Update to version 6.11.1

Fixes CVE-2024-24750, CVE-2024-30260, and CVE-2024-30261. Resolves: RHEL-32207 RHEL-31865 RHEL-31864
2024-04-03 16:37:43 +02:00 · 2024-04-03 16:37:43 +02:00 · 61cbc8f25a
commit 61cbc8f25a
parent e00662e8cd
6 changed files with 13 additions and 347 deletions
--- a/0001-feat-allow-customization-of-build-environment.patch
+++ b/0001-feat-allow-customization-of-build-environment.patch
@ -1,123 +0,0 @@
 From 9dfb61b331b09552250cea7268fc632335816661 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= <jstanek@redhat.com>
 Date: Thu, 2 Nov 2023 15:09:10 +0100
 Subject: [PATCH] feat: allow customization of build environment
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 This allows for the WASM artifacts to be built elsewhere than only in
 the alpine-based node container.
 Signed-off-by: Jan Staněk <jstanek@redhat.com>
 ---
 build/wasm.js | 72 +++++++++++++++++++++------------------------------
 1 file changed, 29 insertions(+), 43 deletions(-)
 diff --git a/build/wasm.js b/build/wasm.js
 index fd90ac26..2b63f3c7 100644
 --- a/build/wasm.js
 +++ b/build/wasm.js
@@ -9,6 +9,18 @@ const WASM_SRC = resolve(__dirname, '../deps/llhttp')
 const WASM_OUT = resolve(__dirname, '../lib/llhttp')
 const DOCKERFILE = resolve(__dirname, './Dockerfile')
 +// These are defined by build environment
 +const WASM_CC = process.env.WASM_CC || 'clang'
 +let WASM_CFLAGS = process.env.WASM_CFLAGS || '--sysroot=/usr/share/wasi-sysroot -target wasm32-unknown-wasi'
 +let WASM_LDFLAGS = process.env.WASM_LDFLAGS || ''
 +const WASM_LDLIBS = process.env.WASM_LDLIBS || ''
 +
 +// These are relevant for undici and should not be overridden
 +WASM_CFLAGS += ' -Ofast -fno-exceptions -fvisibility=hidden -mexec-model=reactor'
 +WASM_LDFLAGS += ' -Wl,-error-limit=0 -Wl,-O3 -Wl,--lto-O3 -Wl,--strip-all'
 +WASM_LDFLAGS += ' -Wl,--allow-undefined -Wl,--export-dynamic -Wl,--export-table'
 +WASM_LDFLAGS += ' -Wl,--export=malloc -Wl,--export=free -Wl,--no-entry'
 +
 let platform = process.env.WASM_PLATFORM
 if (!platform && process.argv[2]) {
   platform = execSync('docker info -f "{{.OSType}}/{{.Architecture}}"').toString().trim()
@@ -35,35 +47,25 @@ if (process.argv[2] === '--docker') {
   process.exit(0)
 }
 -// Gather information about the tools used for the build
 -const buildInfo = execSync('apk info -v').toString()
 -if (!buildInfo.includes('wasi-sdk')) {
 -  console.log('Failed to generate build environment information')
 -  process.exit(-1)
 +const hasApk = (function () {
 +  try { execSync('command -v apk'); return true } catch (error) { return false }
 +})()
 +if (hasApk) {
 +  // Gather information about the tools used for the build
 +  const buildInfo = execSync('apk info -v').toString()
 +  if (!buildInfo.includes('wasi-sdk')) {
 +    console.log('Failed to generate build environment information')
 +    process.exit(-1)
 +  }
 +  writeFileSync(join(WASM_OUT, 'wasm_build_env.txt'), buildInfo)
 }
 -writeFileSync(join(WASM_OUT, 'wasm_build_env.txt'), buildInfo)
 // Build wasm binary
 -execSync(`clang \
 - --sysroot=/usr/share/wasi-sysroot \
 - -target wasm32-unknown-wasi \
