Update package versions and remove need for cloud-run-proxy

Implement a reverse authenticating proxy in node. Fixes multiple CVEs
GoogleCloudPlatform · Nov 24, 2023 · 8988aa4 · 8988aa4
1 parent 6b23b11
commit 8988aa4
Show file tree

Hide file tree

Showing 6 changed files with 425 additions and 2,984 deletions.
diff --git a/README.md b/README.md
@@ -33,6 +33,7 @@ Run and Eventarc.
 * 2023-06-20 v2.1.0 Resolve #46 where docker build failed, and #50 where pip3
     installs failed
 * 2023-11-22 v2.2.0 Add support for using environmental variables in the config.json file.
+* 2023-11-23 v2.3.0 Remove need for cloud-run-proxy, and update versions of packages. Fixes multiple CVEs.
 
 ## Upgrading from v1.x to v2.x
 

diff --git a/cloudrun-malware-scanner/Dockerfile b/cloudrun-malware-scanner/Dockerfile
@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM node:20
+FROM node:21
 WORKDIR /app
 COPY .  /app
 COPY config.json  /app
@@ -71,12 +71,6 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
     gcloud --version && \
     truncate -s 0 /var/log/apt/*.log /var/log/*.log
 
-# Get the cloud-run-proxy tool
-RUN CLOUD_RUN_PROXY_VERSION=0.3.0 && \
-    curl -s -L \
-        https://github.com/GoogleCloudPlatform/cloud-run-proxy/releases/download/v${CLOUD_RUN_PROXY_VERSION}/cloud-run-proxy_${CLOUD_RUN_PROXY_VERSION}_linux_amd64.tar.gz | \
-        tar -zxf - cloud-run-proxy
-
 # Get all required node.js dependencies
 RUN npm install --omit=dev
 

diff --git a/cloudrun-malware-scanner/bootstrap.sh b/cloudrun-malware-scanner/bootstrap.sh
@@ -47,18 +47,12 @@ apt-get -qqy install --no-install-recommends clamav-daemon clamav-freshclam
 export PATH="$PATH:$HOME/.local/bin" # add pipx locations to path.
 pipx install cvdupdate
 
-# Set up an authentication proxy server to point to GCS CVD Mirror bucket, and to
-# restart with a fresh token every 50 mins because access tokens expire after 1hr
-AUTH_SERVER_ADDRESS=127.0.0.1:8001
-while true ; do
-    Log INFO main "Restarting authentication proxy service"
-   ./cloud-run-proxy \
-       -host https://storage.googleapis.com/  \
-       -token  "$(gcloud auth print-access-token)" \
-       -bind "${AUTH_SERVER_ADDRESS}" \
-       -server-up-time 50m
-done &
-
+# The node server includes a reverse proxy which adds authentication
+# to requests to GCS REST API, allowing freshclam to access the GCS
+# CVD mirror as if it was an unauthenticated HTPP server
+#
+export PROXY_PORT=8888
+PROXY_SERVER_ADDRESS=127.0.0.1:${PROXY_PORT}
 
 # Ensure clamav services are shut down, as we do not have the config files set up yet.
 service clamav-daemon stop &
@@ -149,7 +143,7 @@ EOF
 updateClamConfigFile /etc/clamav/freshclam.conf << EOF
 # DatabaseMirror specifies to which mirror(s) freshclam should connect.
 # Set to the authentication proxy service which proxys to the GCS API.
-DatabaseMirror http://${AUTH_SERVER_ADDRESS}/${CVD_MIRROR_BUCKET}/cvds
+DatabaseMirror http://${PROXY_SERVER_ADDRESS}/${CVD_MIRROR_BUCKET}/cvds
 
 # Number of database checks per day.
 # Once per half hour, which is fine as we are using a local mirror.