import nodejs-14.17.5-1.module+el8.4.0+12247+e2879e58
This commit is contained in:
parent
f064590a86
commit
2b6d510aa0
4
.gitignore
vendored
4
.gitignore
vendored
@ -1,2 +1,2 @@
|
||||
SOURCES/icu4c-67_1-src.tgz
|
||||
SOURCES/node-v14.15.4-stripped.tar.gz
|
||||
SOURCES/icu4c-69_1-src.tgz
|
||||
SOURCES/node-v14.17.5-stripped.tar.gz
|
||||
|
@ -1,2 +1,2 @@
|
||||
6822a4a94324d1ba591b3e8ef084e4491af253c1 SOURCES/icu4c-67_1-src.tgz
|
||||
5defcd39ec57a7d529ae6343b9022f2c0e5e6e5f SOURCES/node-v14.15.4-stripped.tar.gz
|
||||
620a71c84428758376baa0fb81a581c3daa866ce SOURCES/icu4c-69_1-src.tgz
|
||||
cdb2e0bdf9693d85a58d7b8576a4595618e0909e SOURCES/node-v14.17.5-stripped.tar.gz
|
||||
|
@ -1,92 +0,0 @@
|
||||
From d4d05ceb418c525b0d07e76b81b8694ac2f5b309 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Bevenius <daniel.bevenius@gmail.com>
|
||||
Date: Wed, 16 Sep 2020 06:12:54 +0200
|
||||
Subject: [PATCH] [deps] V8: cherry-pick 71736859756b2bd0444bdb0a87a
|
||||
|
||||
Original commit message:
|
||||
|
||||
[heap] Add large_object_threshold to AllocateRaw
|
||||
|
||||
This commit adds a check in Heap::AllocateRaw when setting the
|
||||
large_object variable, when the AllocationType is of type kCode, to
|
||||
take into account the size of the CodeSpace's area size.
|
||||
|
||||
The motivation for this change is that without this check it is
|
||||
possible that size_in_bytes is less than 128, and hence not considered
|
||||
a large object, but it might be larger than the available space
|
||||
in code_space->AreaSize(), which will cause the object to be created
|
||||
in the CodeLargeObjectSpace. This will later cause a segmentation fault
|
||||
when calling the following chain of functions:
|
||||
|
||||
if (!large_object) {
|
||||
MemoryChunk::FromHeapObject(heap_object)
|
||||
->GetCodeObjectRegistry()
|
||||
->RegisterNewlyAllocatedCodeObject(heap_object.address());
|
||||
}
|
||||
|
||||
We (Red Hat) ran into this issue when running Node.js v12.16.1 in
|
||||
combination with yarn on aarch64 (this was the only architecture that
|
||||
this happed on).
