Merge pull request #1542 from microsoft/260319-updates

Application defaults hardening

Author: jeffwilcox

.cspell.json

@@ -3,9 +3,10 @@
   "dictionaries": ["typescript", "softwareTerms"],
   "ignorePaths": [
     ".environment/**",
-    ".deploy/geneva/**",
     ".config/1espt/**",
     ".config/guardian/**",
+    ".deploy/geneva/**",
+    ".deploy/sitecontainers/**",
     ".npmrc*",
     ".cspell.json",
     ".git/",
@@ -374,6 +375,7 @@
     "hsts",
     "Hsts",
     "HSTS",
+    "httplogging",
     "hubber",
     "hubbers",
     "hubot",
@@ -395,6 +397,7 @@
     "insideadmin",
     "insideread",
     "insidewrite",
+    "installationid",
     "intelli",
     "internalcontent",
     "internalissuescreated",
@@ -484,6 +487,7 @@
     "managerunlink",
     "Markdownlint",
     "maxif",
+    "maxpingfailures",
     "MCAPS",
     "MEMBERTOMAINTAINER",
     "memex",
@@ -819,6 +823,7 @@
     "signoff",
     "signout",
     "signup",
+    "sitecontainer",
     "sitecontainers",
     "skus",
     "smartcard",
@@ -879,6 +884,7 @@
     "tolower",
     "Toolset",
     "toscalar",
+    "tostring",
     "totalcount",
     "touchedtime",
     "toupper",

.github/scripts/appsettings-apply-if-changed.sh

@@ -0,0 +1,104 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# @cspell: ignore argjson slurpfile endgroup
+
+APP_NAME=''
+RESOURCE_GROUP=''
+SLOT=''
+SETTINGS_FILE=''
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --name)
+      APP_NAME="$2"
+      shift 2
+      ;;
+    --resource-group)
+      RESOURCE_GROUP="$2"
+      shift 2
+      ;;
+    --slot)
+      SLOT="$2"
+      shift 2
+      ;;
+    --settings-file)
+      SETTINGS_FILE="$2"
+      shift 2
+      ;;
+    *)
+      echo "Unknown argument: $1"
+      exit 1
+      ;;
+  esac
+done
+
+if [[ -z "$APP_NAME" || -z "$RESOURCE_GROUP" || -z "$SETTINGS_FILE" ]]; then
+  echo 'Usage: appsettings-apply-if-changed.sh --name <app> --resource-group <rg> [--slot <slot>] --settings-file <json>'
+  exit 1
+fi
+
+if [[ ! -f "$SETTINGS_FILE" ]]; then
+  echo "::error::Settings file not found: $SETTINGS_FILE"
+  exit 1
+fi
+
+echo '::group::Diagnostics: desired settings'
+echo "Diagnostics: desired settings file path: $SETTINGS_FILE"
+echo 'Diagnostics: desired settings payload:'
+cat "$SETTINGS_FILE"
+echo '::endgroup::'
+
+SLOT_ARGS=()
+if [[ -n "$SLOT" ]]; then
+  SLOT_ARGS+=(--slot "$SLOT")
+fi
+
+CURRENT_SETTINGS=$(az webapp config appsettings list \
+  --name "$APP_NAME" \
+  --resource-group "$RESOURCE_GROUP" \
+  "${SLOT_ARGS[@]}" \
+  --output json)
+
+echo "::group::Diagnostics: current app settings for $APP_NAME${SLOT:+ slot $SLOT}"
+echo "Diagnostics: current app settings for $APP_NAME${SLOT:+ slot $SLOT}:"
+echo "$CURRENT_SETTINGS"
+echo '::endgroup::'
+
+CHANGED_SETTINGS_FILE=$(mktemp)
+
+jq -n \
+  --slurpfile desired "$SETTINGS_FILE" \
+  --argjson current "$CURRENT_SETTINGS" \
+  '
+  ($current
+    | map(select(type == "object"))
+    | map(select((.name | type) == "string" and (.name | length) > 0))
+    | map({key: .name, value: .value})
+    | from_entries) as $current_map
+  | ((($desired[0] // [])
+      | if type == "array" then . else [] end)
+      | map(select(type == "object"))
+      | map(select((.name | type) == "string" and (.name | length) > 0)))
+  | map(select(($current_map[.name] // "__MISSING__") != .value))
+  ' > "$CHANGED_SETTINGS_FILE"
+
+CHANGED_COUNT=$(jq 'length' "$CHANGED_SETTINGS_FILE")
+if [[ "$CHANGED_COUNT" -eq 0 ]]; then
+  echo "No app settings changes detected for $APP_NAME${SLOT:+ slot $SLOT}. Skipping apply."
+  rm -f "$CHANGED_SETTINGS_FILE"
+  exit 0
+fi
+
+echo "Applying $CHANGED_COUNT changed app setting(s) for $APP_NAME${SLOT:+ slot $SLOT}."
+echo "::group::Diagnostics: changed app settings for $APP_NAME${SLOT:+ slot $SLOT}"
+echo 'Diagnostics: changed settings payload:'
+cat "$CHANGED_SETTINGS_FILE"
+echo '::endgroup::'
+az webapp config appsettings set \
+  --name "$APP_NAME" \
+  --resource-group "$RESOURCE_GROUP" \
+  "${SLOT_ARGS[@]}" \
+  --settings @"$CHANGED_SETTINGS_FILE"
+
+rm -f "$CHANGED_SETTINGS_FILE"

