nodejs10/CVE-2022-21824.patch

commit be69403528da99bf3df9e1dc47186f18ba59cb5e
Author: Tobias Nießen <tniessen@tnie.de>
Date:   Tue Dec 21 18:03:15 2021 +0000

    console: fix prototype pollution via console.table
    
    CVE-ID: CVE-2022-21824
    Backport-PR-URL: https://github.com/nodejs-private/node-private/pull/308
    PR-URL: https://github.com/nodejs-private/node-private/pull/307
    Refs: https://hackerone.com/reports/1431042
    Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
    Reviewed-By: Rich Trott <rtrott@gmail.com>
    Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
    Reviewed-By: Michaël Zasso <targos@protonmail.com>
    Reviewed-By: Richard Lau <rlau@redhat.com>
    Reviewed-By: Michael Dawson <midawson@redhat.com>
    Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Colin Ihrig <cjihrig@gmail.com>

Index: node-v10.24.1/test/parallel/test-console-table.js
===================================================================
--- node-v10.24.1.orig/test/parallel/test-console-table.js
+++ node-v10.24.1/test/parallel/test-console-table.js
@@ -244,3 +244,18 @@ test([{ a: 1, b: 'Y' }, { a: 'Z', b: 2 }
 │    1    │ 'Z' │  2  │
 └─────────┴─────┴─────┘
 `);
+
+// Regression test for prototype pollution via console.table. Earlier versions
+// of Node.js created an object with a non-null prototype within console.table
+// and then wrote to object[column][index], which lead to an error as well as
+// modifications to Object.prototype.
+test([{ foo: 10 }, { foo: 20 }], ['__proto__'], `
+┌─────────┬───────────┐
+│ (index) │ __proto__ │
+├─────────┼───────────┤
+│    0    │           │
+│    1    │           │
+└─────────┴───────────┘
+`);
+assert.strictEqual('0' in Object.prototype, false);
+assert.strictEqual('1' in Object.prototype, false);
Index: node-v10.24.1/lib/console.js
===================================================================
--- node-v10.24.1.orig/lib/console.js
+++ node-v10.24.1/lib/console.js
@@ -425,7 +425,7 @@ Console.prototype.table = function(tabul
     ]);
   }
 
-  const map = {};
+  const map = Object.create(null);
   let hasPrimitives = false;
   const valuesKeyArray = [];
   const indexKeyArray = ObjectKeys(tabularData);
- CVE-2022-21824.patch: fix prototype pollution via console.table OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs10?expand=0&rev=172 2022-02-15 12:05:47 +00:00			`commit be69403528da99bf3df9e1dc47186f18ba59cb5e`
			`Author: Tobias Nießen <tniessen@tnie.de>`
			`Date: Tue Dec 21 18:03:15 2021 +0000`

			`console: fix prototype pollution via console.table`

			`CVE-ID: CVE-2022-21824`
			`Backport-PR-URL: https://github.com/nodejs-private/node-private/pull/308`
			`PR-URL: https://github.com/nodejs-private/node-private/pull/307`
			`Refs: https://hackerone.com/reports/1431042`
			`Reviewed-By: Matteo Collina <matteo.collina@gmail.com>`
			`Reviewed-By: Rich Trott <rtrott@gmail.com>`
			`Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>`
			`Reviewed-By: Michaël Zasso <targos@protonmail.com>`
			`Reviewed-By: Richard Lau <rlau@redhat.com>`
			`Reviewed-By: Michael Dawson <midawson@redhat.com>`
			`Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>`
			`Reviewed-By: James M Snell <jasnell@gmail.com>`
			`Reviewed-By: Colin Ihrig <cjihrig@gmail.com>`

			`Index: node-v10.24.1/test/parallel/test-console-table.js`
			`===================================================================`
			`--- node-v10.24.1.orig/test/parallel/test-console-table.js`
			`+++ node-v10.24.1/test/parallel/test-console-table.js`
			`@@ -244,3 +244,18 @@ test([{ a: 1, b: 'Y' }, { a: 'Z', b: 2 }`
			`│ 1 │ 'Z' │ 2 │`
			`└─────────┴─────┴─────┘`
			`);
			`+`
			`+// Regression test for prototype pollution via console.table. Earlier versions`
			`+// of Node.js created an object with a non-null prototype within console.table`
			`+// and then wrote to object[column][index], which lead to an error as well as`
			`+// modifications to Object.prototype.`
			+test([{ foo: 10 }, { foo: 20 }], ['__proto__'], `
			`+┌─────────┬───────────┐`
			`+│ (index) │ __proto__ │`
			`+├─────────┼───────────┤`
			`+│ 0 │ │`
			`+│ 1 │ │`
			`+└─────────┴───────────┘`
			+`);
			`+assert.strictEqual('0' in Object.prototype, false);`
			`+assert.strictEqual('1' in Object.prototype, false);`
			`Index: node-v10.24.1/lib/console.js`
			`===================================================================`
			`--- node-v10.24.1.orig/lib/console.js`
			`+++ node-v10.24.1/lib/console.js`
			`@@ -425,7 +425,7 @@ Console.prototype.table = function(tabul`
			`]);`
			`}`

			`- const map = {};`
			`+ const map = Object.create(null);`
			`let hasPrimitives = false;`
			`const valuesKeyArray = [];`
			`const indexKeyArray = ObjectKeys(tabularData);`