diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000000..eaae149b41 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,17 @@ +# To get started with Dependabot version updates, you'll need to specify which +# package ecosystems to update and where the package manifests are located. +# Please see the documentation for all configuration options: +# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates + +version: 2 +updates: + - package-ecosystem: "npm" + directory: "/" + schedule: + interval: "weekly" + + # Maintain dependencies for GitHub Actions + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" diff --git a/.github/workflows/cf.yml b/.github/workflows/cf.yml index 00b920706f..8b8a5a00de 100644 --- a/.github/workflows/cf.yml +++ b/.github/workflows/cf.yml @@ -108,14 +108,15 @@ jobs: - name: 📚 Wrangler publish # github.com/cloudflare/wrangler-action - uses: cloudflare/wrangler-action@v3 + uses: cloudflare/wrangler-action@f84a562284fc78278ff9052435d9526f9c718361 # v3.7.0 with: apiToken: ${{ secrets.CF_API_TOKEN }} + accountId: ${{ secrets.CF_ACCOUNT_ID }} # input overrides env-defaults, regardless environment: ${{ env.WORKERS_ENV }} wranglerVersion: ${{ env.WRANGLER_VER }} env: - CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CF_ACCOUNT_ID }} + CLOUDFLARE_ACCOUNT_ID: ${{ secrets.NEXTDNS_CONF }} GIT_COMMIT_ID: ${{ env.COMMIT_SHA }} - name: 🎤 Notice diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000000..907e79138a --- /dev/null +++ b/.github/workflows/codeql.yml 
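Review bot: In the `env:` block of the Wrangler publish step, `CLOUDFLARE_ACCOUNT_ID` is now fed from `secrets.NEXTDNS_CONF` while the new `accountId` input takes `secrets.CF_ACCOUNT_ID`; the secret name points at a NextDNS configuration rather than a Cloudflare account id, so this looks like a mistaken substitution. Even if the input wins, as the inline comment claims, an unrelated secret is still exported into the wrangler process environment under a misleading name, which widens what the pinned action and the `WRANGLER_VER` it installs can read. Either drop the env line now that the input carries the id, or restore it: `CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CF_ACCOUNT_ID }}`. The SHA pin with the `# v3.7.0` comment is right; Dependabot (enabled for `github-actions` in the same change) will track it from that comment.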
@@ -0,0 +1,78 @@ +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. +# +name: "CodeQL" + +on: + push: + branches: ["main"] + pull_request: + # The branches below must be a subset of the branches above + branches: ["main"] + schedule: + - cron: "0 0 * * 1" + +permissions: + contents: read + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: ["javascript", "typescript"] + # CodeQL supports [ $supported-codeql-languages ] + # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support + + steps: + - name: Harden Runner + uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 + with: + egress-policy: audit + + - name: Checkout repository + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15 + with: + languages: ${{ matrix.language }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + + # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). 
+ # If this step fails, then you should remove it and run the build manually (see below) + - name: Autobuild + uses: github/codeql-action/autobuild@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15 + + # ℹī¸ Command-line programs to run using the OS shell. + # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + + # If the Autobuild fails above, remove it and uncomment the following three lines. + # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. + + # - run: | + # echo "Run, Build Application using script" + # ./location_of_script_within_repo/buildscript.sh + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15 + with: + category: "/language:${{matrix.language}}" diff --git a/.github/workflows/deno-deploy.yml b/.github/workflows/deno-deploy.yml index 91b26f6559..88b0cbd365 100644 --- a/.github/workflows/deno-deploy.yml +++ b/.github/workflows/deno-deploy.yml @@ -53,6 +53,9 @@ env: IN_FILE: 'src/server-deno.ts' OUT_FILE: 'rethinkdns.js' +permissions: + contents: read + jobs: deploy: name: đŸŒ¯ Deno Deploy @@ -63,6 +66,11 @@ jobs: # needed to clone repo contents: read steps: + - name: Harden Runner + uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 + with: + egress-policy: audit + - name: 🚚 Fetch code uses: actions/checkout@v4 with: diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 0000000000..1792f0181c --- /dev/null +++ b/.github/workflows/dependency-review.yml 
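Review bot: The matrix in the codeql workflow lists both `"javascript"` and `"typescript"`, but in the CodeQL action those are aliases for the single `javascript-typescript` extractor, so the job scans the same sources twice and uploads two result sets under different categories. Collapse it to `language: ["javascript-typescript"]`, which halves the scheduled and per-PR scan time with no loss of coverage. The `Autobuild` step is likewise a no-op for an interpreted language set and can be removed along with its commented build-script scaffold; if kept, note it in a comment so nobody later assumes a build is exercised here.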
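Review bot: In the second deno-deploy hunk, `actions/checkout@v4` stays a mutable tag while the newly inserted `harden-runner` step directly above it is pinned to a full SHA with a version comment, leaving the step that places repository contents on the runner as the one unpinned dependency in this job. Pin it the same way the new codeql and dependency-review workflows do: `uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7`. `egress-policy: audit` only records outbound hosts; once a few deploys have produced an audit log, switch to `block` with an `allowed-endpoints` list so an unexpected egress from a deploy job fails instead of being logged.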
@@ -0,0 +1,27 @@ +# Dependency Review Action +# +# This Action will scan dependency manifest files that change as part of a Pull Request, +# surfacing known-vulnerable versions of the packages declared or updated in the PR. +# Once installed, if the workflow run is marked as required, +# PRs introducing known-vulnerable packages will be blocked from merging. +# +# Source repository: https://github.com/actions/dependency-review-action +name: 'Dependency Review' +on: [pull_request] + +permissions: + contents: read + +jobs: + dependency-review: + runs-on: ubuntu-latest + steps: + - name: Harden Runner + uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 + with: + egress-policy: audit + + - name: 'Checkout Repository' + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - name: 'Dependency Review' + uses: actions/dependency-review-action@72eb03d02c7872a771aacd928f3123ac62ad6d3a # v4.3.3 diff --git a/.github/workflows/fly.yml b/.github/workflows/fly.yml index f1628bef29..c98c79144d 100644 --- a/.github/workflows/fly.yml +++ b/.github/workflows/fly.yml @@ -80,6 +80,11 @@ jobs: name: 🚀 Deploy app runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 + with: + egress-policy: audit + - name: 🚚 Checkout uses: actions/checkout@v4 with: @@ -146,7 +151,7 @@ jobs: # experimental: github.com/superfly/flyctl-actions/pull/20 - name: 🏗 Setup flyctl @ latest - uses: superfly/flyctl-actions/setup-flyctl@master + uses: superfly/flyctl-actions/setup-flyctl@fc53c09e1bc3be6f54706524e3b82c4f462f77be # master with: version: latest diff --git a/.github/workflows/ossar.yml b/.github/workflows/ossar.yml new file mode 100644 index 0000000000..a2d9541d22 --- /dev/null +++ b/.github/workflows/ossar.yml 
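Review bot: The `Dependency Review` step at the end of the hunk runs on the action's defaults, so the severity that fails a PR and the license policy are implicit, and nothing here makes the job a required check even though the header comment says blocking depends on that. Make the gate explicit, e.g. `with:` / `fail-on-severity: moderate`, and add the job to the branch-protection required checks; otherwise a PR that introduces a known-vulnerable package is only annotated. The `github:serverless-dns/...#vX` git dependencies in package.json are most likely outside the advisory matching this action performs, so they need a separate review path.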
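Review bot: Pinning `superfly/flyctl-actions/setup-flyctl` to a SHA in the second fly.yml hunk does not pin what runs, because the `version: latest` input directly below still makes the action download whatever flyctl release is current at run time; the supply-chain exposure moved from the action to the binary it fetches. Pin the tool as well, e.g. `version: "<known-good flyctl release>"`, and let Dependabot bump it. The SHA was also taken from `master` rather than a release tag, and the trailing `# master` comment instructs Dependabot to keep following the branch head, so each bump lands an unreviewed commit rather than a release. The deploy job continues outside the hunk, so token handling for the Fly API could not be checked here.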
@@ -0,0 +1,61 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow integrates a collection of open source static analysis tools +# with GitHub code scanning. For documentation, or to provide feedback, visit +# https://github.com/github/ossar-action +name: OSSAR + +on: + push: + branches: [ "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "main" ] + schedule: + - cron: '30 15 * * 6' + +permissions: + contents: read + +jobs: + OSSAR-Scan: + # OSSAR runs on windows-latest. + # ubuntu-latest and macos-latest support coming soon + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + runs-on: windows-latest + + steps: + - name: Harden Runner + uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 + with: + egress-policy: audit + + - name: Checkout repository + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + + # Ensure a compatible version of dotnet is installed. + # The [Microsoft Security Code Analysis CLI](https://aka.ms/mscadocs) is built with dotnet v3.1.201. + # A version greater than or equal to v3.1.201 of dotnet must be installed on the agent in order to run this action. + # GitHub hosted runners already have a compatible version of dotnet installed and this step may be skipped. 
+ # For self-hosted runners, ensure dotnet version 3.1.201 or later is installed by including this action: + # - name: Install .NET + # uses: actions/setup-dotnet@v2 + # with: + # dotnet-version: '3.1.x' + + # Run open source static analysis tools + - name: Run OSSAR + uses: github/ossar-action@786a16a90ba92b4ae6228fe7382fb16ef5c51000 # v1 + id: ossar + + # Upload results to the Security tab + - name: Upload OSSAR results + uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15 + with: + sarif_file: ${{ steps.ossar.outputs.sarifFile }} diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index d0e2eb4fcc..b326dd4fa1 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -26,11 +26,21 @@ env: GH_REF: "${{ github.ref }}" GH_SHA: ${{ github.sha }} +permissions: + contents: read + jobs: lint-fmt: + permissions: + contents: write # for Git to git push name: Lint & fmt runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 + with: + egress-policy: audit + - name: 🚚 Get latest code uses: actions/checkout@v4 with: diff --git a/.github/workflows/profiler.yml b/.github/workflows/profiler.yml index 447198d17d..595949a28c 100644 --- a/.github/workflows/profiler.yml +++ b/.github/workflows/profiler.yml @@ -47,12 +47,20 @@ env: MODE: 'p1' QDOH: 'q' +permissions: + contents: read + jobs: profiler1: name: 🕒 Fetch profiler runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 + with: + egress-policy: audit + - name: 🍌 Checkout uses: actions/checkout@v4 with: 
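Review bot: The `Harden Runner` step at the top of the OSSAR job runs on `windows-latest`, but as far as I know harden-runner's egress monitoring is implemented for Linux runners only and the step is effectively a no-op on Windows, so this job gets no egress auditing despite the step being present. Either drop the step here to avoid a false sense of coverage, or confirm against current step-security documentation that Windows is supported at v2.8.1 and say so in a comment, e.g. `# harden-runner on windows-latest: verified supported at v2.8.1`. The comments in the hunk tie OSSAR to a .NET 3.1-era toolchain; a note on how long this scanner is expected to remain maintained would help the next person deciding whether to keep it.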
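Review bot: The `lint-fmt` job in pr.yml is granted `contents: write` (`# for Git to git push`) in a workflow whose trigger is outside the hunk; if that trigger is `pull_request_target`, or any event that checks out contributor-controlled code, a write-scoped `GITHUB_TOKEN` combined with a fix-and-push lint step is a route to pushing attacker-influenced commits. Confirm the trigger is plain `pull_request` (fork PRs then get a read-only token regardless) and that the push only targets the PR head; otherwise split the push into a job that checks out the base ref. `actions/checkout@v4` here is also still tag-pinned while the new harden-runner step is SHA-pinned; pin it to match.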
@@ -84,7 +92,7 @@ jobs: # deno.com/blog/deploy-static-files#example-a-statically-generated-site - name: đŸĻ• Setup Deno @2.x if: env.JS_RUNTIME == 'deno' - uses: denoland/setup-deno@main + uses: denoland/setup-deno@5fae568d37c3b73449009674875529a984555dd1 # main with: deno-version: ${{ env.DENO_VER }} diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 36792dd644..17ae8225bf 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -31,6 +31,11 @@ jobs: # actions: read steps: + - name: Harden Runner + uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 + with: + egress-policy: audit + - name: "Checkout code" uses: actions/checkout@v4 with: @@ -59,7 +64,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0 + uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 with: name: SARIF file path: results.sarif @@ -67,6 +72,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4 + uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15 with: sarif_file: results.sarif diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 0000000000..723e338d33 --- /dev/null +++ b/.pre-commit-config.yaml 
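Review bot: `denoland/setup-deno@5fae568d…` in the profiler hunk is a SHA taken from `main` (per the trailing `# main` comment) rather than from a release tag, so there is no released version to audit the commit against, and Dependabot will keep rolling the pin forward to whatever `main` holds. Prefer the latest tagged release and its SHA, e.g. `uses: denoland/setup-deno@<sha-of-tag> # vX.Y.Z`, so each bump corresponds to a reviewable release. The step is guarded by `if: env.JS_RUNTIME == 'deno'` and reads `DENO_VER` from env defined outside the hunk, so the Deno version itself could not be checked here.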
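Review bot: In the first scorecard.yml hunk `actions/checkout@v4` remains tag-pinned while the upload steps below are now SHA-pinned; in the workflow that runs OpenSSF Scorecard this is self-defeating, since the Pinned-Dependencies check will flag exactly this line. Pin it: `uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7`. The `upload-artifact` move from v3 to v4 also changes semantics (v4 artifacts are immutable per name within a run); with the single `SARIF file` upload that is fine, but worth a one-line comment so a future second upload does not reuse the name.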
@@ -0,0 +1,18 @@ +repos: +- repo: https://github.com/gitleaks/gitleaks + rev: v8.16.3 + hooks: + - id: gitleaks +- repo: https://github.com/jumanjihouse/pre-commit-hooks + rev: 3.0.0 + hooks: + - id: shellcheck +- repo: https://github.com/pre-commit/mirrors-eslint + rev: v8.38.0 + hooks: + - id: eslint +- repo: https://github.com/pre-commit/pre-commit-hooks + rev: v4.4.0 + hooks: + - id: end-of-file-fixer + - id: trailing-whitespace diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000000..034e848032 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,21 @@ +# Security Policy + +## Supported Versions + +Use this section to tell people about which versions of your project are +currently being supported with security updates. + +| Version | Supported | +| ------- | ------------------ | +| 5.1.x | :white_check_mark: | +| 5.0.x | :x: | +| 4.0.x | :white_check_mark: | +| < 4.0 | :x: | + +## Reporting a Vulnerability + +Use this section to tell people how to report a vulnerability. + +Tell them where to go, how often they can expect to get an update on a +reported vulnerability, what to expect if the vulnerability is accepted or +declined, etc. diff --git a/package.json b/package.json index 71229e3d9b..12b6406162 100644 --- a/package.json +++ b/package.json 
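Review bot: The `mirrors-eslint` hook is pinned to `v8.38.0` while package.json in the same change raises the project's `eslint` devDependency to `^9.2.0`; the two majors default to different configuration formats (eslintrc vs flat config), so the pre-commit hook and the lint-staged `eslint --cache --fix` run will lint with different engines and probably different rule sets. Align it with the project, `rev: v9.2.0` or later, or drop the ESLint hook and rely on the lint-staged entry that package.json already configures. `gitleaks` at `v8.16.3` is well behind current releases and Dependabot does not manage `.pre-commit-config.yaml`, so add `pre-commit autoupdate` to the maintenance routine or this file will silently age.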
@@ -35,27 +35,25 @@ "@serverless-dns/lfu-cache": "github:serverless-dns/lfu-cache#v3.5.2", "@serverless-dns/trie": "github:serverless-dns/trie#v0.0.17", "httpx-server": "^2.0.0", - "node-polyfill-webpack-plugin": "^2.0.1", + "node-polyfill-webpack-plugin": "^4.0.0", "proxy-protocol-js": "^4.0.5" }, "optionalDependencies": { - "@fastly/js-compute": "^1.0.1" + "@fastly/js-compute": "^3.2.1" }, "devDependencies": { - "@types/node": "^16.11.7", + "@types/node": "^22.0.0", "buffer": "^6.0.3", - "clinic": "^11.1.0", - "eslint": "^8.5.0", + "clinic": "^13.0.0", + "eslint": "^9.2.0", "eslint-config-google": "^0.14.0", - "eslint-plugin-prettier": "^4.0.0", - "husky": "^7.0.4", - "lint-staged": "^12.1.4", - "node-loader": "^2.0.0", - "prettier": "2.5.1", - "webpack": "^5.92.1", - "webpack-cli": "^4.10.0", - "why-is-node-running": "^3.2.0", - "wrangler": "^3.0.0" + "eslint-plugin-prettier": "^5.0.0", + "husky": "^9.0.6", + "lint-staged": "^15.0.1", + "prettier": "3.3.3", + "webpack": "^5.65.0", + "webpack-cli": "^5.1.4", + "wrangler": "^3.5.1" }, "lint-staged": { "*.?(m|c)js": "eslint --cache --fix", diff --git a/src/core/node/blocklists.js b/src/core/node/blocklists.js index 3d28c3f251..acf56a15b4 100644 --- a/src/core/node/blocklists.js +++ b/src/core/node/blocklists.js @@ -67,6 +67,8 @@ function save(bw, timestamp, codec) { } // fmmap mmaps file at fp for random reads, returns a Buffer backed by the file. + + async function fmmap(fp) { const dynimports = envutil.hasDynamicImports(); const isNode = envutil.isNode(); diff --git a/wrangler.toml b/wrangler.toml index 767ebbd9c4..9d0e05f6d0 100644 --- a/wrangler.toml +++ b/wrangler.toml @@ -28,6 +28,7 @@ globs = ["**/*.js"] LOG_LEVEL = "debug" WORKER_ENV = "development" CLOUD_PLATFORM = "cloudflare" +CF_DNS_RESOLVER_URL = "https://mozilla.cloudflare-dns.com/dns-query" ################## #------PROD------#
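Review bot: The `webpack` floor is lowered from `^5.92.1` to `^5.65.0` in a hunk whose every other line raises a version; without the lockfile in this diff I cannot tell what resolves, but widening the accepted range backwards reopens 5.65–5.91 for fresh installs and looks unintended. Restore `"webpack": "^5.92.1"` or newer. `eslint` moves to `^9.2.0` while `eslint-config-google` stays at `^0.14.0`, an eslintrc-style shareable config; ESLint 9 defaults to flat config, so confirm the repo's ESLint config was migrated or set `ESLINT_USE_FLAT_CONFIG=false` in the lint scripts, otherwise the lint-staged hook will error rather than lint.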
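Review bot: `CF_DNS_RESOLVER_URL` is added to the development vars block with no comment on what consumes it or why the Mozilla-branded Cloudflare DoH endpoint was chosen; for a resolver the upstream is a trust decision, so document it, e.g. `# Upstream DoH endpoint the dev worker presumably forwards to; keep on an operator-trusted resolver`. The prod section starts right after the hunk, so whether prod sets the same variable (or the code supplies a default) cannot be seen here; if it does not, dev and prod will resolve through different upstreams, which is worth stating next to this line.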