commit:     2a103afad637fb46659a8b1d6ef048be8721b13b
Author:     Aliaksei Urbanski <aliaksei.urbanski <AT> gmail <DOT> com>
AuthorDate: Mon Jun 24 22:32:22 2024 +0000
Commit:     Maciej Barć <xgqt <AT> gentoo <DOT> org>
CommitDate: Mon Jun 24 23:01:45 2024 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2a103afa

dev-python/js2py: revbump to 0.74-r1

These changes:
  - fix CVE-2024-28397
  - stop ignoring test failures in run.py
  - restrict the test feature since
    multiple tests are broken

Bug: https://bugs.gentoo.org/831356
Signed-off-by: Aliaksei Urbanski <aliaksei.urbanski <AT> gmail.com>
Closes: https://github.com/gentoo/gentoo/pull/37285
Signed-off-by: Maciej Barć <xgqt <AT> gentoo.org>

 .../js2py/files/js2py-0.74-CVE-2024-28397.patch    | 21 +++++++++++++++++++
 .../{js2py-0.74.ebuild => js2py-0.74-r1.ebuild}    | 24 ++++++++++++++--------
 2 files changed, 36 insertions(+), 9 deletions(-)

diff --git a/dev-python/js2py/files/js2py-0.74-CVE-2024-28397.patch 
b/dev-python/js2py/files/js2py-0.74-CVE-2024-28397.patch
new file mode 100644
index 000000000000..c8ecfab22485
--- /dev/null
+++ b/dev-python/js2py/files/js2py-0.74-CVE-2024-28397.patch
@@ -0,0 +1,21 @@
+# https://nvd.nist.gov/vuln/detail/CVE-2024-28397
+# 
https://github.com/Marven11/CVE-2024-28397-js2py-Sandbox-Escape/blob/main/patch.txt
+# https://github.com/PiotrDabkowski/Js2Py/pull/323
+# https://github.com/Marven11/Js2Py/commit/56e244eb
+
+Author: Marven11 <[email protected]>
+Date: Fri, 1 Mar 2024 12:53:58 +0800
+
+diff --git a/js2py/constructors/jsobject.py b/js2py/constructors/jsobject.py
+index c4e0ada3..b1806ea6 100644
+--- a/js2py/constructors/jsobject.py
++++ b/js2py/constructors/jsobject.py
+@@ -49,7 +49,7 @@ def getOwnPropertyNames(obj):
+             raise MakeError(
+                 'TypeError',
+                 'Object.getOwnPropertyDescriptor called on non-object')
+-        return obj.own.keys()
++        return list(obj.own.keys())
+ 
+     def create(obj):
+         if not (obj.is_object() or obj.is_null()):
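Review bot: The `#` header lines of this patch give only links, so a maintainer reading the ebuild has no local record of what CVE-2024-28397 is or why wrapping `obj.own.keys()` in `list()` addresses it; add a line such as `# getOwnPropertyNames() returned a raw Python dict_keys view that JS code could reach through to Python internals; a list is converted into a JS array instead` (this is my reading of the referenced advisory, so verify it against those links before committing the wording). It is also worth recording that this is a point fix to a single builtin rather than a hardening of the interpreter: nothing in the patch shows whether other paths still hand Python objects to JS, and the references point at a pull request rather than an upstream release, so the revbump should not be read as making js2py safe for untrusted JavaScript. The body of `getOwnPropertyNames` continues outside the hunk.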

diff --git a/dev-python/js2py/js2py-0.74.ebuild 
b/dev-python/js2py/js2py-0.74-r1.ebuild
similarity index 63%
rename from dev-python/js2py/js2py-0.74.ebuild
rename to dev-python/js2py/js2py-0.74-r1.ebuild
index 22032fcf8e3b..a23e6913a497 100644
--- a/dev-python/js2py/js2py-0.74.ebuild
+++ b/dev-python/js2py/js2py-0.74-r1.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2023 Gentoo Authors
+# Copyright 1999-2024 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=8
@@ -6,18 +6,19 @@ EAPI=8
 DISTUTILS_USE_PEP517=setuptools
 PYPI_NO_NORMALIZE=1
 PYPI_PN="Js2Py"
-PYTHON_COMPAT=( python3_{9..11} )
+PYTHON_COMPAT=( python3_{10..11} )
 
 inherit distutils-r1 pypi
 
 DESCRIPTION="JavaScript to Python Translator & JavaScript interpreter in 
Python"
-HOMEPAGE="http://piter.io/projects/js2py/
-       https://github.com/PiotrDabkowski/Js2Py/
+HOMEPAGE="http://piter.io/projects/js2py
+       https://github.com/PiotrDabkowski/Js2Py
        https://pypi.org/project/Js2Py/";
 
 LICENSE="MIT"
 SLOT="0"
 KEYWORDS="amd64 ~arm arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sparc x86"
+RESTRICT="test"
 
 RDEPEND="
        >=dev-python/pyjsparser-2.5.1[${PYTHON_USEDEP}]
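Review bot: `RESTRICT="test"` on the line added after KEYWORDS carries no comment, so the commit message is the only place that records why tests are now restricted; Gentoo ebuilds conventionally explain a restriction inline, e.g. `# multiple tests fail once run.py stops ignoring failures, bug #831356` (the bug reference is inferred from the commit record — adjust if the failures are tracked elsewhere). That comment should also make clear that with the restriction in place the python_test() rewrite further down never runs in a default build, so the CVE-2024-28397 patch is only checked for applying cleanly, not exercised by the test suite. Dropping python3_9 from PYTHON_COMPAT is unrelated to the CVE and is not mentioned in the commit message; a short note of the reason would help whoever later stabilises or bumps this ebuild.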
@@ -25,15 +26,20 @@ RDEPEND="
        >=dev-python/six-1.10.0[${PYTHON_USEDEP}]
 "
 
+PATCHES=(
+       "${FILESDIR}"/${P}-CVE-2024-28397.patch
+)
+
 python_test() {
        pushd ./tests >/dev/null || die
 
-       # Tests require "node_failed.txt" file where the logs are kept
-       if [[ -f ./node_failed.txt ]] ; then
-               rm ./node_failed.txt || die
-       fi
-
+       # run.py requires "node_failed.txt" file
        touch ./node_failed.txt || die
+
+       # https://bugs.gentoo.org/831356
+       # make run.py return a non-zero exit code if any test failed
+       echo 'sys.exit(len(FAILING))' >> ./run.py || die
+
        "${EPYTHON}" ./run.py || die "tests failed with ${EPYTHON}"
 
        popd >/dev/null || die
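Review bot: `sys.exit(len(FAILING))` on the appended line uses the failure count as the process exit status, which POSIX truncates to 8 bits, so exactly 256 (or 512, …) failing tests would report success; use `echo 'sys.exit(1 if FAILING else 0)' >> ./run.py || die` so any failure yields a non-zero status. The line also assumes run.py already imports `sys` and keeps its failures in a name called `FAILING` — neither is visible here; a NameError would at least still fail the build, but a comment stating the assumption would help the next bump. Because `>>` appends to the checked-out run.py, the line is added again on every invocation of python_test() (once per implementation in PYTHON_COMPAT if they share ${S}); the duplicates are unreachable after the first `sys.exit`, but prefixing the echo with `grep -q 'sys.exit(' ./run.py ||` keeps the edit idempotent. The closing brace of python_test() lies outside the hunk.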
