File CVE-2021-44906.patch of Package nodejs8
Index: node-v8.17.0/deps/npm/node_modules/minimist/index.js
===================================================================
--- node-v8.17.0.orig/deps/npm/node_modules/minimist/index.js
+++ node-v8.17.0/deps/npm/node_modules/minimist/index.js
@@ -70,7 +70,7 @@ module.exports = function (args, opts) {
 var o = obj;
 for (var i = 0; i < keys.length-1; i++) {
 var key = keys[i];
-if (key === '__proto__') return;
+if (isConstructorOrProto(o, key)) return;
 if (o[key] === undefined) o[key] = {};
 if (o[key] === Object.prototype || o[key] === Number.prototype
 || o[key] === String.prototype) o[key] = {};
@@ -79,7 +79,7 @@ module.exports = function (args, opts) {
 }
 
 var key = keys[keys.length - 1];
-if (key === '__proto__') return;
+if (isConstructorOrProto(o, key)) return;
 if (o === Object.prototype || o === Number.prototype
 || o === String.prototype) o = {};
 if (o === Array.prototype) o = [];
@@ -243,3 +243,7 @@ function isNumber (x) {
 return /^[-+]?(?:\d+(?:\.\d*)?|\.\d+)(e[-+]?\d+)?$/.test(x);
 }
+
+function isConstructorOrProto (obj, key) {
+return key === 'constructor' && typeof obj[key] === 'function' || key === '__proto__';
+}
Index: node-v8.17.0/deps/npm/node_modules/minimist/package.json
===================================================================
--- node-v8.17.0.orig/deps/npm/node_modules/minimist/package.json
+++ node-v8.17.0/deps/npm/node_modules/minimist/package.json
@@ -69,5 +69,5 @@
 "opera/12"
 ]
 },
-"version": "1.2.5"
+"version": "1.2.6"
 }
Index: node-v8.17.0/deps/npm/node_modules/minimist/readme.markdown
===================================================================
--- node-v8.17.0.orig/deps/npm/node_modules/minimist/readme.markdown
+++ node-v8.17.0/deps/npm/node_modules/minimist/readme.markdown
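Review bot: The new guard in the first hunk only rejects `constructor` and `__proto__`, while the lookups immediately after it (`o[key] === undefined`, `o[key] === Object.prototype …`) still read inherited properties, so a path component naming an inherited method (`toString`, or `concat` under `_`) resolves to a shared built-in function object instead of being treated as absent. If the loop then descends into that value — the `o = o[key]` step is outside this hunk, so this is inferred — any property other than `constructor`/`__proto__` can be written onto a function object shared by every caller in the process. A cheap hardening is to treat non-own keys as empty before descending: `if (!Object.prototype.hasOwnProperty.call(o, key) || o[key] === undefined) o[key] = {};` in place of the bare `=== undefined` test, assuming no caller relies on writing through inherited keys. The enclosing function begins before this hunk and continues past it.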
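Review bot: `isConstructorOrProto` in the third hunk mixes `&&` and `||` without parentheses and carries no comment, so the purpose of the `typeof obj[key] === 'function'` qualifier is easy to misread and ESLint's no-mixed-operators would flag the line. Prefer `return key === '__proto__' || (key === 'constructor' && typeof obj[key] === 'function');` with a comment above the function such as `// Keys that would lead into a shared prototype: '__proto__' directly, or 'constructor' when it resolves (through the inherited lookup obj[key]) to a function whose .prototype is shared, e.g. Object, Array or Function.` It is worth stating in that comment that on a plain object or array `constructor` is always a function, so the qualifier only relaxes the check when `constructor` has been shadowed by a non-function value; otherwise a future maintainer may be tempted to drop the `typeof` test or, worse, to widen it.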
@@ -34,7 +34,10 @@ $ node example/parse.js -x 3 -y 4 -n5 -a
 Previous versions had a prototype pollution bug that could cause privilege
 escalation in some circumstances when handling untrusted user input.
-Please use version 1.2.3 or later: https://snyk.io/vuln/SNYK-JS-MINIMIST-559764
+Please use version 1.2.6 or later:
+
+* https://security.snyk.io/vuln/SNYK-JS-MINIMIST-2429795 (version <=1.2.5)
+* https://snyk.io/vuln/SNYK-JS-MINIMIST-559764 (version <=1.2.3)
 # methods
Index: node-v8.17.0/deps/npm/node_modules/minimist/test/proto.js
===================================================================
--- node-v8.17.0.orig/deps/npm/node_modules/minimist/test/proto.js
+++ node-v8.17.0/deps/npm/node_modules/minimist/test/proto.js
@@ -42,3 +42,19 @@ test('proto pollution (constructor)', fu
 t.equal(argv.y, undefined);
 t.end();
 });
+
+test('proto pollution (constructor function)', function (t) {
+var argv = parse(['--_.concat.constructor.prototype.y', '123']);
+function fnToBeTested() {}
+t.equal(fnToBeTested.y, undefined);
+t.equal(argv.y, undefined);
+t.end();
+});
+
+// powered by snyk - https://github.com/backstage/backstage/issues/10343
+test('proto pollution (constructor function) snyk', function (t) {
+var argv = parse('--_.constructor.constructor.prototype.foo bar'.split(' '));
+t.equal((function(){}).foo, undefined);
+t.equal(argv.y, undefined);
+t.end();
+})
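Review bot: In the second added test of the test/proto.js hunk the final assertion `t.equal(argv.y, undefined)` is vacuous: the payload targets `.foo`, not `.y`, so `argv.y` is undefined whether or not the fix works, and the line should read `t.equal(argv.foo, undefined);`. The preceding `(function(){}).foo` check is the one that actually detects pollution of Function.prototype, so the test still fails on a regression, but the copy-pasted assertion hides what is being verified. The closing `})` of that test also lacks the semicolon every other `test(...)` call in this file ends with. The first added test is the valuable one: it reaches `constructor` through an inherited, function-valued key (`_.concat`), which is exactly the path the old `__proto__`-only check let through.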