From 7011353e68141eb4f5972a7d864b9d8e1eec9a88 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Aug 26 2021 09:52:34 +0000
Subject: import rh-nodejs14-nodejs-nodemon-2.0.3-5.el7


---

diff --git a/SOURCES/0001-fix-redirect-help.patch b/SOURCES/0001-fix-redirect-help.patch
index b0a9e67..89cfc0a 100644
--- a/SOURCES/0001-fix-redirect-help.patch
+++ b/SOURCES/0001-fix-redirect-help.patch
@@ -1,4 +1,4 @@
-From cccb59dd0029243d816cd1a07ffa1f4b3ed25313 Mon Sep 17 00:00:00 2001
+From 190d081bdbc703d34124aba06f3903c27e4f7c11 Mon Sep 17 00:00:00 2001
 From: Remy Sharp <remy@remysharp.com>
 Date: Wed, 6 Jan 2021 10:38:53 +0000
 Subject: [PATCH] fix: redirect help
diff --git a/SOURCES/0002-Fix-ReDoS-for-data-URLs.patch b/SOURCES/0002-Fix-ReDoS-for-data-URLs.patch
index 83004a4..c16dd66 100644
--- a/SOURCES/0002-Fix-ReDoS-for-data-URLs.patch
+++ b/SOURCES/0002-Fix-ReDoS-for-data-URLs.patch
@@ -1,4 +1,4 @@
-From f3fa3bb4248f851be3cb6adc1beaf68711848ff3 Mon Sep 17 00:00:00 2001
+From 099828b738527c3a1e9fcba8ed9b0b1a5103526f Mon Sep 17 00:00:00 2001
 From: rpm-build <rpm-build>
 Date: Fri, 2 Jul 2021 16:30:14 +0200
 Subject: [PATCH] Fix ReDoS for data URLs
diff --git a/SOURCES/0003-fix-eliminate-ReDoS-36.patch b/SOURCES/0003-fix-eliminate-ReDoS-36.patch
new file mode 100644
index 0000000..a8a208b
--- /dev/null
+++ b/SOURCES/0003-fix-eliminate-ReDoS-36.patch
@@ -0,0 +1,31 @@
+From 77d803b877935e51c42e8bd66510d41f3e76460c Mon Sep 17 00:00:00 2001
+From: Rich Trott <rtrott@gmail.com>
+Date: Sat, 6 Mar 2021 13:16:16 -0800
+Subject: [PATCH] fix: eliminate ReDoS (#36)
+
+This change fixes a regular expression denial of service
+vulnerability.
+
+Refs: https://github.com/gulpjs/glob-parent/issues/32
+Refs: https://app.snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905
+Signed-off-by: rpm-build <rpm-build>
+---
+ node_modules/glob-parent/index.js | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/node_modules/glob-parent/index.js b/node_modules/glob-parent/index.js
+index 2ded6ea..c7b3bd3 100644
+--- a/node_modules/glob-parent/index.js
++++ b/node_modules/glob-parent/index.js
+@@ -6,7 +6,7 @@ var isWin32 = require('os').platform() === 'win32';
+ 
+ var slash = '/';
+ var backslash = /\\/g;
+-var enclosure = /[\{\[].*[\/]*.*[\}\]]$/;
++var enclosure = /[\{\[].*[\}\]]$/;
+ var globby = /(^|[^\\])([\{\[]|\([^\)]+$)/;
+ var escaped = /\\([\*\?\|\[\]\(\)\{\}])/g;
+ 
+-- 
+2.31.1
+
diff --git a/SOURCES/0004-do-not-allow-invalid-hazardous-string-as-section-nam.patch b/SOURCES/0004-do-not-allow-invalid-hazardous-string-as-section-nam.patch
new file mode 100644
index 0000000..85f2ba4
--- /dev/null
+++ b/SOURCES/0004-do-not-allow-invalid-hazardous-string-as-section-nam.patch
@@ -0,0 +1,99 @@
+From 26bf6f9b5118302d41cc702587e5bb9c5ac51350 Mon Sep 17 00:00:00 2001
+From: isaacs <i@izs.me>
+Date: Tue, 8 Dec 2020 14:21:50 -0800
+Subject: [PATCH] do not allow invalid hazardous string as section name
+
+Signed-off-by: rpm-build <rpm-build>
+---
+ node_modules/ini/ini.js        |  8 ++++++
+ node_modules/ini/test/proto.js | 45 ++++++++++++++++++++++++++++++++++
+ 2 files changed, 53 insertions(+)
+ create mode 100644 node_modules/ini/test/proto.js
+
+diff --git a/node_modules/ini/ini.js b/node_modules/ini/ini.js
+index 590195d..0401258 100644
+--- a/node_modules/ini/ini.js
++++ b/node_modules/ini/ini.js
+@@ -80,6 +80,12 @@ function decode (str) {
+     if (!match) return
+     if (match[1] !== undefined) {
+       section = unsafe(match[1])
++      if (section === '__proto__') {
++        // not allowed
++        // keep parsing the section, but don't attach it.
++        p = {}
++        return
++      }
+       p = out[section] = out[section] || {}
+       return
+     }
+@@ -94,6 +100,7 @@ function decode (str) {
+     // Convert keys with '[]' suffix to an array
+     if (key.length > 2 && key.slice(-2) === '[]') {
+       key = key.substring(0, key.length - 2)
++      if (key === '__proto__') return
+       if (!p[key]) {
+         p[key] = []
+       } else if (!Array.isArray(p[key])) {
+@@ -125,6 +132,7 @@ function decode (str) {
+     var l = parts.pop()
+     var nl = l.replace(/\\\./g, '.')
+     parts.forEach(function (part, _, __) {
++      if (part === '__proto__') return
+       if (!p[part] || typeof p[part] !== 'object') p[part] = {}
+       p = p[part]
+     })
+diff --git a/node_modules/ini/test/proto.js b/node_modules/ini/test/proto.js
+new file mode 100644
+index 0000000..ab35533
+--- /dev/null
++++ b/node_modules/ini/test/proto.js
+@@ -0,0 +1,45 @@
++var ini = require('../')
++var t = require('tap')
++
++var data = `
++__proto__ = quux
++foo = baz
++[__proto__]
++foo = bar
++[other]
++foo = asdf
++[kid.__proto__.foo]
++foo = kid
++[arrproto]
++hello = snyk
++__proto__[] = you did a good job
++__proto__[] = so you deserve arrays
++thanks = true
++`
++var res = ini.parse(data)
++t.deepEqual(res, {
++  foo: 'baz',
++  other: {
++    foo: 'asdf',
++  },
++  kid: {
++    foo: {
++      foo: 'kid',
++    },
++  },
++  arrproto: {
++    hello: 'snyk',
++    thanks: true,
++  },
++})
++t.equal(res.__proto__, Object.prototype)
++t.equal(res.kid.__proto__, Object.prototype)
++t.equal(res.kid.foo.__proto__, Object.prototype)
++t.equal(res.arrproto.__proto__, Object.prototype)
++t.equal(Object.prototype.foo, undefined)
++t.equal(Object.prototype[0], undefined)
++t.equal(Object.prototype['0'], undefined)
++t.equal(Object.prototype[1], undefined)
++t.equal(Object.prototype['1'], undefined)
++t.equal(Array.prototype[0], undefined)
++t.equal(Array.prototype[1], undefined)
+-- 
+2.31.1
+
diff --git a/SPECS/nodejs-nodemon.spec b/SPECS/nodejs-nodemon.spec
index abccbb5..5972f6c 100644
--- a/SPECS/nodejs-nodemon.spec
+++ b/SPECS/nodejs-nodemon.spec
@@ -9,7 +9,7 @@
 
