Accepting request 1184231 from devel:languages:python

- Add CVE-2024-28397.patch upstream patch. (bsc#1226660, gh#PiotrDabkowski/Js2Py#323) - Run tests - Add patches: * remove-python-six.patch, to remove python-six dependency * python312.patch, to make it compatible with python312 OBS-URL: https://build.opensuse.org/request/show/1184231 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-Js2Py?expand=0&rev=10
2024-07-01 09:22:19 +00:00 · 2024-07-01 09:22:19 +00:00 · f1f204ff3d
commit f1f204ff3d
parent 6b2ca33df1 22dfe005c0
5 changed files with 1212 additions and 6 deletions
--- a/CVE-2024-28397.patch
+++ b/CVE-2024-28397.patch
@ -0,0 +1,13 @@
+Index: Js2Py-0.74/js2py/constructors/jsobject.py
+===================================================================
+--- Js2Py-0.74.orig/js2py/constructors/jsobject.py
+++ Js2Py-0.74/js2py/constructors/jsobject.py
+@@ -48,7 +48,7 @@ class ObjectMethods:
+             raise MakeError(
+                 'TypeError',
+                 'Object.getOwnPropertyDescriptor called on non-object')
+-        return obj.own.keys()
+        return list(obj.own.keys())
+ 
+     def create(obj):
+         if not (obj.is_object() or obj.is_null()):
--- a/python-Js2Py.changes
+++ b/python-Js2Py.changes
@ -1,3 +1,17 @@
+-------------------------------------------------------------------
+Mon Jul  1 08:39:07 UTC 2024 - Daniel Garcia <daniel.garcia@suse.com>
+
+- Add CVE-2024-28397.patch upstream patch.
+  (bsc#1226660, gh#PiotrDabkowski/Js2Py#323)
+
+-------------------------------------------------------------------
+Mon Jul  1 08:19:03 UTC 2024 - Daniel Garcia <daniel.garcia@suse.com>
+
+- Run tests
+- Add patches:
+  * remove-python-six.patch, to remove python-six dependency
+  * python312.patch, to make it compatible with python312
+
 -------------------------------------------------------------------
 Fri Apr 21 12:20:47 UTC 2023 - Dirk Müller <dmueller@suse.com>

--- a/python-Js2Py.spec
+++ b/python-Js2Py.spec
@ -1,7 +1,7 @@
 #
 # spec file for package python-Js2Py
 #
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -16,7 +16,6 @@
 #


-%{?!python_module:%define python_module() python-%{**} python3-%{**}}
 %{?sle15_python_module_pythons}
 Name:           python-Js2Py
 Version:        0.74
@ -27,11 +26,17 @@ Group:          Development/Languages/Python
 URL:            https://github.com/PiotrDabkowski/Js2Py
 Source:         https://files.pythonhosted.org/packages/source/J/Js2Py/Js2Py-%{version}.tar.gz
 Source1:        https://raw.githubusercontent.com/PiotrDabkowski/Js2Py/master/LICENSE.md
+# PATCH-FIX-OPENSUSE remove-python-six.patch
+Patch0:         remove-python-six.patch
+# PATCH-FIX-UPSTREAM python312.patch gh#PiotrDabkowski/Js2Py#327
+Patch1:         python312.patch
+# PATCH-FIX-UPSTREAM CVE-2024-28397.patch gh#PiotrDabkowski/Js2Py#323
+Patch2:         CVE-2024-28397.patch
+BuildRequires:  %{python_module pyjsparser}
 BuildRequires:  %{python_module setuptools}
 BuildRequires:  fdupes
 BuildRequires:  python-rpm-macros
 Requires:       python-pyjsparser
-Requires:       python-six
 Requires:       python-tzlocal
 BuildArch:      noarch
 %python_subpackages
@ -42,7 +47,7 @@ execute virtually any JavaScript code. Js2Py, basically an
 implementation of the JavaScript core, is written in pure Python.