 - -Ofast \
 - -fno-exceptions \
 - -fvisibility=hidden \
 - -mexec-model=reactor \
 - -Wl,-error-limit=0 \
 - -Wl,-O3 \
 - -Wl,--lto-O3 \
 - -Wl,--strip-all \
 - -Wl,--allow-undefined \
 - -Wl,--export-dynamic \
 - -Wl,--export-table \
 - -Wl,--export=malloc \
 - -Wl,--export=free \
 - -Wl,--no-entry \
 +execSync(`${WASM_CC} ${WASM_CFLAGS} ${WASM_LDFLAGS} \
  ${join(WASM_SRC, 'src')}/*.c \
  -I${join(WASM_SRC, 'include')} \
 - -o ${join(WASM_OUT, 'llhttp.wasm')}`, { stdio: 'inherit' })
 + -o ${join(WASM_OUT, 'llhttp.wasm')} \
 + ${WASM_LDLIBS}`, { stdio: 'inherit' })
 const base64Wasm = readFileSync(join(WASM_OUT, 'llhttp.wasm')).toString('base64')
 writeFileSync(
@@ -72,27 +74,11 @@ writeFileSync(
 )
 // Build wasm simd binary
 -execSync(`clang \
 - --sysroot=/usr/share/wasi-sysroot \
 - -target wasm32-unknown-wasi \
 - -msimd128 \
 - -Ofast \
 - -fno-exceptions \
 - -fvisibility=hidden \
 - -mexec-model=reactor \
 - -Wl,-error-limit=0 \
 - -Wl,-O3 \
 - -Wl,--lto-O3 \
 - -Wl,--strip-all \
 - -Wl,--allow-undefined \
 - -Wl,--export-dynamic \
 - -Wl,--export-table \
 - -Wl,--export=malloc \
 - -Wl,--export=free \
 - -Wl,--no-entry \
 +execSync(`${WASM_CC} ${WASM_CFLAGS} -msimd128 ${WASM_LDFLAGS} \
  ${join(WASM_SRC, 'src')}/*.c \
  -I${join(WASM_SRC, 'include')} \
 - -o ${join(WASM_OUT, 'llhttp_simd.wasm')}`, { stdio: 'inherit' })
 + -o ${join(WASM_OUT, 'llhttp_simd.wasm')} \
 + ${WASM_LDLIBS}`, { stdio: 'inherit' })
 const base64WasmSimd = readFileSync(join(WASM_OUT, 'llhttp_simd.wasm')).toString('base64')
 writeFileSync(
 -- 
 2.41.0
--- a/0002-Support-building-for-externally-shared-js-builtins-2.patch
+++ b/0002-Support-building-for-externally-shared-js-builtins-2.patch
@ -1,155 +0,0 @@
 From 834aec2a4fba9d4b734862530f465dcf90a998bb Mon Sep 17 00:00:00 2001
 From: Zephyr Lykos <self@mochaa.ws>
 Date: Sun, 28 Jan 2024 18:50:22 +0800
 Subject: [PATCH] Support building for externally shared js builtins (#2643)
 Signed-off-by: rpm-build <rpm-build>
 ---
 CONTRIBUTING.md | 10 ++++++++++
 build/wasm.js   | 41 ++++++++++++++++++++++++++++++-----------
 lib/client.js   |  4 ++--
 package.json    |  1 +
 4 files changed, 43 insertions(+), 13 deletions(-)
 diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
 index 3a7f3ff..7a91026 100644
 --- a/CONTRIBUTING.md
 +++ b/CONTRIBUTING.md
@@ -6,6 +6,7 @@
   * [Test](#test)
   * [Coverage](#coverage)
   * [Update `WPTs`](#update-wpts)
 +  * [Building for externally shared node builtins](#external-builds)
 * [Developer's Certificate of Origin 1.1](#developers-certificate-of-origin)
   * [Moderation Policy](#moderation-policy)
@@ -165,6 +166,15 @@ npm run test
 npm run coverage
 ```
 +<a id="external-builds"></a>
 +### Building for externally shared node builtins
 +
 +If you are packaging `undici` for a distro, this might help if you would like to use
 +an unbundled version instead of bundling one in `libnode.so`.
 +
 +To enable this, pass `EXTERNAL_PATH=/path/to/global/node_modules/undici` to `build/wasm.js`.
 +You shall also pass this path to `--shared-builtin-undici/undici-path` in Node.js's `configure.py`.
