packages/nodejs-minimist
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!13 [sync] PR-7: Update minimist to 1.2.6 for fix CVE-2021-44906

Browse Source 
From: @openeuler-sync-bot 
Reviewed-by: @solarhu 
Signed-off-by: @solarhu
This commit is contained in:
openeuler-ci-bot 2022-05-12 08:47:50 +00:00 committed by Gitee
commit 1cf5eb21a8
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
4 changed files with 8 additions and 45 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
CVE-2020-7598.patch
View File

@ -1,40 +0,0 @@
From 38a4d1caead72ef99e824bb420a2528eec03d9ab Mon Sep 17 00:00:00 2001
From: substack <substack@bits.coop>
Date: Tue, 10 Mar 2020 09:08:00 -1000
Subject: [PATCH] even more aggressive checks for protocol pollution
---
index.js | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/index.js b/index.js
index 6a0559d..cfdf0a5 100644
--- a/index.js
+++ b/index.js
@@ -68,12 +68,21 @@ module.exports = function (args, opts) {
function setKey (obj, keys, value) {
var o = obj;
- keys.slice(0,-1).forEach(function (key) {
+ for (var i = 0; i < keys.length-1; i++) {
+ var key = keys[i];
+ if (key === '__proto__') return;
if (o[key] === undefined) o[key] = {};
+ if (o[key] === Object.prototype || o[key] === Number.prototype
+ || o[key] === String.prototype) o[key] = {};
+ if (o[key] === Array.prototype) o[key] = [];
o = o[key];
- });
+ }
var key = keys[keys.length - 1];
+ if (key === '__proto__') return;
+ if (o === Object.prototype || o === Number.prototype
+ || o === String.prototype) o = {};
+ if (o === Array.prototype) o = [];
if (o[key] === undefined || flags.bools[key] || typeof o[key] === 'boolean') {
o[key] = value;
}
--
2.23.0

BIN
minimist-1.2.0.tgz
View File

Binary file not shown.

BIN
minimist-1.2.6.tgz Normal file
View File

Binary file not shown.

13
nodejs-minimist.spec
View File

@ -1,13 +1,12 @@
%{?nodejs_find_provides_and_requires} %{?nodejs_find_provides_and_requires}
%global enable_tests 1 %global enable_tests 1
Name: nodejs-minimist Name: nodejs-minimist
Version: 1.2.0 Version: 1.2.6
Release: 2 Release: 1
Summary: Parse argument options in Node.js Summary: Parse argument options in Node.js
License: MIT License: MIT
URL: https://github.com/substack/minimist URL: https://github.com/substack/minimist
Source0: https://registry.npmjs.org/minimist/-/minimist-%{version}.tgz Source0: https://registry.npmjs.org/minimist/-/minimist-%{version}.tgz
patch0: CVE-2020-7598.patch
BuildArch: noarch BuildArch: noarch
ExclusiveArch: %{nodejs_arches} noarch ExclusiveArch: %{nodejs_arches} noarch
BuildRequires: nodejs-packaging BuildRequires: nodejs-packaging
@ -20,8 +19,7 @@ This module is the guts of nodejs-optimist's argument parser without all the
fanciful decoration. fanciful decoration.
%prep %prep
%setup -q -n package %autosetup -n package -p1
%patch0 -p1
%build %build
@ -37,10 +35,15 @@ cp -pr package.json index.js %{buildroot}%{nodejs_sitelib}/minimist
%files %files
%{nodejs_sitelib}/minimist %{nodejs_sitelib}/minimist
%{nodejs_sitelib}/minimist/index.js
%{nodejs_sitelib}/minimist/package.json
%doc readme.markdown example %doc readme.markdown example
%license LICENSE %license LICENSE
%changelog %changelog
* Wed Apr 13 2022 yaoxin <yaoxin30@h-partners.com> - 1.2.6-1
- Update minimist to 1.2.6 for fix CVE-2021-44906
* Wed Oct 13 2021 houyingchao <houyingchao@huawei.com> - 1.2.0-2 * Wed Oct 13 2021 houyingchao <houyingchao@huawei.com> - 1.2.0-2
- Fix CVE-2020-7598 - Fix CVE-2020-7598