invocieplane: Add patches for CVE-2021-29024, CVE-2021-29023

pkgs/servers/web-apps/invoiceplane/default.nix

@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchurl, writeText, unzip, nixosTests }:
+{ lib, stdenv, fetchurl, writeText, unzip, nixosTests, fetchpatch }:
 
 stdenv.mkDerivation rec {
   pname = "invoiceplane";
@@ -9,6 +9,37 @@ stdenv.mkDerivation rec {
     sha256 = "137g0xps4kb3j7f5gz84ql18iggbya6d9dnrfp05g2qcbbp8kqad";
   };
 
+  patches = [
+
+    # Fix CVE-2021-29024, unauthenticated directory listing
+    # Should be included in a later release > 1.5.11
+    # https://github.com/NixOS/nixpkgs/issues/166655
+    # https://github.com/InvoicePlane/InvoicePlane/pull/754
+    (fetchpatch {
+      url = "https://patch-diff.githubusercontent.com/raw/InvoicePlane/InvoicePlane/pull/754.patch";
+      sha256 = "sha256-EHXw7Zqli/nA3tPIrhxpt8ueXvDtshz0XRzZT78sdQk=";
+    })
+
+    # Fix CVE-2021-29023, password reset rate-limiting
+    # Should be included in a later release > 1.5.11
+    # https://github.com/NixOS/nixpkgs/issues/166655
+    # https://github.com/InvoicePlane/InvoicePlane/pull/739
+    (fetchpatch {
+      url = "https://patch-diff.githubusercontent.com/raw/InvoicePlane/InvoicePlane/pull/739.patch";
+      sha256 = "sha256-6ksJjW6awr3lZsDRxa22pCcRGBVBYyV8+TbhOp6HBq0=";
+    })
+
+    # Fix CVE-2021-29022, full path disclosure
+    # Should be included in a later release > 1.5.11
+    # https://github.com/NixOS/nixpkgs/issues/166655
+    # https://github.com/InvoicePlane/InvoicePlane/pull/767
+    #(fetchpatch {
+    #  url = "https://patch-diff.githubusercontent.com/raw/InvoicePlane/InvoicePlane/pull/767.patch";
+    #  sha256 = "sha256-rSWDH8KeHSRWLyQEa7RSwv+8+ja9etTz+6Q9XThuwUo=";
+    #})
+
+  ];
+
   nativeBuildInputs = [ unzip ];
 
   sourceRoot = ".";