Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu

Hi,

node-yargs-parser is vulnerable to prototype pollution. I fixed it and
added a basic test taken from [1].

Sid version is fixed (18.1.1-1).

Cheers,
Xavier

[1] https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381
diff --git a/debian/changelog b/debian/changelog
index 481bfc4..5f18499 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-yargs-parser (11.1.1-1+deb10u1) unstable; urgency=medium
+
+  * Team upload
+  * Fix prototype pollution and add test (Closes: CVE-2020-7608)
+
+ -- Xavier Guimard <y...@debian.org>  Tue, 24 Mar 2020 10:22:44 +0100
+
 node-yargs-parser (11.1.1-1) unstable; urgency=medium
 
   [ Utkarsh Gupta ]
diff --git a/debian/patches/CVE-2020-7608.diff 
b/debian/patches/CVE-2020-7608.diff
new file mode 100644
index 0000000..262102e
--- /dev/null
+++ b/debian/patches/CVE-2020-7608.diff
@@ -0,0 +1,51 @@
+Description: fix prototype pollution
+Author: Benjamin E. Coe <ben...@google.com>
+Bug: https://github.com/yargs/yargs-parser/pull/258
+ https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <y...@debian.org>
+Last-Update: 2020-03-24
+
+--- a/index.js
++++ b/index.js
+@@ -618,10 +618,11 @@
+     if (!configuration['dot-notation']) keys = [keys.join('.')]
+ 
+     keys.slice(0, -1).forEach(function (key) {
+-      o = (o[key] || {})
++      key = sanitizeKey(key)
++      o = (o[key])
+     })
+ 
+-    var key = keys[keys.length - 1]
++    var key = sanitizeKey(keys[keys.length - 1])
+ 
+     if (typeof o !== 'object') return false
+     else return key in o
+@@ -633,6 +634,7 @@
+     if (!configuration['dot-notation']) keys = [keys.join('.')]
+ 
+     keys.slice(0, -1).forEach(function (key, index) {
++      key = sanitizeKey(key)
+       if (typeof o === 'object' && o[key] === undefined) {
+         o[key] = {}
+       }
+@@ -652,7 +654,7 @@
+       }
+     })
+ 
+-    var key = keys[keys.length - 1]
++    var key = sanitizeKey(keys[keys.length - 1])
+ 
+     var isTypeArray = checkAllAliases(keys.join('.'), flags.arrays)
+     var isValueArray = Array.isArray(value)
+@@ -863,4 +865,9 @@
+   return parse(args.slice(), opts)
+ }
+ 
++function sanitizeKey (key) {
++  if (key === '__proto__') return '___proto___'
++  return key
++}
++
+ module.exports = Parser
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..348ca56
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2020-7608.diff
diff --git a/debian/rules b/debian/rules
index b39f453..9787e73 100755
--- a/debian/rules
+++ b/debian/rules
@@ -10,4 +10,8 @@
 override_dh_auto_test:
 ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS)))
        mocha test/*.js
+       if node debian/tests/CVE-2020-7608.js|egrep ^baz; then \
+               echo "Vulnerable to CVE-2020-7608"; \
+               exit 1; \
+       fi
 endif
diff --git a/debian/tests/CVE-2020-7608.js b/debian/tests/CVE-2020-7608.js
new file mode 100644
index 0000000..b61cef2
--- /dev/null
+++ b/debian/tests/CVE-2020-7608.js
@@ -0,0 +1,3 @@
+const parser = require("../..");
+console.log(parser('--foo.__proto__.bar baz'));
+console.log(({}).bar);

Reply via email to