|
||||
|
||||
Bug: v8:10808
|
||||
Change-Id: I0c396b0eb64bc4cc91d9a3be521254f3130eac7b
|
||||
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2390665
|
||||
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
|
||||
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
|
||||
Cr-Commit-Position: refs/heads/master@{#69876}
|
||||
|
||||
Refs: https://github.com/v8/v8/commit/71736859756b2bd0444bdb0a87a61a0b090cbba2
|
||||
---
|
||||
deps/v8/src/heap/heap-inl.h | 13 +++--
|
||||
deps/v8/src/heap/heap.h | 6 ++-
|
||||
4 files changed, 83 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/deps/v8/src/heap/heap-inl.h b/deps/v8/src/heap/heap-inl.h
|
||||
index 39f5ec6c66e..b56ebc03d58 100644
|
||||
--- a/deps/v8/src/heap/heap-inl.h
|
||||
+++ b/deps/v8/src/heap/heap-inl.h
|
||||
@@ -192,7 +192,12 @@ AllocationResult Heap::AllocateRaw(int size_in_bytes, AllocationType type,
|
||||
IncrementObjectCounters();
|
||||
#endif
|
||||
|
||||
- bool large_object = size_in_bytes > kMaxRegularHeapObjectSize;
|
||||
+ size_t large_object_threshold =
|
||||
+ AllocationType::kCode == type
|
||||
+ ? std::min(kMaxRegularHeapObjectSize, code_space()->AreaSize())
|
||||
+ : kMaxRegularHeapObjectSize;
|
||||
+ bool large_object =
|
||||
+ static_cast<size_t>(size_in_bytes) > large_object_threshold;
|
||||
|
||||
HeapObject object;
|
||||
AllocationResult allocation;
|
||||
@@ -225,10 +230,10 @@ AllocationResult Heap::AllocateRaw(int size_in_bytes, AllocationType type,
|
||||
allocation = old_space_->AllocateRaw(size_in_bytes, alignment, origin);
|
||||
}
|
||||
} else if (AllocationType::kCode == type) {
|
||||
- if (size_in_bytes <= code_space()->AreaSize() && !large_object) {
|
||||
- allocation = code_space_->AllocateRawUnaligned(size_in_bytes);
|
||||
- } else {
|
||||
+ if (large_object) {
|
||||
allocation = code_lo_space_->AllocateRaw(size_in_bytes);
|
||||
+ } else {
|
||||
+ allocation = code_space_->AllocateRawUnaligned(size_in_bytes);
|
||||
}
|
||||
} else if (AllocationType::kMap == type) {
|
||||
allocation = map_space_->AllocateRawUnaligned(size_in_bytes);
|
||||
diff --git a/deps/v8/src/heap/heap.h b/deps/v8/src/heap/heap.h
|
||||
index 888d174c02f..0165fa6970f 100644
|
||||
--- a/deps/v8/src/heap/heap.h
|
||||
+++ b/deps/v8/src/heap/heap.h
|
||||
@@ -1404,8 +1404,10 @@ class Heap {
|
||||
// Heap object allocation tracking. ==========================================
|
||||
// ===========================================================================
|
||||
|
||||
- void AddHeapObjectAllocationTracker(HeapObjectAllocationTracker* tracker);
|
||||
- void RemoveHeapObjectAllocationTracker(HeapObjectAllocationTracker* tracker);
|
||||
+ V8_EXPORT_PRIVATE void AddHeapObjectAllocationTracker(
|
||||
+ HeapObjectAllocationTracker* tracker);
|
||||
+ V8_EXPORT_PRIVATE void RemoveHeapObjectAllocationTracker(
|
||||
+ HeapObjectAllocationTracker* tracker);
|
||||
bool has_heap_object_allocation_tracker() const {
|
||||
return !allocation_trackers_.empty();
|
||||
}
|
@ -1,13 +0,0 @@
|
||||
diff --git a/deps/npm/node_modules/y18n/index.js b/deps/npm/node_modules/y18n/index.js
|
||||
index d720681628..727362aac0 100644
|
||||
--- a/deps/npm/node_modules/y18n/index.js
|
||||
+++ b/deps/npm/node_modules/y18n/index.js
|
||||
@@ -11,7 +11,7 @@ function Y18N (opts) {
|
||||
this.fallbackToLanguage = typeof opts.fallbackToLanguage === 'boolean' ? opts.fallbackToLanguage : true
|
||||
|
||||
// internal stuff.
|
||||
- this.cache = {}
|
||||
+ this.cache = Object.create(null)
|
||||
this.writeQueue = []
|
||||
}
|
||||
|
624
SOURCES/0004-always-available-fips-options.patch
Normal file
624
SOURCES/0004-always-available-fips-options.patch
Normal file
@ -0,0 +1,624 @@
|
||||
From 7c7f5159fcc71d915dfcc5f97ab18d5f8912f1b5 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?V=C3=ADt=20Ondruch?= <vondruch@redhat.com>
|
||||
Date: Tue, 25 Aug 2020 14:04:54 +0200
|
||||
Subject: [PATCH] crypto: make FIPS related options always awailable
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
There is no reason to hide FIPS functionality behind build flags.
