Package: release.debian.org Severity: normal Tags: buster User: release.debian....@packages.debian.org Usertags: pu
Hi, node-yargs-parser is vulnerable to prototype pollution. I fixed it and added a basic test taken from [1]. Sid version is fixed (18.1.1-1). Cheers, Xavier [1] https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381
diff --git a/debian/changelog b/debian/changelog
index 481bfc4..5f18499 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-yargs-parser (11.1.1-1+deb10u1) unstable; urgency=medium
+
+ * Team upload
+ * Fix prototype pollution and add test (Closes: CVE-2020-7608)
+
+ -- Xavier Guimard <y...@debian.org> Tue, 24 Mar 2020 10:22:44 +0100
+
 node-yargs-parser (11.1.1-1) unstable; urgency=medium
 [ Utkarsh Gupta ]
diff --git a/debian/patches/CVE-2020-7608.diff b/debian/patches/CVE-2020-7608.diff
new file mode 100644
index 0000000..262102e
--- /dev/null
+++ b/debian/patches/CVE-2020-7608.diff
@@ -0,0 +1,51 @@
+Description: fix prototype pollution
+Author: Benjamin E. Coe <ben...@google.com>
+Bug: https://github.com/yargs/yargs-parser/pull/258
+ https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <y...@debian.org>
+Last-Update: 2020-03-24
+
+--- a/index.js
++++ b/index.js
+@@ -618,10 +618,11 @@
+ if (!configuration['dot-notation']) keys = [keys.join('.')]
+
+ keys.slice(0, -1).forEach(function (key) {
+- o = (o[key] || {})
++ key = sanitizeKey(key)
++ o = (o[key])
+ })
+
+- var key = keys[keys.length - 1]
++ var key = sanitizeKey(keys[keys.length - 1])
+
+ if (typeof o !== 'object') return false
+ else return key in o
+@@ -633,6 +634,7 @@
+ if (!configuration['dot-notation']) keys = [keys.join('.')]
+
+ keys.slice(0, -1).forEach(function (key, index) {
++ key = sanitizeKey(key)
+ if (typeof o === 'object' && o[key] === undefined) {
+ o[key] = {}
+ }
+@@ -652,7 +654,7 @@
+ }
+ })
+
+- var key = keys[keys.length - 1]
++ var key = sanitizeKey(keys[keys.length - 1])
+
+ var isTypeArray = checkAllAliases(keys.join('.'), flags.arrays)
+ var isValueArray = Array.isArray(value)
+@@ -863,4 +865,9 @@
+ return parse(args.slice(), opts)
+ }
+
++function sanitizeKey (key) {
++ if (key === '__proto__') return '___proto___'
++ return key
++}
++
+ module.exports = Parser
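Review bot: In the `hasKey` hunk of the backported patch the rewritten line `o = (o[key])` drops the `|| {}` fallback that the removed line `o = (o[key] || {})` had, so when an intermediate segment is missing `o` becomes `undefined` and the next iteration of the `forEach` dereferences it — `hasKey({}, ['a', 'b', 'c'])` would throw a TypeError where the unpatched code returned false. Unless the fallback was dropped on purpose, keep it and apply the sanitiser in front of it: `key = sanitizeKey(key)` followed by `o = (o[key] || {})`, which preserves both the pollution fix and the original behaviour. Separately, `sanitizeKey` neutralises only `__proto__`; whether an input like `--foo.constructor.prototype.bar baz` can reach `Object.prototype` through the `setKey` walk depends on the `o = o[key]` step that is outside this hunk, so it is worth adding that case to the test rather than assuming it is covered. Both `hasKey` and `setKey` start and end outside the hunks shown here.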
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..348ca56
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2020-7608.diff
diff --git a/debian/rules b/debian/rules
index b39f453..9787e73 100755
--- a/debian/rules
+++ b/debian/rules
@@ -10,4 +10,8 @@
 override_dh_auto_test:
 ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS)))
 mocha test/*.js
+ if node debian/tests/CVE-2020-7608.js|egrep ^baz; then \
+ echo "Vulnerable to CVE-2020-7608"; \
+ exit 1; \
+ fi
 endif
diff --git a/debian/tests/CVE-2020-7608.js b/debian/tests/CVE-2020-7608.js
new file mode 100644
index 0000000..b61cef2
--- /dev/null
+++ b/debian/tests/CVE-2020-7608.js
@@ -0,0 +1,3 @@
+const parser = require("../..");
+console.log(parser('--foo.__proto__.bar baz'));
+console.log(({}).bar);
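Review bot: The new `if node debian/tests/CVE-2020-7608.js|egrep ^baz` check in the override_dh_auto_test recipe only sees egrep's exit status, so if node fails outright (module not found, parser throwing on the `__proto__` input) there is nothing for `^baz` to match and the build silently passes as "not vulnerable"; a `/bin/sh` recipe has no `pipefail` to rescue this. Capture the output first and fail on a non-zero exit: `out=$$(node debian/tests/CVE-2020-7608.js) || { echo "CVE-2020-7608 test script failed"; exit 1; }; \` followed by `if echo "$$out" | grep -q '^baz'; then \`. The match also relies on the first `console.log` of the parsed object never producing a line that starts with `baz`, which holds for the current script but is fragile; having the script exit non-zero itself would reduce this recipe to a plain `node debian/tests/CVE-2020-7608.js` line.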
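Review bot: The new test script only prints values and never fails by itself, so its verdict lives entirely in the `egrep ^baz` glue in debian/rules; making it assert and exit non-zero would let it stand alone. Replace the last line with `if (({}).bar !== undefined) { console.error('Vulnerable to CVE-2020-7608'); process.exit(1); }` and keep the `console.log` of the parsed result only if it is wanted for debugging. It also exercises only the nested `--foo.__proto__.bar baz` form; a top-level `--__proto__.bar baz` input goes through the same `sanitizeKey` call on the intermediate key and is cheap to add as a second parse before the check.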