Patch bundled glob-parent
This commit is contained in:
Zuzana Svetlikova
parent
d6910dcea7
commit
7271ac2e79
@ -0,0 +1,63 @@
|
||||
From 62287c7af3aabd73db9bd1057c4c6cfcb5f3f67b Mon Sep 17 00:00:00 2001
|
||||
From: Takayuki Sato <sttk.xslet@gmail.com>
|
||||
Date: Tue, 20 Jul 2021 14:46:33 +0900
|
||||
Subject: [PATCH] deps(glob-parent): Resolve ReDoS vulnerability from
|
||||
CVE-2021-35065 (#49)
|
||||
|
||||
Signed-off-by: rpm-build <rpm-build>
|
||||
---
|
||||
node_modules/glob-parent/index.js | 27 +++++++++++++++++++++++++--
|
||||
1 file changed, 25 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/node_modules/glob-parent/index.js b/node_modules/glob-parent/index.js
|
||||
index 09e257e..b182190 100644
|
||||
--- a/node_modules/glob-parent/index.js
|
||||
+++ b/node_modules/glob-parent/index.js
|
||||
@@ -6,7 +6,6 @@ var isWin32 = require('os').platform() === 'win32';
|
||||
|
||||
var slash = '/';
|
||||
var backslash = /\\/g;
|
||||
-var enclosure = /[\{\[].*[\}\]]$/;
|
||||
var globby = /(^|[^\\])([\{\[]|\([^\)]+$)/;
|
||||
var escaped = /\\([\!\*\?\|\[\]\(\)\{\}])/g;
|
||||
|
||||
@@ -25,7 +24,7 @@ module.exports = function globParent(str, opts) {
|
||||
}
|
||||
|
||||
// special case for strings ending in enclosure containing path separator
|
||||
- if (enclosure.test(str)) {
|
||||
+ if (isEnclosure(str)) {
|
||||
str += slash;
|
||||
}
|
||||
|
||||
@@ -40,3 +39,27 @@ module.exports = function globParent(str, opts) {
|
||||
// remove escape chars and return result
|
||||
return str.replace(escaped, '$1');
|
||||
};
|
||||
+
|
||||
+
|
||||
+function isEnclosure(str) {
|
||||
+ var lastChar = str.slice(-1)
|
||||
+
|
||||
+ var enclosureStart;
|
||||
+ switch (lastChar) {
|
||||
+ case '}':
|
||||
+ enclosureStart = '{';
|
||||
+ break;
|
||||
+ case ']':
|
||||
+ enclosureStart = '[';
|
||||
+ break;
|
||||
+ default:
|
||||
+ return false;
|
||||
+ }
|
||||
+
|
||||
+ var foundIndex = str.indexOf(enclosureStart);
|
||||
+ if (foundIndex < 0) {
|
||||
+ return false;
|
||||
+ }
|
||||
+
|
||||
+ return str.slice(foundIndex + 1, -1).includes(slash);
|
||||
+}
|
||||
--
|
||||
2.39.2
|
||||
|
||||
@ -1,17 +1,19 @@
|
||||
%{?nodejs_find_provides_and_requires}
|
||||
%global npm_name nodemon
|
||||
|
||||
# Disable until dependencies are bundled
|
||||
# Disable until dependencies are met
|
||||
%global enable_tests 0
|
||||
|
||||
Name: nodejs-%{npm_name}
|
||||
Version: 2.0.20
|
||||
Release: 2%{?dist}
|
||||
Release: 3%{?dist}
|
||||
Summary: Simple monitor script for use during development of a node.js app
|
||||
License: MIT
|
||||
URL: https://github.com/remy/nodemon
|
||||
URL: https://www.npmjs.com/package/nodemon
|
||||
Source0: %{npm_name}-v%{version}-bundled.tar.gz
|
||||
|
||||
Patch1: 0001-deps-glob-parent-Resolve-ReDoS-vulnerability-from-CV.patch
|
||||
|
||||
BuildRequires: nodejs-devel
|
||||
BuildRequires: nodejs-packaging
|
||||
BuildRequires: npm
|
||||
@ -35,7 +37,7 @@ replacement wrapper for node, think of it as replacing the word "node"
|
||||
on the command line when you run your script.
|
||||
|
||||
%prep
|
||||
%autosetup -n %{npm_name}-%{version}
|
||||
%autosetup -p1 -n package
|
||||
|
||||
%build
|
||||
|
||||
@ -44,14 +46,11 @@ on the command line when you run your script.
|
||||
|
||||
%install
|
||||
mkdir -p %{buildroot}%{nodejs_sitelib}/%{npm_name}
|
||||
cp -pr doc bin lib package.json website node_modules %{buildroot}%{nodejs_sitelib}/%{npm_name}
|
||||
cp -pr doc bin lib package.json node_modules %{buildroot}%{nodejs_sitelib}/%{npm_name}
|
||||
|
||||
mkdir -p %{buildroot}%{_bindir}
|
||||
ln -sf %{nodejs_sitelib}/%{npm_name}/bin/nodemon.js %{buildroot}%{_bindir}/nodemon
|
||||
|
||||
|
||||
#%%nodejs_symlink_deps
|
||||
|
||||
%if 0%{?enable_tests}
|
||||
%check
|
||||
%nodejs_symlink_deps --check
|
||||
@ -59,11 +58,15 @@ npm run test
|
||||
%endif
|
||||
|
||||
%files
|
||||
%doc CODE_OF_CONDUCT.md doc faq.md README.md
|
||||
%doc doc README.md
|
||||
%{nodejs_sitelib}/%{npm_name}
|
||||
%{_bindir}/nodemon
|
||||
|
||||
%changelog
|
||||
* Mon Mar 27 2023 Zuzana Svetlikova <zsvetlik@redhat.com> - 2.0.20-3
|
||||
- Patch bundled glob-parent
|
||||
- Resolves: CVE-2021-35065
|
||||
|
||||
* Thu Dec 08 2022 Zuzana Svetlikova <zsvetlik@redhat.com> - 2.0.20-2
|
||||
- Record CVE fixed in the current or previous upstream versions
|
||||
- Resolves: CVE-2021-44906
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
#!/bin/sh
|
||||
|
||||
version=$(rpm -q --specfile --qf='%{version}\n' nodejs-nodemon.spec | head -n1)
|
||||
wget https://github.com/remy/nodemon/archive/v$version.tar.gz
|
||||
tar -zxf v$version.tar.gz
|
||||
cd nodemon-$version
|
||||
npm install --production && cd .. && tar -zcf nodemon-v$version-bundled.tar.gz nodemon-$version
|
||||
wget https://registry.npmjs.org/nodemon/-/nodemon-$version.tgz
|
||||
tar -zxf nodemon-$version.tgz
|
||||
cd package
|
||||
npm install --production && rm -rf Dockerfile && cd .. && tar -zcf nodemon-v$version-bundled.tar.gz package
|
||||
|
||||
2
sources
2
sources
@ -1 +1 @@
|
||||
SHA512 (nodemon-v2.0.20-bundled.tar.gz) = 51f71b6341dba1d6c6b02c1e44bb1aa0c8bcb43ef7319073e471884ca6b309696dc0134089f6e3a7a81999cd7da9cf89e7739a1f547d4ab45fba98bccc23256c
|
||||
SHA512 (nodemon-v2.0.20-bundled.tar.gz) = 283399e33bd3467d64024e0b8568e75f520aa7bf7d615c06b154911e7edf890f7cf05c226b95d49c3066fb94e8f46e1ada7e052eae4c7ed1402552c0181ea849
|
||||
|
||||
Loading…
Reference in New Issue
Block a user