|
||||
OpenSSL always provide the information about FIPS availability via
|
||||
`FIPS_mode()` function.
|
||||
|
||||
This makes the user experience more consistent, because the OpenSSL
|
||||
library is always queried and the `crypto.getFips()` always returns
|
||||
OpenSSL settings.
|
||||
|
||||
Fixes #34903
|
||||
|
||||
PR-URL: https://github.com/nodejs/node/pull/36341
|
||||
Reviewed-By: Anna Henningsen <anna@addaleax.net>
|
||||
Reviewed-By: Michael Dawson <midawson@redhat.com>
|
||||
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
|
||||
Signed-off-by: Jan Staněk <jstanek@redhat.com>
|
||||
Signed-off-by: rpm-build <rpm-build>
|
||||
---
|
||||
doc/api/cli.md | 8 +--
|
||||
lib/crypto.js | 22 ++----
|
||||
node.gypi | 3 -
|
||||
src/node.cc | 6 +-
|
||||
src/node_config.cc | 2 -
|
||||
src/node_crypto.cc | 45 +++++++-----
|
||||
src/node_options.cc | 2 -
|
||||
src/node_options.h | 2 -
|
||||
test/parallel/test-cli-node-print-help.js | 7 +-
|
||||
test/parallel/test-crypto-fips.js | 71 +++++++++----------
|
||||
...rocess-env-allowed-flags-are-documented.js | 11 +--
|
||||
11 files changed, 74 insertions(+), 105 deletions(-)
|
||||
|
||||
diff --git a/doc/api/cli.md b/doc/api/cli.md
|
||||
index a8ef339..c41bd49 100644
|
||||
--- a/doc/api/cli.md
|
||||
+++ b/doc/api/cli.md
|
||||
@@ -182,8 +182,8 @@ code from strings throw an exception instead. This does not affect the Node.js
|
||||
added: v6.0.0
|
||||
-->
|
||||
|
||||
-Enable FIPS-compliant crypto at startup. (Requires Node.js to be built with
|
||||
-`./configure --openssl-fips`.)
|
||||
+Enable FIPS-compliant crypto at startup. (Requires Node.js to be built
|
||||
+against FIPS-compatible OpenSSL.)
|
||||
|
||||
### `--enable-source-maps`
|
||||
<!-- YAML
|
||||
@@ -543,8 +543,8 @@ added: v6.9.0
|
||||
-->
|
||||
|
||||
Load an OpenSSL configuration file on startup. Among other uses, this can be
|
||||
-used to enable FIPS-compliant crypto if Node.js is built with
|
||||
-`./configure --openssl-fips`.
|
||||
+used to enable FIPS-compliant crypto if Node.js is built
|
||||
+against FIPS-enabled OpenSSL.
