Applied following patches,
From 5ff3a07d9add449021d806e45c4168203aa833ff Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Cruz?= <andremiguelcruz@msn.com>
Date: Wed, 6 Nov 2024 22:02:49 +0000
Subject: [PATCH] fix: disable regexp backtracking (#160)
---
lib/util/escape.js | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
From 640d391fde65388548601d95abedccc12943374f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Cruz?= <andre.cruz@uphold.com>
Date: Thu, 7 Nov 2024 12:50:38 +0000
Subject: [PATCH] fix: fix escaping bug introduced by backtracking
---
lib/util/escape.js | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
Index: node-v18.20.5/deps/npm/node_modules/cross-spawn/lib/util/escape.js
|
||
|
===================================================================
|
||
|
--- node-v18.20.5.orig/deps/npm/node_modules/cross-spawn/lib/util/escape.js
|
||
|
+++ node-v18.20.5/deps/npm/node_modules/cross-spawn/lib/util/escape.js
|
||
|
@@ -15,15 +15,17 @@ function escapeArgument(arg, doubleEscap
|
||
|
arg = `${arg}`;
|
||
|
|
||
|
// Algorithm below is based on https://qntm.org/cmd
|
||
|
+ // It's slightly altered to disable JS backtracking to avoid hanging on specially crafted input
|
||
|
+ // Please see https://github.com/moxystudio/node-cross-spawn/pull/160 for more information
|
||
|
|
||
|
// Sequence of backslashes followed by a double quote:
|
||
|
// double up all the backslashes and escape the double quote
|
||
|
- arg = arg.replace(/(\\*)"/g, '$1$1\\"');
|
||
|
+ arg = arg.replace(/(?=(\\+?)?)\1"/g, '$1$1\\"');
|
||
|
|
||
|
// Sequence of backslashes followed by the end of the string
|
||
|
// (which will become a double quote later):
|
||
|
// double up all the backslashes
|
||
|
- arg = arg.replace(/(\\*)$/, '$1$1');
|
||
|
+ arg = arg.replace(/(?=(\\+?)?)\1$/, '$1$1');
|
||
|
|
||
|
// All other backslashes occur literally
|
||
|
|