.github/scripts/sitecontainer-apply-if-changed.sh

@@ -0,0 +1,82 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# @cspell: ignore argjson containername
+
+APP_NAME=''
+RESOURCE_GROUP=''
+SLOT=''
+CONTAINER_NAME=''
+IS_MAIN=''
+IMAGE=''
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --name)
+      APP_NAME="$2"
+      shift 2
+      ;;
+    --resource-group)
+      RESOURCE_GROUP="$2"
+      shift 2
+      ;;
+    --slot)
+      SLOT="$2"
+      shift 2
+      ;;
+    --container-name)
+      CONTAINER_NAME="$2"
+      shift 2
+      ;;
+    --is-main)
+      IS_MAIN="$2"
+      shift 2
+      ;;
+    --image)
+      IMAGE="$2"
+      shift 2
+      ;;
+    *)
+      echo "Unknown argument: $1"
+      exit 1
+      ;;
+  esac
+done
+
+if [[ -z "$APP_NAME" || -z "$RESOURCE_GROUP" || -z "$CONTAINER_NAME" || -z "$IS_MAIN" || -z "$IMAGE" ]]; then
+  echo 'Usage: sitecontainer-apply-if-changed.sh --name <app> --resource-group <rg> [--slot <slot>] --container-name <name> --is-main <true|false> --image <image>'
+  exit 1
+fi
+
+SLOT_ARGS=()
+if [[ -n "$SLOT" ]]; then
+  SLOT_ARGS+=(--slot "$SLOT")
+fi
+
+CURRENT_CONTAINERS=$(az webapp sitecontainers list \
+  --name "$APP_NAME" \
+  --resource-group "$RESOURCE_GROUP" \
+  "${SLOT_ARGS[@]}" \
+  --output json)
+
+CURRENT_IMAGE=$(jq -r \
+  --arg container_name "$CONTAINER_NAME" \
+  '
+  map(select((.name // .containerName // "") == $container_name))
+  | .[0]
+  | (.image // .properties.image // "")
+  ' <<< "$CURRENT_CONTAINERS")
+
+if [[ "$CURRENT_IMAGE" == "$IMAGE" ]]; then
+  echo "No sitecontainer image change for $APP_NAME/$CONTAINER_NAME${SLOT:+ slot $SLOT}. Skipping update."
+  exit 0
+fi
+
+echo "Updating sitecontainer image for $APP_NAME/$CONTAINER_NAME${SLOT:+ slot $SLOT}."
+az webapp sitecontainers update \
+  --name "$APP_NAME" \
+  --resource-group "$RESOURCE_GROUP" \
+  "${SLOT_ARGS[@]}" \
+  --container-name "$CONTAINER_NAME" \
+  --is-main "$IS_MAIN" \
+  --image "$IMAGE"