|
||||
|
||||
### `--pending-deprecation`
|
||||
<!-- YAML
|
||||
diff --git a/lib/crypto.js b/lib/crypto.js
|
||||
index a41b02d..5c15ab3 100644
|
||||
--- a/lib/crypto.js
|
||||
+++ b/lib/crypto.js
|
||||
@@ -37,12 +37,10 @@ assertCrypto();
|
||||
|
||||
const {
|
||||
ERR_CRYPTO_FIPS_FORCED,
|
||||
- ERR_CRYPTO_FIPS_UNAVAILABLE
|
||||
} = require('internal/errors').codes;
|
||||
const constants = internalBinding('constants').crypto;
|
||||
const { getOptionValue } = require('internal/options');
|
||||
const pendingDeprecation = getOptionValue('--pending-deprecation');
|
||||
-const { fipsMode } = internalBinding('config');
|
||||
const fipsForced = getOptionValue('--force-fips');
|
||||
const {
|
||||
getFipsCrypto,
|
||||
@@ -193,10 +191,8 @@ module.exports = {
|
||||
sign: signOneShot,
|
||||
setEngine,
|
||||
timingSafeEqual,
|
||||
- getFips: !fipsMode ? getFipsDisabled :
|
||||
- fipsForced ? getFipsForced : getFipsCrypto,
|
||||
- setFips: !fipsMode ? setFipsDisabled :
|
||||
- fipsForced ? setFipsForced : setFipsCrypto,
|
||||
+ getFips: fipsForced ? getFipsForced : getFipsCrypto,
|
||||
+ setFips: fipsForced ? setFipsForced : setFipsCrypto,
|
||||
verify: verifyOneShot,
|
||||
|
||||
// Classes
|
||||
@@ -215,19 +211,11 @@ module.exports = {
|
||||
Verify
|
||||
};
|
||||
|
||||
-function setFipsDisabled() {
|
||||
- throw new ERR_CRYPTO_FIPS_UNAVAILABLE();
|
||||
-}
|
||||
-
|
||||
function setFipsForced(val) {
|
||||
if (val) return;
|
||||
throw new ERR_CRYPTO_FIPS_FORCED();
|
||||
}
|
||||
|
||||
-function getFipsDisabled() {
|
||||
- return 0;
|
||||
-}
|
||||
-
|
||||
function getFipsForced() {
|
||||
return 1;
|
||||
}
|
||||
@@ -249,10 +237,8 @@ ObjectDefineProperties(module.exports, {
|
||||
},
|
||||
// crypto.fips is deprecated. DEP0093. Use crypto.getFips()/crypto.setFips()
|
||||
fips: {
|
||||
- get: !fipsMode ? getFipsDisabled :
|
||||
- fipsForced ? getFipsForced : getFipsCrypto,
|
||||
- set: !fipsMode ? setFipsDisabled :
|
||||
- fipsForced ? setFipsForced : setFipsCrypto
|
||||
+ get: fipsForced ? getFipsForced : getFipsCrypto,
|
||||
+ set: fipsForced ? setFipsForced : setFipsCrypto
|
||||
},
|
||||
DEFAULT_ENCODING: {
|
||||
enumerable: false,
|
||||
diff --git a/node.gypi b/node.gypi
|
||||
index 070f212..45f6a9f 100644
|
||||
--- a/node.gypi
|
||||
+++ b/node.gypi
|
||||
@@ -319,9 +319,6 @@
|
||||
[ 'node_use_openssl=="true"', {
|
||||
'defines': [ 'HAVE_OPENSSL=1' ],
|
||||
'conditions': [
|
||||
- ['openssl_fips != "" or openssl_is_fips=="true"', {
|
||||
- 'defines': [ 'NODE_FIPS_MODE' ],
|
||||
- }],
|
||||
[ 'node_shared_openssl=="false"', {
|
||||
'dependencies': [
|
||||
'./deps/openssl/openssl.gyp:openssl',
|
||||
diff --git a/src/node.cc b/src/node.cc
|
||||
index 905afd8..c04d199 100644
|
||||
--- a/src/node.cc
|
||||
+++ b/src/node.cc
|
||||
@@ -1035,11 +1035,11 @@ InitializationResult InitializeOncePerProcess(int argc, char** argv) {
|
||||
if (credentials::SafeGetenv("NODE_EXTRA_CA_CERTS", &extra_ca_certs))
|
||||
crypto::UseExtraCaCerts(extra_ca_certs);
|
||||
}
|
||||
-#ifdef NODE_FIPS_MODE
|
||||
// In the case of FIPS builds we should make sure
|
||||
// the random source is properly initialized first.
|
||||
- OPENSSL_init();
|
||||
-#endif // NODE_FIPS_MODE
|
||||
+ if (FIPS_mode()) {
|
||||
+ OPENSSL_init();
|
||||
+ }
|
||||
// V8 on Windows doesn't have a good source of entropy. Seed it from
|
||||
// OpenSSL's pool.
