Patch bundled glob-parent

2023-03-21 11:12:35 +01:00 · 2023-03-21 11:12:35 +01:00 · 1a2fb39542
commit 1a2fb39542
parent 2b37f5abff
2 changed files with 71 additions and 2 deletions
--- a/0001-deps-glob-parent-Resolve-ReDoS-vulnerability-from-CV.patch
+++ b/0001-deps-glob-parent-Resolve-ReDoS-vulnerability-from-CV.patch
@ -0,0 +1,63 @@
+From 62287c7af3aabd73db9bd1057c4c6cfcb5f3f67b Mon Sep 17 00:00:00 2001
+From: Takayuki Sato <sttk.xslet@gmail.com>
+Date: Tue, 20 Jul 2021 14:46:33 +0900
+Subject: [PATCH] deps(glob-parent): Resolve ReDoS vulnerability from
+ CVE-2021-35065 (#49)
+
+Signed-off-by: rpm-build <rpm-build>
+---
+ node_modules/glob-parent/index.js | 27 +++++++++++++++++++++++++--
+ 1 file changed, 25 insertions(+), 2 deletions(-)
+
+diff --git a/node_modules/glob-parent/index.js b/node_modules/glob-parent/index.js
+index 09e257e..b182190 100644
+--- a/node_modules/glob-parent/index.js
+++ b/node_modules/glob-parent/index.js
+@@ -6,7 +6,6 @@ var isWin32 = require('os').platform() === 'win32';
+ 
+ var slash = '/';
+ var backslash = /\\/g;
+-var enclosure = /[\{\[].*[\}\]]$/;
+ var globby = /(^|[^\\])([\{\[]|\([^\)]+$)/;
+ var escaped = /\\([\!\*\?\|\[\]\(\)\{\}])/g;
+ 
+@@ -25,7 +24,7 @@ module.exports = function globParent(str, opts) {
+   }
+ 
+   // special case for strings ending in enclosure containing path separator
+-  if (enclosure.test(str)) {
+  if (isEnclosure(str)) {
+     str += slash;
+   }
+ 
+@@ -40,3 +39,27 @@ module.exports = function globParent(str, opts) {
+   // remove escape chars and return result
+   return str.replace(escaped, '$1');
+ };
+
+
+function isEnclosure(str) {
+  var lastChar = str.slice(-1)
+
+  var enclosureStart;
+  switch (lastChar) {
+    case '}':
+      enclosureStart = '{';
+      break;
+    case ']':
+      enclosureStart = '[';
+      break;
+    default:
+      return false;
+  }
+
+  var foundIndex = str.indexOf(enclosureStart);
+  if (foundIndex < 0) {
+    return false;
+  }
+
+  return str.slice(foundIndex + 1, -1).includes(slash);
+}
+-- 
+2.39.2
+
--- a/nodejs-nodemon.spec
+++ b/nodejs-nodemon.spec
@ -6,12 +6,14 @@

 Name:          nodejs-%{npm_name}
 Version:       2.0.20
-Release:       1%{?dist}
+Release:       2%{?dist}
 Summary:       Simple monitor script for use during development of a node.js app
 License:       MIT
 URL:           https://www.npmjs.com/package/nodemon
 Source0:       %{npm_name}-v%{version}-bundled.tar.gz

+Patch1:        0001-deps-glob-parent-Resolve-ReDoS-vulnerability-from-CV.patch
+
 BuildRequires: nodejs-devel
 BuildRequires: nodejs-packaging
 BuildRequires: npm
@ -47,7 +49,7 @@ replacement wrapper for node, think of it as replacing the word "node"
 on the command line when you run your script.

 %prep
-%setup -q -n package
+%autosetup -p1 -n package

 %build

@ -73,6 +75,10 @@ npm run test
 %{_bindir}/nodemon

 %changelog
+* Mon Mar 20 2023 Zuzana Svetlikova <zsvetlik@redhat.com> - 2.0.20-2
+- Patch bundled glob-parent
+- Resolves: CVE-2021-35065
+
 * Wed Nov 09 2022 Jan Staněk <jstanek@redhat.com> - 2.0.20-1
 - Rebase to 2.0.20
  Resolves: CVE-2022-3517