From f5e2ab8e709124c38b9a1ed5729b1b552bb344b3 Mon Sep 17 00:00:00 2001
From: houyingchao <1348375921@qq.com>
Date: Wed, 13 Oct 2021 11:09:43 +0800
Subject: [PATCH] fix CVE-2020-7598
(cherry picked from commit 6d3f983cc2faae4cb934d029d018f025925e91bc)
---
 CVE-2020-7598.patch | 40 ++++++++++++++++++++++++++++++++++++++++
 nodejs-minimist.spec | 7 ++++++-
 2 files changed, 46 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2020-7598.patch
diff --git a/CVE-2020-7598.patch b/CVE-2020-7598.patch
new file mode 100644
index 0000000..243b746
--- /dev/null
+++ b/CVE-2020-7598.patch
@@ -0,0 +1,40 @@
+From 38a4d1caead72ef99e824bb420a2528eec03d9ab Mon Sep 17 00:00:00 2001
+From: substack
+Date: Tue, 10 Mar 2020 09:08:00 -1000
+Subject: [PATCH] even more aggressive checks for protocol pollution
+
+---
+ index.js | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/index.js b/index.js
+index 6a0559d..cfdf0a5 100644
+--- a/index.js
++++ b/index.js
+@@ -68,12 +68,21 @@ module.exports = function (args, opts) {
+
+ function setKey (obj, keys, value) {
+ var o = obj;
+- keys.slice(0,-1).forEach(function (key) {
++ for (var i = 0; i < keys.length-1; i++) {
++ var key = keys[i];
++ if (key === '__proto__') return;
+ if (o[key] === undefined) o[key] = {};
++ if (o[key] === Object.prototype || o[key] === Number.prototype
++ || o[key] === String.prototype) o[key] = {};
++ if (o[key] === Array.prototype) o[key] = [];
+ o = o[key];
+- });
++ }
+
+ var key = keys[keys.length - 1];
++ if (key === '__proto__') return;
++ if (o === Object.prototype || o === Number.prototype
++ || o === String.prototype) o = {};
++ if (o === Array.prototype) o = [];
+ if (o[key] === undefined || flags.bools[key] || typeof o[key] === 'boolean') {
+ o[key] = value;
+ }
+--
+2.23.0
+
diff --git a/nodejs-minimist.spec b/nodejs-minimist.spec
index 2a82569..324d9aa 100644
--- a/nodejs-minimist.spec
+++ b/nodejs-minimist.spec
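Review bot: The `__proto__` guards added on the new side of the inner index.js hunk do not stop a dotted key from walking through `constructor`, so an argument like `--constructor.constructor.prototype.polluted=1` resolves to `Function.prototype`, which is not among the four prototypes the loop swaps out (Object, Number, String, Array), and the final `o[key] = value` then writes onto it; this assumes `obj` is the ordinary `argv` object built outside the hunk, which is the case upstream later fixed as CVE-2021-44906 in minimist 1.2.6. The same gap exists at the last-key check, where `o` is only compared against those same four prototypes. Both guards should also refuse a `constructor` segment that resolves to a function: `if (key === '__proto__' || (key === 'constructor' && typeof o[key] === 'function')) return;` in the loop, and the same test again before the final write. It is also worth a comment that `o[key] = {}` when `o[key] === Object.prototype` is a silent no-op in this non-strict file (`Object.prototype` is non-writable), so only the `o = {}` reset before the write actually protects. `setKey`'s closing brace lies past the end of the inner hunk.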
@@ -2,11 +2,12 @@ %global enable_tests 1
 Name: nodejs-minimist
 Version: 1.2.0
-Release: 1
+Release: 2
 Summary: Parse argument options in Node.js
 License: MIT
 URL: https://github.com/substack/minimist
 Source0: https://registry.npmjs.org/minimist/-/minimist-%{version}.tgz
+patch0: CVE-2020-7598.patch
 BuildArch: noarch
 ExclusiveArch: %{nodejs_arches} noarch
 BuildRequires: nodejs-packaging
@@ -20,6 +21,7 @@ fanciful decoration.
 %prep
 %setup -q -n package
+%patch0 -p1
 %build
@@ -39,5 +41,8 @@ cp -pr package.json index.js %{buildroot}%{nodejs_sitelib}/minimist
 %license LICENSE
 %changelog
+* Wed Oct 13 2021 houyingchao - 1.2.0-2
+- Fix CVE-2020-7598
+
 * Mon Aug 17 2020 wutao - 1.2.0-1
 - Package init