|
||||
V8::SetEntropySource(crypto::EntropySource);
|
||||
diff --git a/src/node_config.cc b/src/node_config.cc
|
||||
index 6ee3164..e229eee 100644
|
||||
--- a/src/node_config.cc
|
||||
+++ b/src/node_config.cc
|
||||
@@ -42,9 +42,7 @@ static void Initialize(Local<Object> target,
|
||||
READONLY_FALSE_PROPERTY(target, "hasOpenSSL");
|
||||
#endif // HAVE_OPENSSL
|
||||
|
||||
-#ifdef NODE_FIPS_MODE
|
||||
READONLY_TRUE_PROPERTY(target, "fipsMode");
|
||||
-#endif
|
||||
|
||||
#ifdef NODE_HAVE_I18N_SUPPORT
|
||||
|
||||
diff --git a/src/node_crypto.cc b/src/node_crypto.cc
|
||||
index 31e8276..721c9d1 100644
|
||||
--- a/src/node_crypto.cc
|
||||
+++ b/src/node_crypto.cc
|
||||
@@ -51,6 +51,11 @@
|
||||
#include <openssl/hmac.h>
|
||||
#include <openssl/rand.h>
|
||||
#include <openssl/pkcs12.h>
|
||||
+// The FIPS-related functions are only available
|
||||
+// when the OpenSSL itself was compiled with FIPS support.
|
||||
+#ifdef OPENSSL_FIPS
|
||||
+#include <openssl/fips.h>
|
||||
+#endif // OPENSSL_FIPS
|
||||
|
||||
#include <cerrno>
|
||||
#include <climits> // INT_MAX
|
||||
@@ -101,6 +106,7 @@ using v8::String;
|
||||
using v8::Uint32;
|
||||
using v8::Uint8Array;
|
||||
using v8::Undefined;
|
||||
+using v8::TryCatch;
|
||||
using v8::Value;
|
||||
|
||||
#ifdef OPENSSL_NO_OCB
|
||||
@@ -3706,12 +3712,10 @@ void CipherBase::Init(const char* cipher_type,
|
||||
HandleScope scope(env()->isolate());
|
||||
MarkPopErrorOnReturn mark_pop_error_on_return;
|
||||
|
||||
-#ifdef NODE_FIPS_MODE
|
||||
if (FIPS_mode()) {
|
||||
return env()->ThrowError(
|
||||
"crypto.createCipher() is not supported in FIPS mode.");
|
||||
}
|
||||
-#endif // NODE_FIPS_MODE
|
||||
|
||||
const EVP_CIPHER* const cipher = EVP_get_cipherbyname(cipher_type);
|
||||
if (cipher == nullptr)
|
||||
@@ -3897,13 +3901,11 @@ bool CipherBase::InitAuthenticated(const char* cipher_type, int iv_len,
|
||||
return false;
|
||||
}
|
||||
|
||||
-#ifdef NODE_FIPS_MODE
|
||||
// TODO(tniessen) Support CCM decryption in FIPS mode
|
||||
if (mode == EVP_CIPH_CCM_MODE && kind_ == kDecipher && FIPS_mode()) {
|
||||
env()->ThrowError("CCM decryption not supported in FIPS mode");
|
||||
return false;
|
||||
}
|
||||
-#endif
|
||||
|
||||
// Tell OpenSSL about the desired length.
