RHAIENG-1023: fix(rstudio): update the esbuild inside of rstudio's installation as it was done in the poc (#2513)

Author: jiridanek

rstudio/c9s-python-3.11/Dockerfile.cpu

@@ -78,6 +78,7 @@ RUN chmod -R a+w ${LIBLOC} && \
     chmod -R a+w ${R_LIBS_USER}
 
 WORKDIR /tmp/
+COPY /rstudio/utils /tmp/utils
 
 # Install RStudio
 ARG RSTUDIO_RPM=rstudio-server-rhel-2024.12.1-563-x86_64.rpm
@@ -92,7 +93,8 @@ RUN wget --progress=dot:giga https://download2.rstudio.org/server/rhel8/x86_64/$
     # install necessary texlive-framed package to make Knit R markup to PDF rendering possible
     dnf install -y libsodium-devel.x86_64 libgit2-devel.x86_64 libcurl-devel harfbuzz-devel.x86_64 fribidi-devel.x86_64 cmake "flexiblas-*" texlive-framed && \
     dnf clean all && \
-    rm -rf /var/cache/yum
+    rm -rf /var/cache/yum && \
+    (cd /tmp/utils && ./cve_remediation.sh)
 
 COPY ${RSTUDIO_SOURCE_CODE}/rsession.conf /etc/rstudio/rsession.conf
 

rstudio/c9s-python-3.11/Dockerfile.cuda

@@ -80,6 +80,7 @@ RUN chmod -R a+w ${LIBLOC} && \
     chmod -R a+w ${R_LIBS_USER}
 
 WORKDIR /tmp/
+COPY /rstudio/utils /tmp/utils
 
 # Install RStudio
 ARG RSTUDIO_RPM=rstudio-server-rhel-2024.12.1-563-x86_64.rpm
@@ -94,7 +95,8 @@ RUN wget --progress=dot:giga https://download2.rstudio.org/server/rhel8/x86_64/$
     # install necessary texlive-framed package to make Knit R markup to PDF rendering possible
     dnf install -y libsodium-devel.x86_64 libgit2-devel.x86_64 libcurl-devel harfbuzz-devel.x86_64 fribidi-devel.x86_64 cmake "flexiblas-*" texlive-framed && \
     dnf clean all && \
-    rm -rf /var/cache/yum
+    rm -rf /var/cache/yum && \
+    (cd /tmp/utils && ./cve_remediation.sh)
 
 COPY ${RSTUDIO_SOURCE_CODE}/rsession.conf /etc/rstudio/rsession.conf
 

rstudio/rhel9-python-3.11/Dockerfile.cpu

@@ -93,6 +93,7 @@ RUN chmod -R a+w ${LIBLOC} && \
     chmod -R a+w ${R_LIBS_USER}
 
 WORKDIR /tmp/
+COPY /rstudio/utils /tmp/utils
 
 # Install RStudio
 ARG RSTUDIO_RPM=rstudio-server-rhel-2024.12.1-563-x86_64.rpm
@@ -107,7 +108,8 @@ RUN wget --progress=dot:giga https://download2.rstudio.org/server/rhel9/x86_64/$
     # install necessary texlive-framed package to make Knit R markup to PDF rendering possible \
     dnf install -y libsodium-devel.x86_64 libgit2-devel.x86_64 libcurl-devel harfbuzz-devel.x86_64 fribidi-devel.x86_64 cmake "flexiblas-*" texlive-framed && \
     dnf clean all && \
-    rm -rf /var/cache/yum
+    rm -rf /var/cache/yum && \
+    (cd /tmp/utils && ./cve_remediation.sh)
 
 COPY ${RSTUDIO_SOURCE_CODE}/rsession.conf /etc/rstudio/rsession.conf
 

rstudio/rhel9-python-3.11/Dockerfile.cuda

@@ -223,6 +223,7 @@ RUN chmod -R a+w ${LIBLOC} && \
     chmod -R a+w ${R_LIBS_USER}
 
 WORKDIR /tmp/
+COPY /rstudio/utils /tmp/utils
 
 # Install RStudio
 ARG RSTUDIO_RPM=rstudio-server-rhel-2024.12.1-563-x86_64.rpm
@@ -237,7 +238,8 @@ RUN wget --progress=dot:giga https://download2.rstudio.org/server/rhel9/x86_64/$
     # install necessary texlive-framed package to make Knit R markup to PDF rendering possible \
     dnf install -y libsodium-devel.x86_64 libgit2-devel.x86_64 libcurl-devel harfbuzz-devel.x86_64 fribidi-devel.x86_64 cmake "flexiblas-*" texlive-framed && \
     dnf clean all && \
-    rm -rf /var/cache/yum
+    rm -rf /var/cache/yum && \
+    (cd /tmp/utils && ./cve_remediation.sh)
 
 COPY ${RSTUDIO_SOURCE_CODE}/rsession.conf /etc/rstudio/rsession.conf
 

rstudio/utils/README.md

@@ -0,0 +1,11 @@
+## package.json
+
+Used to manage the esbuild version that we inject into installed RStudio.
+
+```shell
+# install dependencies from a lock file
+npm ci
+
+# update the lock file
+npm install --package-lock-only
+```

rstudio/utils/cve_remediation.sh

@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+set -Eeuxo pipefail
+
+# CVE remediation
+# remediate CVEs introduced through older embedded version of esbuild
+rm "/usr/lib/rstudio-server/bin/quarto/bin/tools/$(uname -m)/esbuild"
+npm ci
+mv node_modules/esbuild/bin/esbuild "/usr/lib/rstudio-server/bin/quarto/bin/tools/$(uname -m)/"
+# clean up
+rm -r node_modules package.json package-lock.json
+npm cache clean --force