Package: release.debian.org Severity: normal Tags: buster User: release.debian....@packages.debian.org Usertags: pu
Hi, node-dot-prop is vulnerable to prototype pollution. This upstream patch fixes the problem. Cheers, Xavier
diff --git a/debian/changelog b/debian/changelog
index 84868fc..f7509b9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-dot-prop (4.1.1-1+deb10u1) buster; urgency=medium
+
+ * Team upload
+ * Add fix for prototype pollution (Closes: CVE-2020-8116)
+
+ -- Xavier Guimard <y...@debian.org> Thu, 06 Feb 2020 06:33:11 +0100
+
 node-dot-prop (4.1.1-1) unstable; urgency=low
 * Initial release (Closes: #868441)
diff --git a/debian/patches/CVE-2020-8116.diff b/debian/patches/CVE-2020-8116.diff
new file mode 100644
index 0000000..b7d34f1
--- /dev/null
+++ b/debian/patches/CVE-2020-8116.diff
@@ -0,0 +1,90 @@
+Description: Prevent setting/getting some problematic path components
+ Fixes CVE-2020-8116
+Author: Sindre Sorhus <sindresor...@gmail.com>
+Origin: upstream, https://github.com/sindresorhus/dot-prop/commit/3039c8c0
+Bug: https://hackerone.com/reports/719856
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <y...@debian.org>
+Last-Update: 2020-02-06
+
+--- a/index.js
++++ b/index.js
+@@ -1,6 +1,14 @@
+ 'use strict';
+ const isObj = require('is-obj');
+
++const disallowedKeys = [
++ '__proto__',
++ 'prototype',
++ 'constructor'
++];
++
++const isValidPath = pathSegments => !pathSegments.some(segment => disallowedKeys.includes(segment));
++
+ function getPathSegments(path) {
+ const pathArr = path.split('.');
+ const parts = [];
+@@ -15,6 +23,9 @@
+
+ parts.push(p);
+ }
++ if (!isValidPath(parts)) {
++ return [];
++ }
+
+ return parts;
+ }
+@@ -26,6 +37,9 @@
+ }
+
+ const pathArr = getPathSegments(path);
++ if (pathArray.length === 0) {
++ return;
++ }
+
+ for (let i = 0; i < pathArr.length; i++) {
+ if (!Object.prototype.propertyIsEnumerable.call(obj, pathArr[i])) {
+@@ -57,6 +71,9 @@
+ }
+
+ const pathArr = getPathSegments(path);
++ if (pathArray.length === 0) {
++ return;
++ }
+
+ for (let i = 0; i < pathArr.length; i++) {
+ const p = pathArr[i];
+@@ -79,6 +96,9 @@
+ }
+
+ const pathArr = getPathSegments(path);
++ if (pathArray.length === 0) {
++ return;
++ }
+
+ for (let i = 0; i < pathArr.length; i++) {
+ const p = pathArr[i];
+--- a/readme.md
++++ b/readme.md
+@@ -79,6 +79,8 @@
+
+ Use `\\.` if you have a `.` in the key.
+
++The following path components are invalid and results in `undefined` being returned: `__proto__`, `prototype`, `constructor`.
++
+ #### value
+
+ Type: `any`
+--- a/test.js
++++ b/test.js
+@@ -193,3 +193,10 @@
+ t.is(m.has({'foo.baz': {bar: true}}, 'foo\\.baz.bar'), true);
+ t.is(m.has({'fo.ob.az': {bar: true}}, 'fo\\.ob\\.az.bar'), true);
+ });
++
++test('prevent setting/getting `__proto__`', t => {
++ dotProp.set({}, '__proto__.unicorn', 'x');
++ t.not({}.unicorn, 'x'); // eslint-disable-line no-use-extend-native/no-use-extend-native
++
++ t.is(dotProp.get({}, '__proto__'), undefined);
++});
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..3100f1e
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2020-8116.diff
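Review bot: The guard added after `const pathArr = getPathSegments(path);` in the nested index.js hunks `@@ -26,6 +37,9 @@`, `@@ -57,6 +71,9 @@` and `@@ -79,6 +96,9 @@` reads `pathArray.length`, but the variable declared on the preceding context line is `pathArr`; unless `pathArray` is defined somewhere the patch does not show, every call into those three functions would throw a ReferenceError before reaching the loop, which does block the pollution but also breaks the module for every legitimate path. The upstream commit appears to have been written against a later index.js in which the local had been renamed, so the backport should use the name that is actually in scope here: `if (pathArr.length === 0) {` in all three places. The enclosing functions start and end outside the nested hunks, so it is not visible from here whether a bare `return;` in the getter also discards a caller-supplied default value rather than returning it as the readme text promises. The added test in test.js calls `dotProp.set({}, '__proto__.unicorn', 'x')` and would surface the ReferenceError if the suite runs during the package build, so a failing build is the expected symptom of this slip.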