 Name:          %{?scl_prefix}nodejs-%{npm_name}
 Version:       2.0.3
-Release:       2%{?dist}
+Release:       5%{?dist}
 Summary:       Simple monitor script for use during development of a node.js app
 License:       MIT
 URL:           https://github.com/remy/nodemon
@@ -17,6 +17,8 @@ Source0:       %{npm_name}-v%{version}-bundled.tar.gz
 
 Patch0:        0001-fix-redirect-help.patch
 Patch1:        0002-Fix-ReDoS-for-data-URLs.patch
+Patch2:        0003-fix-eliminate-ReDoS-36.patch
+Patch4:        0004-do-not-allow-invalid-hazardous-string-as-section-nam.patch
 
 BuildRequires: %{?scl_prefix}nodejs-devel
 BuildRequires: %{?scl_prefix}npm
@@ -79,6 +81,18 @@ npm run test
 %{_bindir}/nodemon
 
 %changelog
+* Tue Aug 17 2021 Jan Staněk <jstanek@redhat.com> - 2.0.3-5
+- Rebuild with the previous fix correctly applied
+  Related: rhbz#1991323
+
+* Mon Aug 16 2021 Jan Staněk <jstanek@redhat.com> - 2.0.3-4
+- Backport fix for CVE-2020-7788 in bundled(nodejs-ini)
+  Resolves: rhbz#1991323
+
+* Thu Aug 05 2021 Jan Staněk <jstanek@redhat.com> - 2.0.3-3
+- Backport fix for CVE-2020-28469 in bundled(nodejs-glob-parent)
+  Resolves: rhbz#1948027
+
 * Fri Jul 02 2021 Jan Staněk <jstanek@redhat.com> - 2.0.3-2
 - Allow --help option text to be redirected to file
 - Backport CVE-2021-33502 fix