rpms/nodejs-nodemon
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Patch bundled glob-parent

Browse Source
This commit is contained in:
Jan Staněk 2023-02-27 15:49:54 +01:00
parent 05227e95c6
commit 0cca7149ea
No known key found for this signature in database
GPG Key ID: 2972F2037B243B6D
2 changed files with 71 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

63
0001-deps-glob-parent-Resolve-ReDoS-vulnerability-from-CV.patch Normal file
View File

@ -0,0 +1,63 @@
From 62287c7af3aabd73db9bd1057c4c6cfcb5f3f67b Mon Sep 17 00:00:00 2001
From: Takayuki Sato <sttk.xslet@gmail.com>
Date: Tue, 20 Jul 2021 14:46:33 +0900
Subject: [PATCH] deps(glob-parent): Resolve ReDoS vulnerability from
CVE-2021-35065 (#49)
Signed-off-by: rpm-build <rpm-build>
---
node_modules/glob-parent/index.js | 27 +++++++++++++++++++++++++--
1 file changed, 25 insertions(+), 2 deletions(-)
diff --git a/node_modules/glob-parent/index.js b/node_modules/glob-parent/index.js
index 09e257e..b182190 100644
--- a/node_modules/glob-parent/index.js
+++ b/node_modules/glob-parent/index.js
@@ -6,7 +6,6 @@ var isWin32 = require('os').platform() === 'win32';
var slash = '/';
var backslash = /\\/g;
-var enclosure = /[\{\[].*[\}\]]$/;
var globby = /(^|[^\\])([\{\[]|\([^\)]+$)/;
var escaped = /\\([\!\*\?\|\[\]\(\)\{\}])/g;
@@ -25,7 +24,7 @@ module.exports = function globParent(str, opts) {
}
// special case for strings ending in enclosure containing path separator
- if (enclosure.test(str)) {
+ if (isEnclosure(str)) {
str += slash;
}
@@ -40,3 +39,27 @@ module.exports = function globParent(str, opts) {
// remove escape chars and return result
return str.replace(escaped, '$1');
};
+
+
+function isEnclosure(str) {
+ var lastChar = str.slice(-1)
+
+ var enclosureStart;
+ switch (lastChar) {
+ case '}':
+ enclosureStart = '{';
+ break;
+ case ']':
+ enclosureStart = '[';
+ break;
+ default:
+ return false;
+ }
+
+ var foundIndex = str.indexOf(enclosureStart);
+ if (foundIndex < 0) {
+ return false;
+ }
+
+ return str.slice(foundIndex + 1, -1).includes(slash);
+}
--
2.39.2

10
nodejs-nodemon.spec
View File

@ -6,12 +6,14 @@
Name: nodejs-%{npm_name} Name: nodejs-%{npm_name}
Version: 2.0.20 Version: 2.0.20
Release: 2%{?dist} Release: 3%{?dist}
Summary: Simple monitor script for use during development of a node.js app Summary: Simple monitor script for use during development of a node.js app
License: MIT License: MIT
URL: https://www.npmjs.com/package/nodemon URL: https://www.npmjs.com/package/nodemon
Source0: %{npm_name}-v%{version}-bundled.tar.gz Source0: %{npm_name}-v%{version}-bundled.tar.gz
Patch1: 0001-deps-glob-parent-Resolve-ReDoS-vulnerability-from-CV.patch
BuildRequires: nodejs-devel BuildRequires: nodejs-devel
BuildRequires: nodejs-packaging BuildRequires: nodejs-packaging
BuildRequires: npm BuildRequires: npm
@ -47,7 +49,7 @@ replacement wrapper for node, think of it as replacing the word "node"
on the command line when you run your script. on the command line when you run your script.
%prep %prep
%setup -q -n package %autosetup -p1 -n package
%build %build
@ -73,6 +75,10 @@ npm run test
%{_bindir}/nodemon %{_bindir}/nodemon
%changelog %changelog
* Mon Feb 27 2023 Jan Staněk <jstanek@redhat.com> - 2.0.20-3
- Patch bundled glob-parent
Resolves: CVE-2021-35065
* Fri Dec 02 2022 Jan Staněk <jstanek@redhat.com> - 2.0.20-1 * Fri Dec 02 2022 Jan Staněk <jstanek@redhat.com> - 2.0.20-1
- Record CVE fixed in the current or previous upstream versions - Record CVE fixed in the current or previous upstream versions
Resolves: CVE-2021-44906 Resolves: CVE-2021-44906