.ossdev/environment/index.js

@@ -29,6 +29,7 @@ module.exports = function retrieveEnvironment(name, type, options) {
     }
   }
   try {
+    // eslint-disable-next-line security/detect-non-literal-require
     const values = require(environmentPath);
     return values;
   } catch (requireError) {

.prettierignore

@@ -1,6 +1,10 @@
 # Ignore artifacts
 dist
 
+# Never modify npmrc files (Microsoft Azure Artifacts configuration)
+.npmrc
+.npmrc.arg
+
 # Ignore upstream files
 .github/dotcom-workflows/
 .deploy/geneva/

.vscode/settings.json

@@ -2,6 +2,7 @@
   "typescript.tsdk": "node_modules/typescript/lib",
   "chat.tools.terminal.autoApprove": {
     "npm install": true,
-    "npx tsc": true
+    "npx tsc": true,
+    "npx vitest": true
   }
 }

Dockerfile

@@ -3,11 +3,15 @@
 # Licensed under the MIT license. See LICENSE file in the project root for full license information.
 #
 
-ARG IMAGE_NAME=mcr.microsoft.com/azurelinux/base/nodejs:20
+ARG IMAGE_NAME=mcr.microsoft.com/azurelinux/base/core:3.0
 
-FROM $IMAGE_NAME AS build
+FROM $IMAGE_NAME AS node24-base
 
-RUN tdnf -y update --quiet
+RUN tdnf -y update --quiet && \
+    tdnf -y install --quiet ca-certificates nodejs24 nodejs24-npm && \
+    tdnf clean all --quiet
+
+FROM node24-base AS build
 
 WORKDIR /build
 
@@ -35,7 +39,7 @@ RUN --mount=type=secret,id=npmrc,target=/root/.npmrc npm ci
 RUN npm run build
 RUN rm -f .npmrc
 
-FROM $IMAGE_NAME AS run
+FROM node24-base AS run
 
 ENV IS_DOCKER=1 \
     NPM_CONFIG_LOGLEVEL=warn \

Dockerfile.open

@@ -5,11 +5,15 @@
 
 # This file simulates running the scripts to convert to open, locally.
 
-ARG IMAGE_NAME=mcr.microsoft.com/azurelinux/base/nodejs:20
+ARG IMAGE_NAME=mcr.microsoft.com/azurelinux/base/core:3.0
 
-FROM $IMAGE_NAME AS build
+FROM $IMAGE_NAME AS node24-base
 
-RUN tdnf -y update --quiet
+RUN tdnf -y update --quiet && \
+    tdnf -y install --quiet ca-certificates nodejs24 nodejs24-npm && \
+    tdnf clean all --quiet
+
+FROM node24-base AS build
 
 WORKDIR /build
 
@@ -50,7 +54,7 @@ WORKDIR /build/frontend
 RUN npm install
 RUN npm run build
 
-FROM $IMAGE_NAME AS run
+FROM node24-base AS run
 
 ENV IS_DOCKER=1 \
     NPM_CONFIG_LOGLEVEL=warn \

README.md

@@ -1,6 +1,6 @@
 # Open Source Management Portal
 
-**2025 note: this project does not entirely build today and is a partial reference implementation for example purposes only**
+> **Note:** 2025 note: this project does not entirely build today and is a partial reference implementation for example purposes only
 
 This application represents the home for open source engineering experiences
 at Microsoft. As a backend application it manages source of truth for many

api/client/banner.ts

@@ -6,8 +6,7 @@
 import { NextFunction, Response, Router } from 'express';
 import { ReposAppRequest } from '../../interfaces/index.js';
 
-import { jsonError } from '../../middleware/index.js';
-import { getProviders } from '../../lib/transitional.js';
+import { CreateError, getProviders } from '../../lib/transitional.js';
 
 const router: Router = Router();
 
@@ -23,7 +22,7 @@ router.get('/', (req: ReposAppRequest, res: Response, next: NextFunction) => {
 });
 
 router.use('/*splat', (req, res: Response, next: NextFunction) => {
-  return next(jsonError('no API or function available within this banner route', 404));
+  return next(CreateError.NotFound('no API or function available within this banner route'));
 });
 
 export default router;