Package: release.debian.org Severity: normal Tags: buster User: [email protected] Usertags: pu
[ Reason ] Insufficient validation and sanitization of user input exists in url-parse npm package version 1.4.4 and earlier may allow attacker to bypass security checks. [ Impact ] Medium security risk [ Tests ] The upstream test related to this vulnerability is included in the patch. I ran both build & autopkgtest tests [ Risks ] Low risk: the tests cover all features including the CVE fix; the change only adds a left trim to prevent unsanitized input from generating false positives [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] 1. "mocha" was missing in build dependencies, causing test failures 2. the upstream fix adds security checks without modifying the algorithm Cheers, Xavier
diff --git a/debian/changelog b/debian/changelog
index 04127dd..ee819f8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+node-url-parse (1.2.0-2+deb10u1) buster; urgency=medium
+
+ * Add missing test dependency: mocha
+ * Fix insufficient validation and sanitization of user input
+ (Closes: CVE-2020-8124)
+
+ -- Xavier Guimard <[email protected]> Tue, 01 Sep 2020 12:55:09 +0200
+
 node-url-parse (1.2.0-2) unstable; urgency=medium
 * Team upload
diff --git a/debian/control b/debian/control
index 2c683c6..8433ca7 100644
--- a/debian/control
+++ b/debian/control
@@ -7,6 +7,7 @@ Testsuite: autopkgtest-pkg-nodejs
 Build-Depends: debhelper (>= 9)
 , dh-buildinfo
+ , mocha <!nocheck>
 , nodejs
 , webpack
 , node-deep-eql <!nocheck>
diff --git a/debian/patches/CVE-2020-8124.diff b/debian/patches/CVE-2020-8124.diff
new file mode 100644
index 0000000..129c377
--- /dev/null
+++ b/debian/patches/CVE-2020-8124.diff
@@ -0,0 +1,93 @@
+Description: Fix CVE 2020-8124
+ Insufficient validation and sanitization of user input exists in url-parse
+ npm package version 1.4.4 and earlier may allow attacker to bypass security
+ checks.
+Author: Arnout Kazemier <[email protected]>
+Origin: upstream, https://github.com/unshiftio/url-parse/commit/3ecd256f
+Bug: https://hackerone.com/reports/496293
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <[email protected]>
+Last-Update: 2020-09-01
+
+--- a/index.js
++++ b/index.js
+@@ -2,8 +2,20 @@
+
+ var required = require('requires-port')
+ , qs = require('querystringify')
++ , slashes = /^[A-Za-z][A-Za-z0-9+-.]*:\/\//
+ , protocolre = /^([a-z][a-z0-9.+-]*:)?(\/\/)?([\S\s]*)/i
+- , slashes = /^[A-Za-z][A-Za-z0-9+-.]*:\/\//;
++ , whitespace = '[\\x09\\x0A\\x0B\\x0C\\x0D\\x20\\xA0\\u1680\\u180E\\u2000\\u2001\\u2002\\u2003\\u2004\\u2005\\u2006\\u2007\\u2008\\u2009\\u200A\\u202F\\u205F\\u3000\\u2028\\u2029\\uFEFF]'
++ , left = new RegExp('^'+ whitespace +'+');
++
++/**
++ * Trim a given string.
++ *
++ * @param {String} str String to trim.
++ * @public
++ */
++function trimLeft(str) {
++ return (str || '').replace(left, '');
++}
+
+ /**
+ * These are the parse rules for the URL parser, it informs the parser
+@@ -94,6 +106,7 @@
+ * @api private
+ */
+ function extractProtocol(address) {
++ address = trimLeft(address);
+ var match = protocolre.exec(address);
+
+ return {
+@@ -149,6 +162,8 @@
+ * @api public
+ */
+ function URL(address, location, parser) {
++ address = trimLeft(address);
++
+ if (!(this instanceof URL)) {
+ return new URL(address, location, parser);
+ }
+@@ -414,6 +429,7 @@
+ //
+ URL.extractProtocol = extractProtocol;
+ URL.location = lolcation;
++URL.trimLeft = trimLeft;
+ URL.qs = qs;
+
+ module.exports = URL;
+--- a/test/test.js
++++ b/test/test.js
+@@ -31,6 +31,14 @@
+
+ describe('extractProtocol', function () {
+ it('extracts the protocol data', function () {
++ assume(parse.extractProtocol('http://example.com')).eql({
++ slashes: true,
++ protocol: 'http:',
++ rest: 'example.com'
++ });
++ });
++
++ it('extracts the protocol data for nothing', function () {
+ assume(parse.extractProtocol('')).eql({
+ slashes: false,
+ protocol: '',
+@@ -49,6 +57,15 @@
+ });
+ });
+
++
++ it('trimsLeft', function () {
++ assume(parse.extractProtocol(' javascript://foo')).eql({
++ slashes: true,
++ protocol: 'javascript:',
++ rest: 'foo'
++ });
++ });
++
+ it('parses the query string into an object', function () {
+ var url = 'http://google.com/?foo=bar'
+ , data = parse(url, true);
diff --git a/debian/patches/series b/debian/patches/series
index 1ae99bc..c24e259 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 CVE-2018-3774.diff
+CVE-2020-8124.diff
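Review bot: `trimLeft` returns `(str || '').replace(left, '')`, so any truthy non-string `address` (a number, say) now throws a TypeError at the new `address = trimLeft(address);` lines in `extractProtocol` and `URL`, whereas the old path `protocolre.exec(address)` coerced it to a string; `return String(str || '').replace(left, '');` keeps that tolerance while still stripping the leading whitespace, if such callers exist. The new JSDoc on `trimLeft` has no return documentation; `@returns {String} The string with leading whitespace removed.` would complete it. The added `trimsLeft` test only exercises `extractProtocol` with a single leading space, so a case going through `parse()` itself and one using a tab or newline would also pin the `URL()` call site this hunk changes. The bodies of `extractProtocol` and `URL` continue outside the hunk.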

