From 4399c7df64ad6f0437e6a681a092f4d799772fc9 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Fri, 5 Nov 2021 12:04:10 -0700
Subject: [PATCH 1/4] fix(deps): update dependency rotating-file-stream to v3 (#4451)
Co-authored-by: Renovate Bot
---
 package.json | 2 +-
 yarn.lock | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/package.json b/package.json
index 7babaa8e267e..dd7796df68d1 100644
--- a/package.json
+++ b/package.json
@@ -94,7 +94,7 @@
 "proxy-agent": "^5.0.0",
 "proxy-from-env": "^1.1.0",
 "qs": "6.10.1",
- "rotating-file-stream": "^2.1.1",
+ "rotating-file-stream": "^3.0.0",
 "safe-buffer": "^5.1.1",
 "safe-compare": "^1.1.4",
 "semver": "^7.1.3",
diff --git a/yarn.lock b/yarn.lock
index 3015bb9aa867..a87c70124bce 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -3701,10 +3701,10 @@ rimraf@^3.0.2:
 dependencies:
 glob "^7.1.3"
 
-rotating-file-stream@^2.1.1:
- version "2.1.5"
- resolved "https://registry.yarnpkg.com/rotating-file-stream/-/rotating-file-stream-2.1.5.tgz#6490d0a09e11dd4d441aa5d4d3676debed4a44e4"
- integrity sha512-wnYazkT8oD5HXTj44WhB030aKo74OyICrPz/QKCUah59QD7Np4OhdoTC0WNZfhMx1ClsZp4lYMlAdof+DIkZ1Q==
+rotating-file-stream@^3.0.0:
+ version "3.0.0"
+ resolved "https://registry.yarnpkg.com/rotating-file-stream/-/rotating-file-stream-3.0.0.tgz#5193da921808dc98e1e60595fb2f32d33d622884"
+ integrity sha512-qKk1AAjrKxFYIqRU/GBSzwMLM7wqHYxztKXk7h55728n5EU2sKlPNlcXjqfbK11TiOUZChbtAHDCDIGCE6cg5g==
 
 router@2.0.0-alpha.1:
 version "2.0.0-alpha.1"
From 94b2774f8c9fb120c19232d2739616e447f9b89d Mon Sep 17 00:00:00 2001
From: Matthew Beckett
Date: Fri, 5 Nov 2021 19:04:52 +0000
Subject: [PATCH 2/4] Drop duplicate Helm values from values.yaml (#4450)
* Drop duplicate Helm values from values.yaml
* Use frozen lockfile for test dependencies in CI (#4442)
* Use frozen lockfile for test dependencies in CI
This might be causing more Playwright issues.
* Bump Playwright
Mostly just to trigger a reinstall of dependencies since it is cached and still failing. Once updated it errors saying install needs to run so add that too.
* Drop duplicate Helm values from values.yaml
Co-authored-by: Asher
---
 ci/helm-chart/values.yaml | 12 ------------
 1 file changed, 12 deletions(-)
diff --git a/ci/helm-chart/values.yaml b/ci/helm-chart/values.yaml
index 36a0457ec25f..d893389a3816 100644
--- a/ci/helm-chart/values.yaml
+++ b/ci/helm-chart/values.yaml
@@ -28,14 +28,6 @@ podAnnotations: {}
 podSecurityContext: {}
 # fsGroup: 2000
 
-securityContext: {}
- # capabilities:
- # drop:
- # - ALL
- # readOnlyRootFilesystem: true
- # runAsNonRoot: true
- # runAsUser: 1000
-
 service:
 type: ClusterIP
 port: 8080
@@ -127,10 +119,6 @@ persistence:
 # existingClaim: ""
 # hostPath: /data
 
-serviceAccount:
- create: true
- name:
-
 ## Enable an Specify container in extraContainers.
 ## This is meant to allow adding code-server dependencies, like docker-dind.
 extraContainers: |
From 605c3c63670c4f9ba94064e04a642a344f149a66 Mon Sep 17 00:00:00 2001
From: LG <76845820+im-coder-lg@users.noreply.github.com>
Date: Tue, 9 Nov 2021 23:00:27 +0530
Subject: [PATCH 3/4] Add a gist of the difference between code-server and Coder (#4419)
* Add a gist of the difference
* Update the gist
* Update README.md
As told by @tmikaeld here: https://github.com/cdr/code-server/discussions/3102#discussioncomment-1565789
* Update docs/README.md
Co-authored-by: Joe Previte
* `yarn fmt` results
Co-authored-by: Joe Previte
Co-authored-by: Asher
---
 docs/README.md | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/docs/README.md b/docs/README.md
index da68fcc5b320..58e00397e9d1 100644
--- a/docs/README.md
+++ b/docs/README.md
@@ -14,6 +14,9 @@ access it in the browser.
 - Preserve battery life when you're on the go; all intensive tasks run on your
 server
 
+| 🔔 code-server is a free browser-based IDE while [Coder](https://coder.com/), is our enterprise developer workspace platform. For more information, visit [Coder.com](https://coder.com/docs/comparison)
+| ---
+
 ## Requirements
 
 See [requirements](requirements.md) for minimum specs, as well as instructions
From 31d5823d1071dc1481c4524157265157c7f292b2 Mon Sep 17 00:00:00 2001
From: Mauricio Garavaglia
Date: Tue, 9 Nov 2021 18:39:54 -0300
Subject: [PATCH 4/4] Escape HTML from messages in error page (#4430)
Co-authored-by: Asher
Co-authored-by: Joe Previte
---
 src/node/routes/errors.ts | 4 ++--
 test/unit/node/routes/errors.test.ts | 35 ++++++++++++++++++++++++++++
 2 files changed, 37 insertions(+), 2 deletions(-)
create mode 100644 test/unit/node/routes/errors.test.ts
diff --git a/src/node/routes/errors.ts b/src/node/routes/errors.ts
index 757e9f7449d5..66f424ac2711 100644
--- a/src/node/routes/errors.ts
+++ b/src/node/routes/errors.ts
@@ -6,7 +6,7 @@ import { WebsocketRequest } from "../../../typings/pluginapi"
 import { HttpCode } from "../../common/http"
 import { rootPath } from "../constants"
 import { replaceTemplates } from "../http"
-import { getMediaMime } from "../util"
+import { escapeHtml, getMediaMime } from "../util"
 
 const notFoundCodes = ["ENOENT", "EISDIR", "FileNotFound"]
 export const errorHandler: express.ErrorRequestHandler = async (err, req, res, next) => {
@@ -29,7 +29,7 @@ export const errorHandler: express.ErrorRequestHandler = async (err, req, res, n
 replaceTemplates(req, content)
 .replace(/{{ERROR_TITLE}}/g, status)
 .replace(/{{ERROR_HEADER}}/g, status)
- .replace(/{{ERROR_BODY}}/g, err.message),
+ .replace(/{{ERROR_BODY}}/g, escapeHtml(err.message)),
 )
 } else {
 res.json({
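Review bot: The new `escapeHtml(err.message)` on the `{{ERROR_BODY}}` line is still handed to `String.prototype.replace` as a string replacement, and a string replacement interprets the special patterns $&, $`, $' and $$, so a message containing any of them is rewritten with pieces of the surrounding template instead of being rendered literally; the HTML escaping does not cover those characters. Passing a replacer function avoids the interpretation: `.replace(/{{ERROR_BODY}}/g, () => escapeHtml(err.message)),`. The `{{ERROR_TITLE}}` and `{{ERROR_HEADER}}` lines above interpolate `status` unescaped; it is assigned outside this hunk, so if it can hold anything other than a numeric code it should go through `escapeHtml` too. `errorHandler` starts and ends outside the hunk.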
diff --git a/test/unit/node/routes/errors.test.ts b/test/unit/node/routes/errors.test.ts
new file mode 100644
index 000000000000..ffa8f479111c
--- /dev/null
+++ b/test/unit/node/routes/errors.test.ts
@@ -0,0 +1,35 @@
+import express from "express"
+import { errorHandler } from "../../../../src/node/routes/errors"
+
+describe("error page is rendered for text/html requests", () => {
+ it("escapes any html in the error messages", async () => {
+ const next = jest.fn()
+ const err = {
+ code: "ENOENT",
+ statusCode: 404,
+ message: ";>hello",
+ }
+ const req = createRequest()
+ const res = {
+ status: jest.fn().mockReturnValue(this),
+ send: jest.fn().mockReturnValue(this),
+ set: jest.fn().mockReturnValue(this),
+ } as unknown as express.Response
+
+ await errorHandler(err, req, res, next)
+ expect(res.status).toHaveBeenCalledWith(404)
+ expect(res.send).toHaveBeenCalledWith(expect.not.stringContaining("