!2 fix CVE-2021-23358

From: @wangxiao65 Reviewed-by: @jackie_wu123,@zhengyuhanghans Signed-off-by: @zhengyuhanghans
2021-04-16 15:34:37 +08:00 · 2021-04-16 15:34:37 +08:00 · 80bb13342d
commit 80bb13342d
parent 2f3658099c 5d36e4fe33
2 changed files with 69 additions and 1 deletions
--- a/CVE-2021-23358.patch
+++ b/CVE-2021-23358.patch
@ -0,0 +1,64 @@
+From 4c73526d43838ad6ab43a6134728776632adeb66 Mon Sep 17 00:00:00 2001
+From: Julian Gonggrijp <dev@juliangonggrijp.com>
+Date: Sat, 13 Mar 2021 22:38:44 +0100
+Subject: [PATCH] Fix #2911
+
+---
+ underscore.js         | 23 +++++++++++++++++++----
+ 1 files changed, 20 insertions(+), 4 deletions(-)
+
+diff --git a/underscore.js b/underscore.js
+index 3af6352e6..798eda091 100644
+--- a/underscore.js
+++ b/underscore.js
+@@ -1550,6 +1550,13 @@
+     return '\\' + escapes[match];
+   };
+ 
+  // In order to prevent third-party code injection through
+  // `_.templateSettings.variable`, we test it against the following regular
+  // expression. It is intentionally a bit more liberal than just matching valid
+  // identifiers, but still prevents possible loopholes through defaults or
+  // destructuring assignment.
+  var bareIdentifier = /^\s*(\w|\$)+\s*$/;
+
+   // JavaScript micro-templating, similar to John Resig's implementation.
+   // Underscore templating handles arbitrary delimiters, preserves whitespace,
+   // and correctly escapes quotes within interpolated code.
+@@ -1585,8 +1592,17 @@
+     });
+     source += "';\n";
+ 
+-    // If a variable is not specified, place data values in local scope.
+-    if (!settings.variable) source = 'with(obj||{}){\n' + source + '}\n';
+    var argument = settings.variable;
+    if (argument) {
+      // Insure against third-party code injection.
+      if (!bareIdentifier.test(argument)) throw new Error(
+        'variable is not a bare identifier: ' + argument
+      );
+    } else {
+      // If a variable is not specified, place data values in local scope.
+      source = 'with(obj||{}){\n' + source + '}\n';
+      argument = 'obj';
+    }
+ 
+     source = "var __t,__p='',__j=Array.prototype.join," +
+       "print=function(){__p+=__j.call(arguments,'');};\n" +
+@@ -1594,7 +1610,7 @@
+ 
+     var render;
+     try {
+-      render = new Function(settings.variable || 'obj', '_', source);
+      render = new Function(argument, '_', source);
+     } catch (e) {
+       e.source = source;
+       throw e;
+@@ -1605,7 +1621,6 @@
+     };
+ 
+     // Provide the compiled source as a convenience for precompilation.
+-    var argument = settings.variable || 'obj';
+     template.source = 'function(' + argument + '){\n' + source + '}';
+ 
+     return template;
--- a/nodejs-underscore.spec
+++ b/nodejs-underscore.spec
@ -3,11 +3,12 @@
 %global installdir  %{_jsdir}/underscore
 Name:                nodejs-underscore
 Version:             1.9.1
-Release:             1
+Release:             2
 Summary:             JavaScript's functional programming helper library
 License:             MIT
 URL:                 http://github.com/jashkenas/underscore
 Source0:             http://github.com/jashkenas/underscore/archive/%{version}.tar.gz
+Patch0000:           CVE-2021-23358.patch
 BuildArch:           noarch
 ExclusiveArch:       %{nodejs_arches} noarch
 BuildRequires:       web-assets-devel
@ -61,5 +62,8 @@ cp -pr underscore.js underscore-min.js underscore-min.map \
 %{installdir}

 %changelog
+* Fri Apr 16 2021 wangxiao <wangxiao65@huawei.com> - 1.9.1-2
+- Fix CVE-2021-23358
+
 * Thu Aug 20 2020 zhanghua <zhanghua40@huawei.com> - 1.9.1-1
 - Package init