 +
 <a id="developers-certificate-of-origin"></a>
 ## Developer's Certificate of Origin 1.1
 diff --git a/build/wasm.js b/build/wasm.js
 index 2b63f3c..1104cfe 100644
 --- a/build/wasm.js
 +++ b/build/wasm.js
@@ -2,7 +2,7 @@
 const { execSync } = require('child_process')
 const { writeFileSync, readFileSync } = require('fs')
 -const { join, resolve } = require('path')
 +const { join, resolve, basename } = require('path')
 const ROOT = resolve(__dirname, '../')
 const WASM_SRC = resolve(__dirname, '../deps/llhttp')
@@ -15,6 +15,8 @@ let WASM_CFLAGS = process.env.WASM_CFLAGS || '--sysroot=/usr/share/wasi-sysroot
 let WASM_LDFLAGS = process.env.WASM_LDFLAGS || ''
 const WASM_LDLIBS = process.env.WASM_LDLIBS || ''
 +const EXTERNAL_PATH = process.env.EXTERNAL_PATH
 +
 // These are relevant for undici and should not be overridden
 WASM_CFLAGS += ' -Ofast -fno-exceptions -fvisibility=hidden -mexec-model=reactor'
 WASM_LDFLAGS += ' -Wl,-error-limit=0 -Wl,-O3 -Wl,--lto-O3 -Wl,--strip-all'
@@ -60,6 +62,23 @@ if (hasApk) {
   writeFileSync(join(WASM_OUT, 'wasm_build_env.txt'), buildInfo)
 }
 +const writeWasmChunk = EXTERNAL_PATH
 +  ? (path, dest) => {
 +      const base64 = readFileSync(join(WASM_OUT, path)).toString('base64')
 +      writeFileSync(join(WASM_OUT, dest), `
 +const { Buffer } = require('node:buffer')
 +
 +module.exports = Buffer.from('${base64}', 'base64')
 +`)
 +    }
 +  : (path, dest) => {
 +      writeFileSync(join(WASM_OUT, dest), `
 +const { fs } = require('node:fs')
 +
 +module.exports = fs.readFileSync(require.resolve('./${basename(path)}'))
 +`)
 +    }
 +
 // Build wasm binary
 execSync(`${WASM_CC} ${WASM_CFLAGS} ${WASM_LDFLAGS} \
  ${join(WASM_SRC, 'src')}/*.c \
@@ -67,11 +86,7 @@ execSync(`${WASM_CC} ${WASM_CFLAGS} ${WASM_LDFLAGS} \
  -o ${join(WASM_OUT, 'llhttp.wasm')} \
  ${WASM_LDLIBS}`, { stdio: 'inherit' })
 -const base64Wasm = readFileSync(join(WASM_OUT, 'llhttp.wasm')).toString('base64')
 -writeFileSync(
 -  join(WASM_OUT, 'llhttp-wasm.js'),
 -  `module.exports = '${base64Wasm}'\n`
 -)
 +writeWasmChunk('llhttp.wasm', 'llhttp-wasm.js')
 // Build wasm simd binary
 execSync(`${WASM_CC} ${WASM_CFLAGS} -msimd128 ${WASM_LDFLAGS} \
@@ -80,8 +95,12 @@ execSync(`${WASM_CC} ${WASM_CFLAGS} -msimd128 ${WASM_LDFLAGS} \
  -o ${join(WASM_OUT, 'llhttp_simd.wasm')} \
  ${WASM_LDLIBS}`, { stdio: 'inherit' })
 -const base64WasmSimd = readFileSync(join(WASM_OUT, 'llhttp_simd.wasm')).toString('base64')
 -writeFileSync(
 -  join(WASM_OUT, 'llhttp_simd-wasm.js'),
 -  `module.exports = '${base64WasmSimd}'\n`
 -)
 +writeWasmChunk('llhttp_simd.wasm', 'llhttp_simd-wasm.js')
 +
 +if (EXTERNAL_PATH) {
 +  writeFileSync(join(ROOT, 'loader.js'), `
 +'use strict'
 +
 +module.exports = require('node:module').createRequire('${EXTERNAL_PATH}/loader.js')('./index-fetch.js')
 +`)
 +}
 diff --git a/lib/client.js b/lib/client.js
 index 22cb390..12798ac 100644
 --- a/lib/client.js
 +++ b/lib/client.js
@@ -493,7 +493,7 @@ async function lazyllhttp () {
   let mod
   try {
 -    mod = await WebAssembly.compile(Buffer.from(require('./llhttp/llhttp_simd-wasm.js'), 'base64'))
 +    mod = await WebAssembly.compile(require('./llhttp/llhttp_simd-wasm.js'))
   } catch (e) {
     /* istanbul ignore next */
@@ -501,7 +501,7 @@ async function lazyllhttp () {
     // being enabled, but the occurring of this other error
     // * https://github.com/emscripten-core/emscripten/issues/11495
     // got me to remove that check to avoid breaking Node 12.
