Package: release.debian.org Severity: normal Tags: bookworm User: release.debian....@packages.debian.org Usertags: pu X-Debbugs-Cc: node-dot...@packages.debian.org Control: affects -1 + src:node-dottie
[ Reason ] node-dottie is vulnerable to prototype pollution (#1040592, CVE-2023-26132) [ Impact ] Medium security issue [ Tests ] Test updated passed [ Risks ] Low risk, patch is trivial [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Don't allow __proto__ modifications. Patch includes also debian/tests/pkg-js/enable_proto file to allow __proto__ calls during autopkgtest (forbidden by default) because patch includes a prototype-pollution test Cheers, Yadd
diff --git a/debian/changelog b/debian/changelog index 9edf53f..a6edff9 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-dottie (2.0.2-4+deb12u1) bookworm; urgency=medium + + * Team upload + * Fix prototype pollution (Closes: #1040592, CVE-2023-26132) + + -- Yadd <y...@debian.org> Sun, 09 Jul 2023 08:43:00 +0400 + node-dottie (2.0.2-4) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2023-26132.patch b/debian/patches/CVE-2023-26132.patch new file mode 100644 index 0000000..5186407 --- /dev/null +++ b/debian/patches/CVE-2023-26132.patch @@ -0,0 +1,76 @@ +Description: rudimentary __proto__ guarding +Author: Mick Hansen <ma...@mhansen.io> +Origin: upstream, https://github.com/mickhansen/dottie.js/commit/7d3aee1c +Bug: https://security.snyk.io/vuln/SNYK-JS-DOTTIE-3332763 +Bug-Debian: https://bugs.debian.org/1040592 +Forwarded: not-needed +Applied-Upstream: 2.0.6, commit:7d3aee1c +Reviewed-By: Yadd <y...@debian.org> +Last-Update: 2023-07-09 + +--- a/README.md ++++ b/README.md +@@ -42,6 +42,8 @@ + }); + ``` + ++If you accept arbitrary/user-defined paths to `set` you should call `Object.preventExtensions(values)` first to guard against potential pollution. ++ + ### Transform object + Transform object from keys with dottie notation to nested objects + +--- a/dottie.js ++++ b/dottie.js +@@ -72,6 +72,7 @@ + // Set nested value + Dottie.set = function(object, path, value, options) { + var pieces = Array.isArray(path) ? path : path.split('.'), current = object, piece, length = pieces.length; ++ if (pieces[0] === '__proto__') return; + + if (typeof current !== 'object') { + throw new Error('Parent is not an object.'); +@@ -137,6 +138,9 @@ + + if (key.indexOf(options.delimiter) !== -1) { + pieces = key.split(options.delimiter); ++ ++ if (pieces[0] === '__proto__') break; ++ + piecesLength = pieces.length; + current = transformed; + +--- a/test/set.test.js ++++ b/test/set.test.js +@@ -45,4 +45,12 @@ + }); + expect(data.foo.bar.baz).to.equal('someValue'); + }); ++ ++ it('should not attempt to set __proto__', function () { ++ var data = {}; ++ ++ dottie.set(data, '__proto__.pollution', 'polluted'); ++ ++ expect(data.__proto__.pollution).to.be.undefined; ++ }); + }); +\ No newline at end of file +--- a/test/transform.test.js ++++ b/test/transform.test.js +@@ -145,4 +145,16 @@ + expect(transformed.user.location.city).to.equal('Zanzibar City'); + expect(transformed.project.title).to.equal('dottie'); + }); ++ ++ it("should guard against prototype pollution", function () { ++ var values = { ++ 'user.name': 'John Doe', ++ '__proto__.pollution': 'pollution' ++ }; ++ ++ var transformed = dottie.transform(values); ++ expect(transformed.user).not.to.equal(undefined); ++ expect(transformed.user.name).to.equal('John Doe'); ++ expect(transformed.__proto__.pollution).to.be.undefined; ++ }); + }); diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..e86da5e --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +CVE-2023-26132.patch diff --git a/debian/tests/pkg-js/enable_proto b/debian/tests/pkg-js/enable_proto new file mode 100644 index 0000000..e69de29