 %prep
-%setup -q -n Js2Py-%{version}
+%autosetup -p1 -n Js2Py-%{version}
 cp %{SOURCE1} .

 %build
@ -52,11 +57,18 @@ cp %{SOURCE1} .
 %python_install
 %python_expand %fdupes %{buildroot}%{$python_sitelib}

-# no tests in pypi sdist and no tags in github repo (https://github.com/PiotrDabkowski/Js2Py/issues/100)
+%check
+pushd tests
+touch node_failed.txt
+%{python_expand #
+PYTHONPATH=%{buildroot}%{$python_sitelib} $python run.py
+}
+popd

 %files %{python_files}
 %doc README.md
 %license LICENSE.md
-%{python_sitelib}/*
+%{python_sitelib}/js2py
+%{python_sitelib}/Js2Py-%{version}*-info

 %changelog
--- a/python312.patch
+++ b/python312.patch
@ -0,0 +1,57 @@
+From fd7df4a91fb08060914c7b1d9e94583d18f3371b Mon Sep 17 00:00:00 2001
+From: Felix Yan <felixonmars@archlinux.org>
+Date: Wed, 17 Apr 2024 16:47:47 +0300
+Subject: [PATCH] Fix bytecode for Python 3.12
+
+`LOAD_ATTR` has been changed in Python 3.12 and it seems reusing the
+`LOAD_GLOBAL` logic makes the simple tests passing.
+
+I am not sure if this is correct since I'm pretty new to the code, but
+maybe it's still helpful.
+---
+ js2py/translators/translating_nodes.py | 2 +-
+ js2py/utils/injector.py                | 4 +++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+Index: Js2Py-0.74/js2py/translators/translating_nodes.py
+===================================================================
+--- Js2Py-0.74.orig/js2py/translators/translating_nodes.py
+++ Js2Py-0.74/js2py/translators/translating_nodes.py
+@@ -538,7 +538,7 @@ def TryStatement(type, block, handler, h
+     if handler:
+         identifier = handler['param']['name']
+         holder = 'PyJsHolder_%s_%d' % (to_hex(identifier),
+-                                       random.randrange(1e8))
+                                       random.randrange(six.integer_types[-1](1e8)))
+         identifier = repr(identifier)
+         result += 'except PyJsException as PyJsTempException:\n'
+         # fill in except ( catch ) block and remember to recover holder variable to its previous state
+Index: Js2Py-0.74/js2py/utils/injector.py
+===================================================================
+--- Js2Py-0.74.orig/js2py/utils/injector.py
+++ Js2Py-0.74/js2py/utils/injector.py
+@@ -13,6 +13,7 @@ chr = lambda x: x
+ # Opcode constants used for comparison and replacecment
+ LOAD_FAST = opcode.opmap['LOAD_FAST']
+ LOAD_GLOBAL = opcode.opmap['LOAD_GLOBAL']
+LOAD_ATTR = opcode.opmap['LOAD_ATTR']
+ STORE_FAST = opcode.opmap['STORE_FAST']
+ 
+ 
+@@ -88,6 +89,7 @@ def append_arguments(code_obj, new_local
+         (co_names.index(name), varnames.index(name)) for name in new_locals)
+ 
+     is_new_bytecode = sys.version_info >= (3, 11)
+    is_new_load_attr = sys.version_info >= (3, 12)
+     # Now we modify the actual bytecode
+     modified = []
+     drop_future_cache = False
+@@ -106,7 +108,7 @@ def append_arguments(code_obj, new_local
+         # it's one of the globals that we are replacing. Either way,
+         # update its arg using the appropriate dict.
+         drop_future_cache = False
+-        if inst.opcode == LOAD_GLOBAL:
+        if inst.opcode == LOAD_GLOBAL or (is_new_load_attr and inst.opcode == LOAD_ATTR):
+             idx = inst.arg
+             if is_new_bytecode:
+                 idx = idx // 2
--- a/remove-python-six.patch
+++ b/remove-python-six.patch