|
||||
if (!EVP_CIPHER_CTX_ctrl(ctx_.get(), EVP_CTRL_AEAD_SET_TAG, auth_tag_len,
|
||||
@@ -4778,7 +4780,6 @@ static AllocatedBuffer Node_SignFinal(Environment* env,
|
||||
}
|
||||
|
||||
static inline bool ValidateDSAParameters(EVP_PKEY* key) {
|
||||
-#ifdef NODE_FIPS_MODE
|
||||
/* Validate DSA2 parameters from FIPS 186-4 */
|
||||
if (FIPS_mode() && EVP_PKEY_DSA == EVP_PKEY_base_id(key)) {
|
||||
DSA* dsa = EVP_PKEY_get0_DSA(key);
|
||||
@@ -4794,7 +4795,6 @@ static inline bool ValidateDSAParameters(EVP_PKEY* key) {
|
||||
(L == 2048 && N == 256) ||
|
||||
(L == 3072 && N == 256);
|
||||
}
|
||||
-#endif // NODE_FIPS_MODE
|
||||
|
||||
return true;
|
||||
}
|
||||
@@ -7032,7 +7032,6 @@ void InitCryptoOnce() {
|
||||
settings = nullptr;
|
||||
#endif
|
||||
|
||||
-#ifdef NODE_FIPS_MODE
|
||||
/* Override FIPS settings in cnf file, if needed. */
|
||||
unsigned long err = 0; // NOLINT(runtime/int)
|
||||
if (per_process::cli_options->enable_fips_crypto ||
|
||||
@@ -7042,12 +7041,10 @@ void InitCryptoOnce() {
|
||||
}
|
||||
}
|
||||
if (0 != err) {
|
||||
- fprintf(stderr,
|
||||
- "openssl fips failed: %s\n",
|
||||
- ERR_error_string(err, nullptr));
|
||||
- UNREACHABLE();
|
||||
+ auto* isolate = Isolate::GetCurrent();
|
||||
+ auto* env = Environment::GetCurrent(isolate);
|
||||
+ return ThrowCryptoError(env, err);
|
||||
}
|
||||
-#endif // NODE_FIPS_MODE
|
||||
|
||||
|
||||
// Turn off compression. Saves memory and protects against CRIME attacks.
|
||||
@@ -7093,7 +7090,6 @@ void SetEngine(const FunctionCallbackInfo<Value>& args) {
|
||||
}
|
||||
#endif // !OPENSSL_NO_ENGINE
|
||||
|
||||
-#ifdef NODE_FIPS_MODE
|
||||
void GetFipsCrypto(const FunctionCallbackInfo<Value>& args) {
|
||||
args.GetReturnValue().Set(FIPS_mode() ? 1 : 0);
|
||||
}
|
||||
@@ -7111,7 +7107,16 @@ void SetFipsCrypto(const FunctionCallbackInfo<Value>& args) {
|
||||
return ThrowCryptoError(env, err);
|
||||
}
|
||||
}
|
||||
-#endif /* NODE_FIPS_MODE */
|
||||
+
|
||||
+void TestFipsCrypto(const v8::FunctionCallbackInfo<v8::Value>& args) {
|
||||
+#ifdef OPENSSL_FIPS
|
||||
+ const auto enabled = FIPS_selftest() ? 1 : 0;
|
||||
+#else // OPENSSL_FIPS
|
||||
+ const auto enabled = 0;
|
||||
+#endif // OPENSSL_FIPS
|
||||
+
|
||||
+ args.GetReturnValue().Set(enabled);
|
||||
+}
|
||||
|
||||
namespace {
|
||||
// SecureBuffer uses openssl to allocate a Uint8Array using
|
||||
@@ -7147,10 +7152,17 @@ void Initialize(Local<Object> target,
|
||||
Local<Value> unused,
|
||||
Local<Context> context,
|
||||
void* priv) {
|
||||
