From 61cbc8f25afbd804f6acaa5ffe22f98a5cbcc5fd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= Date: Wed, 3 Apr 2024 16:37:43 +0200 Subject: [PATCH] Update to version 6.11.1 Fixes CVE-2024-24750, CVE-2024-30260, and CVE-2024-30261. Resolves: RHEL-32207 RHEL-31865 RHEL-31864 --- ...w-customization-of-build-environment.patch | 123 -------------- ...-for-externally-shared-js-builtins-2.patch | 155 ------------------ ...-chore-refine-esbuild-node-detection.patch | 58 ------- nodejs-undici.spec | 11 +- sources | 8 +- undici-sources.sh | 5 +- 6 files changed, 13 insertions(+), 347 deletions(-) delete mode 100644 0001-feat-allow-customization-of-build-environment.patch delete mode 100644 0002-Support-building-for-externally-shared-js-builtins-2.patch delete mode 100644 0002-chore-refine-esbuild-node-detection.patch diff --git a/0001-feat-allow-customization-of-build-environment.patch b/0001-feat-allow-customization-of-build-environment.patch deleted file mode 100644 index 63e013e..0000000 --- a/0001-feat-allow-customization-of-build-environment.patch +++ /dev/null 
@@ -1,123 +0,0 @@ -From 9dfb61b331b09552250cea7268fc632335816661 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= -Date: Thu, 2 Nov 2023 15:09:10 +0100 -Subject: [PATCH] feat: allow customization of build environment -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This allows for the WASM artifacts to be built elsewhere than only in -the alpine-based node container. - -Signed-off-by: Jan Staněk ---- - build/wasm.js | 72 +++++++++++++++++++++------------------------------ - 1 file changed, 29 insertions(+), 43 deletions(-) - -diff --git a/build/wasm.js b/build/wasm.js -index fd90ac26..2b63f3c7 100644 ---- a/build/wasm.js -+++ b/build/wasm.js -@@ -9,6 +9,18 @@ const WASM_SRC = resolve(__dirname, '../deps/llhttp') - const WASM_OUT = resolve(__dirname, '../lib/llhttp') - const DOCKERFILE = resolve(__dirname, './Dockerfile') - -+// These are defined by build environment -+const WASM_CC = process.env.WASM_CC || 'clang' -+let WASM_CFLAGS = process.env.WASM_CFLAGS || '--sysroot=/usr/share/wasi-sysroot -target wasm32-unknown-wasi' -+let WASM_LDFLAGS = process.env.WASM_LDFLAGS || '' -+const WASM_LDLIBS = process.env.WASM_LDLIBS || '' -+ -+// These are relevant for undici and should not be overridden -+WASM_CFLAGS += ' -Ofast -fno-exceptions -fvisibility=hidden -mexec-model=reactor' -+WASM_LDFLAGS += ' -Wl,-error-limit=0 -Wl,-O3 -Wl,--lto-O3 -Wl,--strip-all' -+WASM_LDFLAGS += ' -Wl,--allow-undefined -Wl,--export-dynamic -Wl,--export-table' -+WASM_LDFLAGS += ' -Wl,--export=malloc -Wl,--export=free -Wl,--no-entry' -+ - let platform = process.env.WASM_PLATFORM - if (!platform && process.argv[2]) { - platform = execSync('docker info -f "{{.OSType}}/{{.Architecture}}"').toString().trim() -@@ -35,35 +47,25 @@ if (process.argv[2] === '--docker') { - process.exit(0) - } - --// Gather information about the tools used for the build --const buildInfo = execSync('apk info -v').toString() --if (!buildInfo.includes('wasi-sdk')) { 
-- console.log('Failed to generate build environment information') -- process.exit(-1) -+const hasApk = (function () { -+ try { execSync('command -v apk'); return true } catch (error) { return false } -+})() -+if (hasApk) { -+ // Gather information about the tools used for the build -+ const buildInfo = execSync('apk info -v').toString() -+ if (!buildInfo.includes('wasi-sdk')) { -+ console.log('Failed to generate build environment information') -+ process.exit(-1) -+ } -+ writeFileSync(join(WASM_OUT, 'wasm_build_env.txt'), buildInfo) - } --writeFileSync(join(WASM_OUT, 'wasm_build_env.txt'), buildInfo) - - // Build wasm binary --execSync(`clang \ -- --sysroot=/usr/share/wasi-sysroot \ -- -target wasm32-unknown-wasi \ -- -Ofast \ -- -fno-exceptions \ -- -fvisibility=hidden \ -- -mexec-model=reactor \ -- -Wl,-error-limit=0 \ -- -Wl,-O3 \ -- -Wl,--lto-O3 \ -- -Wl,--strip-all \ -- -Wl,--allow-undefined \ -- -Wl,--export-dynamic \ -- -Wl,--export-table \ -- -Wl,--export=malloc \ -- -Wl,--export=free \ -- -Wl,--no-entry \ -+execSync(`${WASM_CC} ${WASM_CFLAGS} ${WASM_LDFLAGS} \ - ${join(WASM_SRC, 'src')}/*.c \ - -I${join(WASM_SRC, 'include')} \ -- -o ${join(WASM_OUT, 'llhttp.wasm')}`, { stdio: 'inherit' }) -+ -o ${join(WASM_OUT, 'llhttp.wasm')} \ -+ ${WASM_LDLIBS}`, { stdio: 'inherit' }) - - const base64Wasm = readFileSync(join(WASM_OUT, 'llhttp.wasm')).toString('base64') - writeFileSync( -@@ -72,27 +74,11 @@ writeFileSync( - ) - - // Build wasm simd binary --execSync(`clang \ -- --sysroot=/usr/share/wasi-sysroot \ -- -target wasm32-unknown-wasi \ -- -msimd128 \ -- -Ofast \ -- -fno-exceptions \ -- -fvisibility=hidden \ -- -mexec-model=reactor \ -- -Wl,-error-limit=0 \ -- -Wl,-O3 \ -- -Wl,--lto-O3 \ -- -Wl,--strip-all \ -- -Wl,--allow-undefined \ -- -Wl,--export-dynamic \ -- -Wl,--export-table \ -- -Wl,--export=malloc \ -- -Wl,--export=free \ -- -Wl,--no-entry \ -+execSync(`${WASM_CC} ${WASM_CFLAGS} -msimd128 ${WASM_LDFLAGS} \ - ${join(WASM_SRC, 'src')}/*.c \ - 
-I${join(WASM_SRC, 'include')} \ -- -o ${join(WASM_OUT, 'llhttp_simd.wasm')}`, { stdio: 'inherit' }) -+ -o ${join(WASM_OUT, 'llhttp_simd.wasm')} \ -+ ${WASM_LDLIBS}`, { stdio: 'inherit' }) - - const base64WasmSimd = readFileSync(join(WASM_OUT, 'llhttp_simd.wasm')).toString('base64') - writeFileSync( --- -2.41.0 - diff --git a/0002-Support-building-for-externally-shared-js-builtins-2.patch b/0002-Support-building-for-externally-shared-js-builtins-2.patch deleted file mode 100644 index 94608d0..0000000 --- a/0002-Support-building-for-externally-shared-js-builtins-2.patch +++ /dev/null 
@@ -1,155 +0,0 @@ -From 834aec2a4fba9d4b734862530f465dcf90a998bb Mon Sep 17 00:00:00 2001 -From: Zephyr Lykos -Date: Sun, 28 Jan 2024 18:50:22 +0800 -Subject: [PATCH] Support building for externally shared js builtins (#2643) - -Signed-off-by: rpm-build ---- - CONTRIBUTING.md | 10 ++++++++++ - build/wasm.js | 41 ++++++++++++++++++++++++++++++----------- - lib/client.js | 4 ++-- - package.json | 1 + - 4 files changed, 43 insertions(+), 13 deletions(-) - -diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md -index 3a7f3ff..7a91026 100644 ---- a/CONTRIBUTING.md -+++ b/CONTRIBUTING.md -@@ -6,6 +6,7 @@ - * [Test](#test) - * [Coverage](#coverage) - * [Update `WPTs`](#update-wpts) -+ * [Building for externally shared node builtins](#external-builds) - * [Developer's Certificate of Origin 1.1](#developers-certificate-of-origin) - * [Moderation Policy](#moderation-policy) - -@@ -165,6 +166,15 @@ npm run test - npm run coverage - ``` - -+ -+### Building for externally shared node builtins -+ -+If you are packaging `undici` for a distro, this might help if you would like to use -+an unbundled version instead of bundling one in `libnode.so`. -+ -+To enable this, pass `EXTERNAL_PATH=/path/to/global/node_modules/undici` to `build/wasm.js`. -+You shall also pass this path to `--shared-builtin-undici/undici-path` in Node.js's `configure.py`. 
-+ - - ## Developer's Certificate of Origin 1.1 - -diff --git a/build/wasm.js b/build/wasm.js -index 2b63f3c..1104cfe 100644 ---- a/build/wasm.js -+++ b/build/wasm.js -@@ -2,7 +2,7 @@ - - const { execSync } = require('child_process') - const { writeFileSync, readFileSync } = require('fs') --const { join, resolve } = require('path') -+const { join, resolve, basename } = require('path') - - const ROOT = resolve(__dirname, '../') - const WASM_SRC = resolve(__dirname, '../deps/llhttp') -@@ -15,6 +15,8 @@ let WASM_CFLAGS = process.env.WASM_CFLAGS || '--sysroot=/usr/share/wasi-sysroot - let WASM_LDFLAGS = process.env.WASM_LDFLAGS || '' - const WASM_LDLIBS = process.env.WASM_LDLIBS || '' - -+const EXTERNAL_PATH = process.env.EXTERNAL_PATH -+ - // These are relevant for undici and should not be overridden - WASM_CFLAGS += ' -Ofast -fno-exceptions -fvisibility=hidden -mexec-model=reactor' - WASM_LDFLAGS += ' -Wl,-error-limit=0 -Wl,-O3 -Wl,--lto-O3 -Wl,--strip-all' -@@ -60,6 +62,23 @@ if (hasApk) { - writeFileSync(join(WASM_OUT, 'wasm_build_env.txt'), buildInfo) - } - -+const writeWasmChunk = EXTERNAL_PATH -+ ? 
(path, dest) => { -+ const base64 = readFileSync(join(WASM_OUT, path)).toString('base64') -+ writeFileSync(join(WASM_OUT, dest), ` -+const { Buffer } = require('node:buffer') -+ -+module.exports = Buffer.from('${base64}', 'base64') -+`) -+ } -+ : (path, dest) => { -+ writeFileSync(join(WASM_OUT, dest), ` -+const { fs } = require('node:fs') -+ -+module.exports = fs.readFileSync(require.resolve('./${basename(path)}')) -+`) -+ } -+ - // Build wasm binary - execSync(`${WASM_CC} ${WASM_CFLAGS} ${WASM_LDFLAGS} \ - ${join(WASM_SRC, 'src')}/*.c \ -@@ -67,11 +86,7 @@ execSync(`${WASM_CC} ${WASM_CFLAGS} ${WASM_LDFLAGS} \ - -o ${join(WASM_OUT, 'llhttp.wasm')} \ - ${WASM_LDLIBS}`, { stdio: 'inherit' }) - --const base64Wasm = readFileSync(join(WASM_OUT, 'llhttp.wasm')).toString('base64') --writeFileSync( -- join(WASM_OUT, 'llhttp-wasm.js'), -- `module.exports = '${base64Wasm}'\n` --) -+writeWasmChunk('llhttp.wasm', 'llhttp-wasm.js') - - // Build wasm simd binary - execSync(`${WASM_CC} ${WASM_CFLAGS} -msimd128 ${WASM_LDFLAGS} \ -@@ -80,8 +95,12 @@ execSync(`${WASM_CC} ${WASM_CFLAGS} -msimd128 ${WASM_LDFLAGS} \ - -o ${join(WASM_OUT, 'llhttp_simd.wasm')} \ - ${WASM_LDLIBS}`, { stdio: 'inherit' }) - --const base64WasmSimd = readFileSync(join(WASM_OUT, 'llhttp_simd.wasm')).toString('base64') --writeFileSync( -- join(WASM_OUT, 'llhttp_simd-wasm.js'), -- `module.exports = '${base64WasmSimd}'\n` --) -+writeWasmChunk('llhttp_simd.wasm', 'llhttp_simd-wasm.js') -+ -+if (EXTERNAL_PATH) { -+ writeFileSync(join(ROOT, 'loader.js'), ` -+'use strict' -+ -+module.exports = require('node:module').createRequire('${EXTERNAL_PATH}/loader.js')('./index-fetch.js') -+`) -+} -diff --git a/lib/client.js b/lib/client.js -index 22cb390..12798ac 100644 ---- a/lib/client.js -+++ b/lib/client.js -@@ -493,7 +493,7 @@ async function lazyllhttp () { - - let mod - try { -- mod = await WebAssembly.compile(Buffer.from(require('./llhttp/llhttp_simd-wasm.js'), 'base64')) -+ mod = await 
WebAssembly.compile(require('./llhttp/llhttp_simd-wasm.js')) - } catch (e) { - /* istanbul ignore next */ - -@@ -501,7 +501,7 @@ async function lazyllhttp () { - // being enabled, but the occurring of this other error - // * https://github.com/emscripten-core/emscripten/issues/11495 - // got me to remove that check to avoid breaking Node 12. -- mod = await WebAssembly.compile(Buffer.from(llhttpWasmData || require('./llhttp/llhttp-wasm.js'), 'base64')) -+ mod = await WebAssembly.compile(llhttpWasmData || require('./llhttp/llhttp-wasm.js')) - } - - return await WebAssembly.instantiate(mod, { -diff --git a/package.json b/package.json -index 68ee4da..140e852 100644 ---- a/package.json -+++ b/package.json -@@ -65,6 +65,7 @@ - "*.d.ts", - "index.js", - "index-fetch.js", -+ "loader.js", - "lib", - "types", - "docs" --- -2.43.0 - diff --git a/0002-chore-refine-esbuild-node-detection.patch b/0002-chore-refine-esbuild-node-detection.patch deleted file mode 100644 index c72e61c..0000000 --- a/0002-chore-refine-esbuild-node-detection.patch +++ /dev/null 
@@ -1,58 +0,0 @@ -From b285b94aa4a9f4a03524a3af71865666b4683e6d Mon Sep 17 00:00:00 2001 -From: Zephyr Lykos -Date: Wed, 31 Jan 2024 15:26:16 +0800 -Subject: [PATCH] chore: refine esbuild & node detection - -When using the loader for external builtins, `esbuildDetection` is -undefined. This commit defines `__UNDICI_IS_NODE__` on `globalThis` -in the loader and deletes it after loading Undici. `esbuildDetection` -has also been extracted as a variable at the top level of the module, -to support deleting `__UNDICI_IS_NODE__` on `globalThis` to avoid -polluting the global namespace. ---- - build/wasm.js | 2 ++ - lib/fetch/index.js | 8 ++++++-- - 2 files changed, 8 insertions(+), 2 deletions(-) - -diff --git a/build/wasm.js b/build/wasm.js -index 1104cfec..cd227256 100644 ---- a/build/wasm.js -+++ b/build/wasm.js -@@ -101,6 +101,8 @@ if (EXTERNAL_PATH) { - writeFileSync(join(ROOT, 'loader.js'), ` - 'use strict' - -+globalThis.__UNDICI_IS_NODE__ = true - module.exports = require('node:module').createRequire('${EXTERNAL_PATH}/loader.js')('./index-fetch.js') -+delete globalThis.__UNDICI_IS_NODE__ - `) - } -diff --git a/lib/fetch/index.js b/lib/fetch/index.js -index dea20696..52129884 100644 ---- a/lib/fetch/index.js -+++ b/lib/fetch/index.js -@@ -64,6 +64,10 @@ const { webidl } = require('./webidl') - const { STATUS_CODES } = require('http') - const GET_OR_HEAD = ['GET', 'HEAD'] - -+const defaultUserAgent = typeof __UNDICI_IS_NODE__ !== 'undefined' || typeof esbuildDetection !== 'undefined' -+ ? 'node' -+ : 'undici' -+ - /** @type {import('buffer').resolveObjectURL} */ - let resolveObjectURL - let ReadableStream = globalThis.ReadableStream -@@ -1352,8 +1356,8 @@ async function httpNetworkOrCacheFetch ( - // 14. If httpRequest’s header list does not contain `User-Agent`, then - // user agents should append `User-Agent`/default `User-Agent` value to - // httpRequest’s header list. 
-- if (!httpRequest.headersList.contains('user-agent')) { -- httpRequest.headersList.append('user-agent', typeof esbuildDetection === 'undefined' ? 'undici' : 'node') -+ if (!httpRequest.headersList.contains('user-agent', true)) { -+ httpRequest.headersList.append('user-agent', defaultUserAgent) - } - - // 15. If httpRequest’s cache mode is "default" and httpRequest’s header --- -2.43.0 -
diff --git a/nodejs-undici.spec b/nodejs-undici.spec
index e68b77d..12dde2d 100644
--- a/nodejs-undici.spec
+++ b/nodejs-undici.spec
@@ -6,7 +6,7 @@ Name: nodejs-%{npm_name}
 Summary: An HTTP/1.1 client, written from scratch for Node.js
-Version: 5.28.3
+Version: 6.11.1
 Release: %autorelease
 License: MIT
@@ -18,11 +18,6 @@ Source2: %{npm_name}-%{version}-nm-dev.tgz
 Source3: %{npm_name}-%{version}-bundled-licenses.txt
 Source4: %{npm_name}-sources.sh
-# Upstream proposal: https://github.com/nodejs/undici/pull/2403
-Patch0: 0001-feat-allow-customization-of-build-environment.patch
-Patch1: 0002-Support-building-for-externally-shared-js-builtins-2.patch
-Patch2: 0002-chore-refine-esbuild-node-detection.patch
-
 # Binary artifacts in this package are aimed at the wasm32-wasi "architecture".
 %global _binaries_in_noarch_packages_terminate_build 0
 BuildArch: noarch
@@ -73,6 +68,10 @@ mkdir -p %{buildroot}%{nodejs_sitelib}/%{npm_name}
 tar -C %{buildroot}%{nodejs_sitelib}/%{npm_name} -xzf %{npm_name}-%{version}.tgz --strip-components=1
 cp -prt %{buildroot}%{nodejs_sitelib}/%{npm_name} node_modules_prod node_modules
+# Built (WASM) files are no longer packaged with npm pack
+install -p -Dt %{buildroot}%{nodejs_sitelib}/%{npm_name}/lib/llhttp/ lib/llhttp/*.wasm lib/llhttp/*.js
+install -p -Dt %{buildroot}%{nodejs_sitelib}/%{npm_name}/ loader.js
+
 %check
 %{__nodejs} -e 'require("./")'
diff --git a/sources b/sources
index d8d7149..a4d405b 100644
--- a/sources
+++ b/sources
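Review bot: The two `install` lines added in the `@@ -73,6 +68,10 @@` hunk of nodejs-undici.spec are not covered by the `%check` that follows them, because `%{__nodejs} -e 'require("./")'` loads the build tree rather than what was copied into `%{buildroot}`. A security update that installs without the rebuilt `lib/llhttp/*.wasm` or `loader.js` in the right place would therefore still pass the check. Consider also loading the installed copy, for example `%{__nodejs} -e 'require("%{buildroot}%{nodejs_sitelib}/%{npm_name}")'`, assuming the bundled `node_modules` resolve from there. It would also help to extend the comment to say which build step produces `loader.js`, since the patches that documented it are dropped in this commit and the `%build` section is outside the hunk.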
@@ -1,4 +1,4 @@
-SHA512 (undici-5.28.3-stripped.tar.gz) = 8ac2c4737694760d6ef42f807ffa6ea84970bfd45a352f88b04b2d4453aca63060d01b8fd07bc34dcf6ec57979be5e499bb1d874f1f5b7de22bf01f518d273d2
-SHA512 (undici-5.28.3-nm-prod.tgz) = 2cf834e47f9a30b961ba736c9db687d5840659af04521dca9e07ede8233ab6b2383180b175549aca5ce060e4f7d0fb57fe9ada010a65f0ce1c67eae0c6fe5ccc
-SHA512 (undici-5.28.3-nm-dev.tgz) = fb00684428f0a71b5cd4350baec98425cf48b78b6ca26b89ecf29b5c9313a119612adb10b06845be898484e4ec0515c791f189af4986e61a276e3ad9cf27ab2b
-SHA512 (undici-5.28.3-bundled-licenses.txt) = 3e591adb16e09b1c6fb75eb97a6ac51cd06e0aeae2bd5950a15902346e2c9626cb50203bfd0e15c7e8c98af8f24b81c1ce6617c359e7c0e7d0a6366457c844ba
+SHA512 (undici-6.11.1-stripped.tar.gz) = 851d95aa77e8ce2c4c7dd73be5989b1e235465e9f122a7b685e0e22a4eab0ccd169a0f01f09891234285f1dd04f4e5c9000ccbe8e68a4bad31c7f7dbf4b7c7a7
+SHA512 (undici-6.11.1-nm-prod.tgz) = f119e8d00db1292e5e79010b15dba703cc39f6e93b9b75d54e7bae7fba0d560308e13c9a7e55e61d86d22aaa03d5110311b37adf6b924c0f727b7922222963e4
+SHA512 (undici-6.11.1-nm-dev.tgz) = c2008ac535dd14945ed9f818351a8653ae03bc35f39956ededff2a757d0bb3ca9d269120eb499ef6f3d3f7b729c183b5612cb7a3fcf010072ff0cc68b3357aba
+SHA512 (undici-6.11.1-bundled-licenses.txt) = 3e591adb16e09b1c6fb75eb97a6ac51cd06e0aeae2bd5950a15902346e2c9626cb50203bfd0e15c7e8c98af8f24b81c1ce6617c359e7c0e7d0a6366457c844ba
diff --git a/undici-sources.sh b/undici-sources.sh
index da8e3ec..03f114f 100755
--- a/undici-sources.sh
+++ b/undici-sources.sh
@@ -69,7 +69,6 @@ repackage() {
 readonly repackage_rootdir="${2-undici-v${repackage_version}/}"
 tar -czf "undici-${repackage_version}-stripped.tar.gz" "${repackage_rootdir}"
- rm -rf "${repackage_rootdir}"
 echo "undici-${repackage_version}-stripped.tar.gz"
 }
@@ -112,3 +111,7 @@ ${RPKG} $(test -n "${RELEASE}" && echo --release="${RELEASE}") new-sources $("$O
 "undici-${UNDICI_VERSION}-nm-prod.tgz" \
 "undici-${UNDICI_VERSION}-nm-dev.tgz" \
 "undici-${UNDICI_VERSION}-bundled-licenses.txt"
+
+printf '=== %s ===\n' 'Detecting bundled versions' >&2
+awk '/^#define LLHTTP_VERSION/{print $NF;}' "${rootdir}/deps/llhttp/include/llhttp.h" \
+| xargs printf 'llhttp: %d.%d.%d\n'
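Review bot: The bundled-version probe added at the end of undici-sources.sh can print a wrong llhttp version without failing. The pattern `/^#define LLHTTP_VERSION/` matches every macro with that prefix, so the output depends on `llhttp.h` holding exactly three such lines. If the header is missing or awk matches nothing, `xargs printf 'llhttp: %d.%d.%d\n'` can still run with no arguments and print zeros. This value is presumably what gets used to track the bundled parser against advisories, so match the three macros explicitly, `awk '/^#define LLHTTP_VERSION_(MAJOR|MINOR|PATCH)[[:space:]]/{print $NF}'`, and pipe into `xargs -r printf …` so empty input prints nothing. Whether the script enables `pipefail`, and where `rootdir` is set, is outside this hunk.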