 -    mod = await WebAssembly.compile(Buffer.from(llhttpWasmData || require('./llhttp/llhttp-wasm.js'), 'base64'))
 +    mod = await WebAssembly.compile(llhttpWasmData || require('./llhttp/llhttp-wasm.js'))
   }
   return await WebAssembly.instantiate(mod, {
 diff --git a/package.json b/package.json
 index 68ee4da..140e852 100644
 --- a/package.json
 +++ b/package.json
@@ -65,6 +65,7 @@
     "*.d.ts",
     "index.js",
     "index-fetch.js",
 +    "loader.js",
     "lib",
     "types",
     "docs"
 -- 
 2.43.0
--- a/0002-chore-refine-esbuild-node-detection.patch
+++ b/0002-chore-refine-esbuild-node-detection.patch
@ -1,58 +0,0 @@
 From b285b94aa4a9f4a03524a3af71865666b4683e6d Mon Sep 17 00:00:00 2001
 From: Zephyr Lykos <git@mochaa.ws>
 Date: Wed, 31 Jan 2024 15:26:16 +0800
 Subject: [PATCH] chore: refine esbuild & node detection
 When using the loader for external builtins, `esbuildDetection` is
 undefined. This commit defines `__UNDICI_IS_NODE__` on `globalThis`
 in the loader and deletes it after loading Undici. `esbuildDetection`
 has also been extracted as a variable at the top level of the module,
 to support deleting `__UNDICI_IS_NODE__` on `globalThis` to avoid
 polluting the global namespace.
 ---
 build/wasm.js      | 2 ++
 lib/fetch/index.js | 8 ++++++--
 2 files changed, 8 insertions(+), 2 deletions(-)
 diff --git a/build/wasm.js b/build/wasm.js
 index 1104cfec..cd227256 100644
 --- a/build/wasm.js
 +++ b/build/wasm.js
@@ -101,6 +101,8 @@ if (EXTERNAL_PATH) {
   writeFileSync(join(ROOT, 'loader.js'), `
 'use strict'
 +globalThis.__UNDICI_IS_NODE__ = true
 module.exports = require('node:module').createRequire('${EXTERNAL_PATH}/loader.js')('./index-fetch.js')
 +delete globalThis.__UNDICI_IS_NODE__
 `)
 }
 diff --git a/lib/fetch/index.js b/lib/fetch/index.js
 index dea20696..52129884 100644
 --- a/lib/fetch/index.js
 +++ b/lib/fetch/index.js
@@ -64,6 +64,10 @@ const { webidl } = require('./webidl')
 const { STATUS_CODES } = require('http')
 const GET_OR_HEAD = ['GET', 'HEAD']
 +const defaultUserAgent = typeof __UNDICI_IS_NODE__ !== 'undefined' || typeof esbuildDetection !== 'undefined'
 +  ? 'node'
 +  : 'undici'
 +
 /** @type {import('buffer').resolveObjectURL} */
 let resolveObjectURL
 let ReadableStream = globalThis.ReadableStream
@@ -1352,8 +1356,8 @@ async function httpNetworkOrCacheFetch (
   //    14. If httpRequest’s header list does not contain `User-Agent`, then
   //    user agents should append `User-Agent`/default `User-Agent` value to
   //    httpRequest’s header list.
 -  if (!httpRequest.headersList.contains('user-agent')) {
 -    httpRequest.headersList.append('user-agent', typeof esbuildDetection === 'undefined' ? 'undici' : 'node')
 +  if (!httpRequest.headersList.contains('user-agent', true)) {
 +    httpRequest.headersList.append('user-agent', defaultUserAgent)