+ Environment* env = Environment::GetCurrent(context);
|
||||
+
|
||||
static uv_once_t init_once = UV_ONCE_INIT;
|
||||
+ TryCatch try_catch{env->isolate()};
|
||||
uv_once(&init_once, InitCryptoOnce);
|
||||
|
||||
- Environment* env = Environment::GetCurrent(context);
|
||||
+ if (try_catch.HasCaught() && !try_catch.HasTerminated()) {
|
||||
+ try_catch.ReThrow();
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
SecureContext::Initialize(env, target);
|
||||
target->Set(env->context(),
|
||||
FIXED_ONE_BYTE_STRING(env->isolate(), "KeyObjectHandle"),
|
||||
@@ -7179,10 +7191,9 @@ void Initialize(Local<Object> target,
|
||||
env->SetMethod(target, "setEngine", SetEngine);
|
||||
#endif // !OPENSSL_NO_ENGINE
|
||||
|
||||
-#ifdef NODE_FIPS_MODE
|
||||
env->SetMethodNoSideEffect(target, "getFipsCrypto", GetFipsCrypto);
|
||||
env->SetMethod(target, "setFipsCrypto", SetFipsCrypto);
|
||||
-#endif
|
||||
+ env->SetMethodNoSideEffect(target, "testFipsCrypto", TestFipsCrypto);
|
||||
|
||||
env->SetMethod(target, "pbkdf2", PBKDF2);
|
||||
env->SetMethod(target, "generateKeyPairRSA", GenerateKeyPairRSA);
|
||||
diff --git a/src/node_options.cc b/src/node_options.cc
|
||||
index 0102329..1ad44f4 100644
|
||||
--- a/src/node_options.cc
|
||||
+++ b/src/node_options.cc
|
||||
@@ -753,7 +753,6 @@ PerProcessOptionsParser::PerProcessOptionsParser(
|
||||
&PerProcessOptions::ssl_openssl_cert_store);
|
||||
Implies("--use-openssl-ca", "[ssl_openssl_cert_store]");
|
||||
ImpliesNot("--use-bundled-ca", "[ssl_openssl_cert_store]");
|
||||
-#if NODE_FIPS_MODE
|
||||
AddOption("--enable-fips",
|
||||
"enable FIPS crypto at startup",
|
||||
&PerProcessOptions::enable_fips_crypto,
|
||||
@@ -762,7 +761,6 @@ PerProcessOptionsParser::PerProcessOptionsParser(
|
||||
"force FIPS crypto (cannot be disabled)",
|
||||
&PerProcessOptions::force_fips_crypto,
|
||||
kAllowedInEnvironment);
|
||||
-#endif
|
||||
#endif
|
||||
AddOption("--use-largepages",
|
||||
"Map the Node.js static code to large pages. Options are "
|
||||
diff --git a/src/node_options.h b/src/node_options.h
|
||||
index 58a21e0..f22b254 100644
|
||||
--- a/src/node_options.h
|
||||
+++ b/src/node_options.h
|
||||
@@ -243,10 +243,8 @@ class PerProcessOptions : public Options {
|
||||
#endif
|
||||
bool use_openssl_ca = false;
|
||||
bool use_bundled_ca = false;
|
||||
-#if NODE_FIPS_MODE
|
||||
bool enable_fips_crypto = false;
|
||||
bool force_fips_crypto = false;
|
||||
-#endif
|
||||
#endif
|
||||
|
||||
// Per-process because reports can be triggered outside a known V8 context.
