!5 [sync] PR-4: fix CVE-2022-21680

From: @openeuler-sync-bot Reviewed-by: @dou33 Signed-off-by: @dou33
2022-09-02 08:01:18 +00:00 · 2022-09-02 08:01:18 +00:00 · 54307071e1
commit 54307071e1
parent dd292e5422 32978708f1
2 changed files with 70 additions and 1 deletions
--- a/0001-CVE-2022-21680.patch
+++ b/0001-CVE-2022-21680.patch
@ -0,0 +1,64 @@
+diff -Naur marked-2.0.0/src/rules.js marked-2.0.0~/src/rules.js
+--- marked-2.0.0/src/rules.js	2021-02-08 06:26:26.000000000 +0800
+++ marked-2.0.0~/src/rules.js	2022-09-02 11:01:07.576853870 +0800
+@@ -25,7 +25,7 @@
+     + '|<(?!script|pre|style)([a-z][\\w-]*)(?:attribute)*? */?>(?=[ \\t]*(?:\\n|$))[\\s\\S]*?(?:\\n{2,}|$)' // (7) open tag
+     + '|</(?!script|pre|style)[a-z][\\w-]*\\s*>(?=[ \\t]*(?:\\n|$))[\\s\\S]*?(?:\\n{2,}|$)' // (7) closing tag
+     + ')',
+-  def: /^ {0,3}\[(label)\]: *\n? *<?([^\s>]+)>?(?:(?: +\n? *| *\n *)(title))? *(?:\n+|$)/,
+  def: /^ {0,3}\[(label)\]: *(?:\n *)?<?([^\s>]+)>?(?:(?: +(?:\n *)?| *\n *)(title))? *(?:\n+|$)/,
+   nptable: noopTest,
+   table: noopTest,
+   lheading: /^([^\n]+)\n {0,3}(=+|-+) *(?:\n+|$)/,
+@@ -35,7 +35,7 @@
+   text: /^[^\n]+/
+ };
+ 
+-block._label = /(?!\s*\])(?:\\[\[\]]|[^\[\]])+/;
+block._label = /(?!\s*\])(?:\\.|[^\[\]\\])+/;
+ block._title = /(?:"(?:\\"?|[^"\\])*"|'[^'\n]*(?:\n[^'\n]+)*\n?'|\([^()]*\))/;
+ block.def = edit(block.def)
+   .replace('label', block._label)
+@@ -170,8 +170,8 @@
+     + '|^<![a-zA-Z]+\\s[\\s\\S]*?>' // declaration, e.g. <!DOCTYPE html>
+     + '|^<!\\[CDATA\\[[\\s\\S]*?\\]\\]>', // CDATA section
+   link: /^!?\[(label)\]\(\s*(href)(?:\s+(title))?\s*\)/,
+-  reflink: /^!?\[(label)\]\[(?!\s*\])((?:\\[\[\]]?|[^\[\]\\])+)\]/,
+-  nolink: /^!?\[(?!\s*\])((?:\[[^\[\]]*\]|\\[\[\]]|[^\[\]])*)\](?:\[\])?/,
+  reflink: /^!?\[(label)\]\[(ref)\]/,
+  nolink: /^!?\[(ref)\](?:\[\])?/,
+   reflinkSearch: 'reflink|nolink(?!\\()',
+   emStrong: {
+     lDelim: /^(?:\*+(?:([punct_])|[^\s*]))|^_+(?:([punct*])|([^\s_]))/,
+@@ -238,6 +238,11 @@
+ 
+ inline.reflink = edit(inline.reflink)
+   .replace('label', inline._label)
+  .replace('ref', block._label)
+  .getRegex();
+
+inline.nolink = edit(inline.nolink)
+  .replace('ref', block._label)
+   .getRegex();
+ 
+ inline.reflinkSearch = edit(inline.reflinkSearch, 'g')
+diff -Naur marked-2.0.0/test/specs/redos/cubic_def.cjs marked-2.0.0~/test/specs/redos/cubic_def.cjs
+--- marked-2.0.0/test/specs/redos/cubic_def.cjs	1970-01-01 08:00:00.000000000 +0800
+++ marked-2.0.0~/test/specs/redos/cubic_def.cjs	2022-09-02 10:50:19.562274563 +0800
+@@ -0,0 +1,4 @@
+module.exports = {
+  markdown: `[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`,
+  html: `<p>[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x</p>`,
+};
+diff -Naur marked-2.0.0/test/specs/redos/reflink_redos.html marked-2.0.0~/test/specs/redos/reflink_redos.html
+--- marked-2.0.0/test/specs/redos/reflink_redos.html	1970-01-01 08:00:00.000000000 +0800
+++ marked-2.0.0~/test/specs/redos/reflink_redos.html	2022-09-02 10:50:42.510544453 +0800
+@@ -0,0 +1 @@
+<p>[[]([]([]([]([]([]([]([]([]([]([]([]([]([]([]([]([]([]([]([]([]([]([]([]([]([]([]([]([]([]([</p>
+diff -Naur marked-2.0.0/test/specs/redos/reflink_redos.md marked-2.0.0~/test/specs/redos/reflink_redos.md
+--- marked-2.0.0/test/specs/redos/reflink_redos.md	1970-01-01 08:00:00.000000000 +0800
+++ marked-2.0.0~/test/specs/redos/reflink_redos.md	2022-09-02 10:51:08.129845768 +0800
+@@ -0,0 +1,3 @@
+[x]: x
+
+[\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\]([
--- a/marked.spec
+++ b/marked.spec
@ -4,11 +4,12 @@

 Name:           marked
 Version:        2.0.0
-Release:        3
+Release:        4
 Summary:        A markdown parser for Node.js built for speed
 License:        MIT
 URL:            https://github.com/markedjs/%{name}
 Source0:        https://github.com/markedjs/%{name}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
+Patch1:          0001-CVE-2022-21680.patch

 BuildArch:      noarch

@ -65,6 +66,7 @@ Install this for the minified web assests for nodejs-marked.

 %prep
 %setup -q -n %{name}-%{version}
+%patch1 -p1

 # remove the bundled minified marked
 rm -f marked.min.js
@ -131,6 +133,9 @@ npm run test
 %{_jsdir}/%{name}

 %changelog
+* Fri Sep 2 2022 douyan <douyan@kylinos.cn> - 2.0.0-4
+- fix CVE-2022-21680
+
 * Thu Jun 2 2022 peijiankang <peijiankang@kylinos.cn> - 2.0.0-3
 - Init Package for openEuler