   }
   //    15. If httpRequest’s cache mode is "default" and httpRequest’s header
 -- 
 2.43.0
--- a/nodejs-undici.spec
+++ b/nodejs-undici.spec
@ -6,7 +6,7 @@
 Name:       nodejs-%{npm_name}
 Summary:    An HTTP/1.1 client, written from scratch for Node.js
-Version:    5.28.3
+Version:    6.11.1
 Release:    %autorelease
 License:    MIT
@ -18,11 +18,6 @@ Source2:    %{npm_name}-%{version}-nm-dev.tgz
 Source3:    %{npm_name}-%{version}-bundled-licenses.txt
 Source4:    %{npm_name}-sources.sh
 # Upstream proposal: https://github.com/nodejs/undici/pull/2403
 Patch0:     0001-feat-allow-customization-of-build-environment.patch
 Patch1:     0002-Support-building-for-externally-shared-js-builtins-2.patch
 Patch2:     0002-chore-refine-esbuild-node-detection.patch
 # Binary artifacts in this package are aimed at the wasm32-wasi "architecture".
 %global     _binaries_in_noarch_packages_terminate_build 0
 BuildArch:  noarch
@ -73,6 +68,10 @@ mkdir -p %{buildroot}%{nodejs_sitelib}/%{npm_name}
 tar -C   %{buildroot}%{nodejs_sitelib}/%{npm_name} -xzf %{npm_name}-%{version}.tgz --strip-components=1
 cp -prt  %{buildroot}%{nodejs_sitelib}/%{npm_name} node_modules_prod node_modules
 # Built (WASM) files are no longer packaged with npm pack
 install -p -Dt %{buildroot}%{nodejs_sitelib}/%{npm_name}/lib/llhttp/ lib/llhttp/*.wasm lib/llhttp/*.js
 install -p -Dt %{buildroot}%{nodejs_sitelib}/%{npm_name}/            loader.js
 %check
 %{__nodejs} -e 'require("./")'
--- a/8
+++ b/8
@ -1,4 +1,4 @@
-SHA512 (undici-5.28.3-stripped.tar.gz) = 8ac2c4737694760d6ef42f807ffa6ea84970bfd45a352f88b04b2d4453aca63060d01b8fd07bc34dcf6ec57979be5e499bb1d874f1f5b7de22bf01f518d273d2
+SHA512 (undici-6.11.1-stripped.tar.gz) = 851d95aa77e8ce2c4c7dd73be5989b1e235465e9f122a7b685e0e22a4eab0ccd169a0f01f09891234285f1dd04f4e5c9000ccbe8e68a4bad31c7f7dbf4b7c7a7
-SHA512 (undici-5.28.3-nm-prod.tgz) = 2cf834e47f9a30b961ba736c9db687d5840659af04521dca9e07ede8233ab6b2383180b175549aca5ce060e4f7d0fb57fe9ada010a65f0ce1c67eae0c6fe5ccc
+SHA512 (undici-6.11.1-nm-prod.tgz) = f119e8d00db1292e5e79010b15dba703cc39f6e93b9b75d54e7bae7fba0d560308e13c9a7e55e61d86d22aaa03d5110311b37adf6b924c0f727b7922222963e4
-SHA512 (undici-5.28.3-nm-dev.tgz) = fb00684428f0a71b5cd4350baec98425cf48b78b6ca26b89ecf29b5c9313a119612adb10b06845be898484e4ec0515c791f189af4986e61a276e3ad9cf27ab2b
+SHA512 (undici-6.11.1-nm-dev.tgz) = c2008ac535dd14945ed9f818351a8653ae03bc35f39956ededff2a757d0bb3ca9d269120eb499ef6f3d3f7b729c183b5612cb7a3fcf010072ff0cc68b3357aba
-SHA512 (undici-5.28.3-bundled-licenses.txt) = 3e591adb16e09b1c6fb75eb97a6ac51cd06e0aeae2bd5950a15902346e2c9626cb50203bfd0e15c7e8c98af8f24b81c1ce6617c359e7c0e7d0a6366457c844ba
+SHA512 (undici-6.11.1-bundled-licenses.txt) = 3e591adb16e09b1c6fb75eb97a6ac51cd06e0aeae2bd5950a15902346e2c9626cb50203bfd0e15c7e8c98af8f24b81c1ce6617c359e7c0e7d0a6366457c844ba
--- a/undici-sources.sh
+++ b/undici-sources.sh
@ -69,7 +69,6 @@ repackage() {
    readonly repackage_rootdir="${2-undici-v${repackage_version}/}"
    tar -czf "undici-${repackage_version}-stripped.tar.gz" "${repackage_rootdir}"
    rm -rf "${repackage_rootdir}"
    echo "undici-${repackage_version}-stripped.tar.gz"
 }
@ -112,3 +111,7 @@ ${RPKG} $(test -n "${RELEASE}" && echo --release="${RELEASE}") new-sources $("$O
    "undici-${UNDICI_VERSION}-nm-prod.tgz" \
    "undici-${UNDICI_VERSION}-nm-dev.tgz" \
    "undici-${UNDICI_VERSION}-bundled-licenses.txt"
 printf '=== %s ===\n' 'Detecting bundled versions' >&2
 awk '/^#define LLHTTP_VERSION/{print $NF;}' "${rootdir}/deps/llhttp/include/llhttp.h" \
 | xargs printf 'llhttp: %d.%d.%d\n'