulnerable-node-vulnerable_node-1  | npm ERR! You can get information on how to open an issue for this project with:
vulnerable-node-vulnerable_node-1  | npm ERR!     npm bugs vulnerable-node-source
vulnerable-node-vulnerable_node-1  | npm ERR! Or if that isn't available, you can get their info via:
vulnerable-node-vulnerable_node-1  | npm ERR!     npm owner ls vulnerable-node-source
vulnerable-node-vulnerable_node-1  | npm ERR! There is likely additional logging output above.
vulnerable-node-vulnerable_node-1  |
vulnerable-node-vulnerable_node-1  | npm ERR! Please include the following file with any support request:
vulnerable-node-vulnerable_node-1  | npm ERR!     /app/npm-debug.log
vulnerable-node-vulnerable_node-1 exited with code 1

I guess it's because the dockerfile doesn't fix any version and that the app is not compatible with the current nodejs / npm provided by the image.

#FROM library/node:6
FROM ubuntu:xenial

MAINTAINER "Daniel Garcia aka (cr0hn)" <cr0hn@cr0hn.com>

ENV STAGE "DOCKER"

RUN apt-get update && apt-get -y upgrade && \
    apt-get install -y nodejs npm netcat

# Fix node links
RUN ln -s /usr/bin/nodejs /usr/bin/node

# Build app folders
RUN mkdir /app
WORKDIR /app

# Install depends
COPY package.json /app/
RUN npm install

# Bundle code
COPY . /app

RUN chmod +x /app/start.sh

EXPOSE 3000

CMD [ "/app/start.sh" ]
#CMD [ "npm", "start" ]

[noraj]

I tried with

FROM node:14.21.2-buster-slim

MAINTAINER "Daniel Garcia aka (cr0hn)" <cr0hn@cr0hn.com>

ENV STAGE "DOCKER"

RUN apt-get update && apt-get install -y netcat

# Build app folders
RUN mkdir /app
WORKDIR /app

# Install depends
COPY package.json /app/
RUN npm install

# Bundle code
COPY . /app

RUN chmod +x /app/start.sh

EXPOSE 3000

CMD [ "/app/start.sh" ]

and

FROM node:19.4.0-bullseye-slim

MAINTAINER "Daniel Garcia aka (cr0hn)" <cr0hn@cr0hn.com>

ENV STAGE "DOCKER"

RUN apt-get update && apt-get install -y netcat

# Build app folders
RUN mkdir /app
WORKDIR /app

# Install depends
COPY package.json /app/
RUN npm install

# Bundle code
COPY . /app

RUN chmod +x /app/start.sh

EXPOSE 3000

CMD [ "/app/start.sh" ]

but in both cases the app build but I have an issue when trying to log in:

vulnerable-node-vulnerable_node-1  | [2023-01-21 12:57:45.382] [INFO] vnode - Building database
vulnerable-node-vulnerable_node-1  | (node:18) [DEP0066] DeprecationWarning: OutgoingMessage.prototype._headers is deprecated
vulnerable-node-vulnerable_node-1  | (Use `node --trace-deprecation ...` to show where the warning was created)
vulnerable-node-vulnerable_node-1  | [2023-01-21 12:58:09.264] [ERROR] vnode - Tried to login attempt from user = admin

[noraj]

@cr0hn If you know the version you used when you tested it, could you provide a dockerfile with debian and node fixed versions?

[cr0hn]

I'm sorry, but I don't remember. A lot of time from this. Sorry.

[fellipgomes]

@noraj same problem here