Tree - rpms/nodejs - CentOS Git server

rpms / nodejs

Blame SOURCES/0005-CVE-2021-23343-nodejs-path-parse.patch

Blob History Raw

		5af130	`https://github.com/jbgutierrez/path-parse/pull/10`
		5af130
		5af130	`From 72c38e3a36b8ed2ec03960ac659aa114cbe6a420 Mon Sep 17 00:00:00 2001`
		5af130	`From: Jeffrey Pinyan <jeffrey.pinyan@ithreat.com>`
		5af130	`Date: Thu, 13 May 2021 10:53:50 -0400`
		5af130	`Subject: [PATCH 1/2] fixed regexes to avoid ReDoS attacks`
		5af130
		5af130	`Signed-off-by: rpm-build <rpm-build>`
		5af130	`---`
		5af130	`deps/npm/node_modules/path-parse/index.js \| 6 +++---`
		5af130	`deps/npm/node_modules/path-parse/redos.js \| 20 ++++++++++++++++++++`
		5af130	`2 files changed, 23 insertions(+), 3 deletions(-)`
		5af130	`create mode 100644 deps/npm/node_modules/path-parse/redos.js`
		5af130
		5af130	`diff --git a/deps/npm/node_modules/path-parse/index.js b/deps/npm/node_modules/path-parse/index.js`
		5af130	`index 3b7601f..e6b2af1 100644`
		5af130	`--- a/deps/npm/node_modules/path-parse/index.js`
		5af130	`+++ b/deps/npm/node_modules/path-parse/index.js`
		5af130	`@@ -5,11 +5,11 @@ var isWindows = process.platform === 'win32';`
		5af130	`// Regex to split a windows path into three parts: [*, device, slash,`
		5af130	`// tail] windows-only`
		5af130	`var splitDeviceRe =`
		5af130	`- /^([a-zA-Z]:\|[\\\/]{2}[^\\\/]+[\\\/]+[^\\\/]+)?([\\\/])?([\s\S]*?)$/;`
		5af130	`+ /^([a-zA-Z]:\|[\\\/]{2}[^\\\/]+[\\\/]+[^\\\/]+)?([\\\/])?(.*)$/s;`
		5af130
		5af130	`// Regex to split the tail part of the above into [*, dir, basename, ext]`
		5af130	`var splitTailRe =`
		5af130	`- /^([\s\S]?)((?:\.{1,2}\|[^\\\/]+?\|)(\.[^.\/\\]\|))(?:[\\\/]*)$/;`
		5af130	`+ /^((?:[^\\\/][\\\/]))((?:\.{1,2}\|[^\\\/]+?\|)(\.[^.\/\\]\|))(?:[\\\/])$/;`
		5af130
		5af130	`var win32 = {};`
		5af130
		5af130	`@@ -51,7 +51,7 @@ win32.parse = function(pathString) {`
		5af130	`// Split a filename into [root, dir, basename, ext], unix version`
		5af130	`// 'root' is just a slash, or nothing.`
		5af130	`var splitPathRe =`
		5af130	`- /^(\/?\|)([\s\S]?)((?:\.{1,2}\|[^\/]+?\|)(\.[^.\/]\|))(?:[\/]*)$/;`
		5af130	`+ /^(\/?\|)((?:[^\/]\/))((?:\.{1,2}\|[^\/]+?\|)(\.[^.\/]\|))(?:[\/])$/;`
		5af130	`var posix = {};`
		5af130
		5af130
		5af130	`diff --git a/deps/npm/node_modules/path-parse/redos.js b/deps/npm/node_modules/path-parse/redos.js`
		5af130	`new file mode 100644`
		5af130	`index 0000000..261947f`
		5af130	`--- /dev/null`
		5af130	`+++ b/deps/npm/node_modules/path-parse/redos.js`
		5af130	`@@ -0,0 +1,20 @@`
		5af130	`+var pathParse = require('.');`
		5af130	`+`
		5af130	`+function build_attack(n) {`
		5af130	`+ var ret = ""`
		5af130	`+ for (var i = 0; i < n; i++) {`
		5af130	`+ ret += "/"`
		5af130	`+ }`
		5af130	`+ return ret + "◎";`
		5af130	`+}`
		5af130	`+`
		5af130	`+for(var i = 1; i <= 5000000; i++) {`
		5af130	`+ if (i % 10000 == 0) {`
		5af130	`+ var time = Date.now();`
		5af130	`+ var attack_str = build_attack(i)`
		5af130	`+ pathParse.posix(attack_str);`
		5af130	`+ pathParse.win32(attack_str);`
		5af130	`+ var time_cost = Date.now() - time;`
		5af130	`+ console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")`
		5af130	`+ }`
		5af130	`+}`
		5af130	`--`
		5af130	`2.31.1`
		5af130
		5af130
		5af130	`From 44d1c9cd047988bb819707c726d9640f8aabe04d Mon Sep 17 00:00:00 2001`
		5af130	`From: Jeffrey Pinyan <jeffrey.pinyan@ithreat.com>`
		5af130	`Date: Thu, 13 May 2021 11:51:45 -0400`
		5af130	`Subject: [PATCH 2/2] streamlined regexes, simplified parse() returns`
		5af130
		5af130	`Signed-off-by: rpm-build <rpm-build>`
		5af130	`---`
		5af130	`deps/npm/node_modules/path-parse/index.js \| 52 ++++++++---------------`
		5af130	`1 file changed, 17 insertions(+), 35 deletions(-)`
		5af130
		5af130	`diff --git a/deps/npm/node_modules/path-parse/index.js b/deps/npm/node_modules/path-parse/index.js`
		5af130	`index e6b2af1..f062d0a 100644`
		5af130	`--- a/deps/npm/node_modules/path-parse/index.js`
