Adam Majer
f4459ed4e2
(bsc#1198247, CVE-2021-44906) - CVE-2021-44907.patch: fix insuficient sanitation in npm dependency (bsc#1197283, CVE-2021-44907) - CVE-2022-0235.patch: fix passing of cookie data and sensitive headers to different hostnames in node-fetch-npm (bsc#1194819, CVE-2022-0235) OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs12?expand=0&rev=141
82 lines
3.3 KiB
Diff
82 lines
3.3 KiB
Diff
Index: node-v8.17.0/deps/npm/node_modules/minimist/index.js
|
|
===================================================================
|
|
--- node-v8.17.0.orig/deps/npm/node_modules/minimist/index.js
|
|
+++ node-v8.17.0/deps/npm/node_modules/minimist/index.js
|
|
@@ -70,7 +70,7 @@ module.exports = function (args, opts) {
|
|
var o = obj;
|
|
for (var i = 0; i < keys.length-1; i++) {
|
|
var key = keys[i];
|
|
- if (key === '__proto__') return;
|
|
+ if (isConstructorOrProto(o, key)) return;
|
|
if (o[key] === undefined) o[key] = {};
|
|
if (o[key] === Object.prototype || o[key] === Number.prototype
|
|
|| o[key] === String.prototype) o[key] = {};
|
|
@@ -79,7 +79,7 @@ module.exports = function (args, opts) {
|
|
}
|
|
|
|
var key = keys[keys.length - 1];
|
|
- if (key === '__proto__') return;
|
|
+ if (isConstructorOrProto(o, key)) return;
|
|
if (o === Object.prototype || o === Number.prototype
|
|
|| o === String.prototype) o = {};
|
|
if (o === Array.prototype) o = [];
|
|
@@ -243,3 +243,7 @@ function isNumber (x) {
|
|
return /^[-+]?(?:\d+(?:\.\d*)?|\.\d+)(e[-+]?\d+)?$/.test(x);
|
|
}
|
|
|
|
+
|
|
+function isConstructorOrProto (obj, key) {
|
|
+ return key === 'constructor' && typeof obj[key] === 'function' || key === '__proto__';
|
|
+}
|
|
Index: node-v8.17.0/deps/npm/node_modules/minimist/package.json
|
|
===================================================================
|
|
--- node-v8.17.0.orig/deps/npm/node_modules/minimist/package.json
|
|
+++ node-v8.17.0/deps/npm/node_modules/minimist/package.json
|
|
@@ -69,5 +69,5 @@
|
|
"opera/12"
|
|
]
|
|
},
|
|
- "version": "1.2.5"
|
|
+ "version": "1.2.6"
|
|
}
|
|
Index: node-v8.17.0/deps/npm/node_modules/minimist/readme.markdown
|
|
===================================================================
|
|
--- node-v8.17.0.orig/deps/npm/node_modules/minimist/readme.markdown
|
|
+++ node-v8.17.0/deps/npm/node_modules/minimist/readme.markdown
|
|
@@ -34,7 +34,10 @@ $ node example/parse.js -x 3 -y 4 -n5 -a
|
|
Previous versions had a prototype pollution bug that could cause privilege
|
|
escalation in some circumstances when handling untrusted user input.
|
|
|
|
-Please use version 1.2.3 or later: https://snyk.io/vuln/SNYK-JS-MINIMIST-559764
|
|
+Please use version 1.2.6 or later:
|
|
+
|
|
+* https://security.snyk.io/vuln/SNYK-JS-MINIMIST-2429795 (version <=1.2.5)
|
|
+* https://snyk.io/vuln/SNYK-JS-MINIMIST-559764 (version <=1.2.3)
|
|
|
|
# methods
|
|
|
|
Index: node-v8.17.0/deps/npm/node_modules/minimist/test/proto.js
|
|
===================================================================
|
|
--- node-v8.17.0.orig/deps/npm/node_modules/minimist/test/proto.js
|
|
+++ node-v8.17.0/deps/npm/node_modules/minimist/test/proto.js
|
|
@@ -42,3 +42,19 @@ test('proto pollution (constructor)', fu
|
|
t.equal(argv.y, undefined);
|
|
t.end();
|
|
});
|
|
+
|
|
+test('proto pollution (constructor function)', function (t) {
|
|
+ var argv = parse(['--_.concat.constructor.prototype.y', '123']);
|
|
+ function fnToBeTested() {}
|
|
+ t.equal(fnToBeTested.y, undefined);
|
|
+ t.equal(argv.y, undefined);
|
|
+ t.end();
|
|
+});
|
|
+
|
|
+// powered by snyk - https://github.com/backstage/backstage/issues/10343
|
|
+test('proto pollution (constructor function) snyk', function (t) {
|
|
+ var argv = parse('--_.constructor.constructor.prototype.foo bar'.split(' '));
|
|
+ t.equal((function(){}).foo, undefined);
|
|
+ t.equal(argv.y, undefined);
|
|
+ t.end();
|
|
+})
|