		5af130	`+++ b/deps/npm/node_modules/path-parse/index.js`
		5af130	`@@ -2,29 +2,14 @@`
		5af130
		5af130	`var isWindows = process.platform === 'win32';`
		5af130
		5af130	`-// Regex to split a windows path into three parts: [*, device, slash,`
		5af130	`-// tail] windows-only`
		5af130	`-var splitDeviceRe =`
		5af130	`- /^([a-zA-Z]:\|[\\\/]{2}[^\\\/]+[\\\/]+[^\\\/]+)?([\\\/])?(.*)$/s;`
		5af130	`-`
		5af130	`-// Regex to split the tail part of the above into [*, dir, basename, ext]`
		5af130	`-var splitTailRe =`
		5af130	`- /^((?:[^\\\/][\\\/]))((?:\.{1,2}\|[^\\\/]+?\|)(\.[^.\/\\]\|))(?:[\\\/])$/;`
		5af130	`+// Regex to split a windows path into into [dir, root, basename, name, ext]`
		5af130	`+var splitWindowsRe =`
		5af130	`+ /^(((?:[a-zA-Z]:\|[\\\/]{2}[^\\\/]+[\\\/]+[^\\\/]+)?[\\\/]?)(?:[^\\\/][\\\/]))((\.{1,2}\|[^\\\/]+?\|)(\.[^.\/\\]\|))[\\\/]$/;`
		5af130
		5af130	`var win32 = {};`
		5af130
		5af130	`-// Function to split a filename into [root, dir, basename, ext]`
		5af130	`function win32SplitPath(filename) {`
		5af130	`- // Separate device+slash from tail`
		5af130	`- var result = splitDeviceRe.exec(filename),`
		5af130	`- device = (result[1] \|\| '') + (result[2] \|\| ''),`
		5af130	`- tail = result[3] \|\| '';`
		5af130	`- // Split the tail into dir, basename and extension`
		5af130	`- var result2 = splitTailRe.exec(tail),`
		5af130	`- dir = result2[1],`
		5af130	`- basename = result2[2],`
		5af130	`- ext = result2[3];`
		5af130	`- return [device, dir, basename, ext];`
		5af130	`+ return splitWindowsRe.exec(filename).slice(1);`
		5af130	`}`
		5af130
		5af130	`win32.parse = function(pathString) {`
		5af130	`@@ -34,24 +19,24 @@ win32.parse = function(pathString) {`
		5af130	`);`
		5af130	`}`
		5af130	`var allParts = win32SplitPath(pathString);`
		5af130	`- if (!allParts \|\| allParts.length !== 4) {`
		5af130	`+ if (!allParts \|\| allParts.length !== 5) {`
		5af130	`throw new TypeError("Invalid path '" + pathString + "'");`
		5af130	`}`
		5af130	`return {`
		5af130	`- root: allParts[0],`
		5af130	`- dir: allParts[0] + allParts[1].slice(0, -1),`
		5af130	`+ root: allParts[1],`
		5af130	`+ dir: allParts[0] === allParts[1] ? allParts[0] : allParts[0].slice(0, -1),`
		5af130	`base: allParts[2],`
		5af130	`- ext: allParts[3],`
		5af130	`- name: allParts[2].slice(0, allParts[2].length - allParts[3].length)`
		5af130	`+ ext: allParts[4],`
		5af130	`+ name: allParts[3]`
		5af130	`};`
		5af130	`};`
		5af130
		5af130
		5af130
		5af130	`-// Split a filename into [root, dir, basename, ext], unix version`
		5af130	`+// Split a filename into [dir, root, basename, name, ext], unix version`
		5af130	`// 'root' is just a slash, or nothing.`
		5af130	`var splitPathRe =`
		5af130	`- /^(\/?\|)((?:[^\/]\/))((?:\.{1,2}\|[^\/]+?\|)(\.[^.\/]\|))(?:[\/])$/;`
		5af130	`+ /^((\/?)(?:[^\/]\/))((\.{1,2}\|[^\/]+?\|)(\.[^.\/]\|))[\/]$/;`
		5af130	`var posix = {};`
		5af130
		5af130
		5af130	`@@ -67,19 +52,16 @@ posix.parse = function(pathString) {`
		5af130	`);`
		5af130	`}`
		5af130	`var allParts = posixSplitPath(pathString);`
		5af130	`- if (!allParts \|\| allParts.length !== 4) {`
		5af130	`+ if (!allParts \|\| allParts.length !== 5) {`
		5af130	`throw new TypeError("Invalid path '" + pathString + "'");`
		5af130	`}`
		5af130	`- allParts[1] = allParts[1] \|\| '';`
		5af130	`- allParts[2] = allParts[2] \|\| '';`
		5af130	`- allParts[3] = allParts[3] \|\| '';`
		5af130	`-`
		5af130	`+`
		5af130	`return {`
		5af130	`- root: allParts[0],`
		5af130	`- dir: allParts[0] + allParts[1].slice(0, -1),`
		5af130	`+ root: allParts[1],`
		5af130	`+ dir: allParts[0].slice(0, -1),`
		5af130	`base: allParts[2],`
		5af130	`- ext: allParts[3],`
		5af130	`- name: allParts[2].slice(0, allParts[2].length - allParts[3].length)`
		5af130	`+ ext: allParts[4],`
		5af130	`+ name: allParts[3],`
		5af130	`};`
		5af130	`};`
		5af130
		5af130	`--`
		5af130	`2.31.1`
		5af130

rpms / nodejs

Source Code

Blame SOURCES/0005-CVE-2021-23343-nodejs-path-parse.patch