|
||||
diff --git a/test/parallel/test-cli-node-print-help.js b/test/parallel/test-cli-node-print-help.js
|
||||
index ab8cd10..7e7c77f 100644
|
||||
--- a/test/parallel/test-cli-node-print-help.js
|
||||
+++ b/test/parallel/test-cli-node-print-help.js
|
||||
@@ -8,8 +8,6 @@ const common = require('../common');
|
||||
|
||||
const assert = require('assert');
|
||||
const { exec } = require('child_process');
|
||||
-const { internalBinding } = require('internal/test/binding');
|
||||
-const { fipsMode } = internalBinding('config');
|
||||
let stdOut;
|
||||
|
||||
|
||||
@@ -28,9 +26,8 @@ function validateNodePrintHelp() {
|
||||
const cliHelpOptions = [
|
||||
{ compileConstant: HAVE_OPENSSL,
|
||||
flags: [ '--openssl-config=...', '--tls-cipher-list=...',
|
||||
- '--use-bundled-ca', '--use-openssl-ca' ] },
|
||||
- { compileConstant: fipsMode,
|
||||
- flags: [ '--enable-fips', '--force-fips' ] },
|
||||
+ '--use-bundled-ca', '--use-openssl-ca',
|
||||
+ '--enable-fips', '--force-fips' ] },
|
||||
{ compileConstant: NODE_HAVE_I18N_SUPPORT,
|
||||
flags: [ '--icu-data-dir=...', 'NODE_ICU_DATA' ] },
|
||||
{ compileConstant: HAVE_INSPECTOR,
|
||||
diff --git a/test/parallel/test-crypto-fips.js b/test/parallel/test-crypto-fips.js
|
||||
index eae3134..a1ed645 100644
|
||||
--- a/test/parallel/test-crypto-fips.js
|
||||
+++ b/test/parallel/test-crypto-fips.js
|
||||
@@ -9,27 +9,20 @@ const spawnSync = require('child_process').spawnSync;
|
||||
const path = require('path');
|
||||
const fixtures = require('../common/fixtures');
|
||||
const { internalBinding } = require('internal/test/binding');
|
||||
-const { fipsMode } = internalBinding('config');
|
||||
+const { testFipsCrypto } = internalBinding('crypto');
|
||||
|
||||
const FIPS_ENABLED = 1;
|
||||
const FIPS_DISABLED = 0;
|
||||
-const FIPS_ERROR_STRING =
|
||||
- 'Error [ERR_CRYPTO_FIPS_UNAVAILABLE]: Cannot set FIPS mode in a ' +
|
||||
- 'non-FIPS build.';
|
||||
const FIPS_ERROR_STRING2 =
|
||||
'Error [ERR_CRYPTO_FIPS_FORCED]: Cannot set FIPS mode, it was forced with ' +
|
||||
'--force-fips at startup.';
|
||||
-const OPTION_ERROR_STRING = 'bad option';
|
||||
+const FIPS_UNSUPPORTED_ERROR_STRING = 'fips mode not supported';
|
||||
|
||||
const CNF_FIPS_ON = fixtures.path('openssl_fips_enabled.cnf');
|
||||
const CNF_FIPS_OFF = fixtures.path('openssl_fips_disabled.cnf');
|
||||
|
||||
let num_children_ok = 0;
|
||||
|
||||
-function compiledWithFips() {
|
||||
- return fipsMode ? true : false;
|
||||
-}
|
||||
-
|
||||
function sharedOpenSSL() {
|
||||
return process.config.variables.node_shared_openssl;
|
||||
}
|
||||
@@ -75,17 +68,17 @@ testHelper(
|
||||
|
||||
// --enable-fips should turn FIPS mode on
|
||||
testHelper(
|
||||
- compiledWithFips() ? 'stdout' : 'stderr',
|
||||
+ testFipsCrypto() ? 'stdout' : 'stderr',
|
||||
['--enable-fips'],
|
||||
- compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
|
||||
+ testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
|
||||
'require("crypto").getFips()',
|
||||
process.env);
|
||||
|
||||
// --force-fips should turn FIPS mode on
|
||||
testHelper(
|
||||
- compiledWithFips() ? 'stdout' : 'stderr',
|
||||
+ testFipsCrypto() ? 'stdout' : 'stderr',
|
||||
['--force-fips'],
|
||||
- compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
|
||||
+ testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
|
||||
'require("crypto").getFips()',
|
||||
process.env);
|
||||
|
||||
@@ -106,7 +99,7 @@ if (!sharedOpenSSL()) {
|
||||
testHelper(
|
||||
'stdout',
|
||||
[`--openssl-config=${CNF_FIPS_ON}`],
|
||||
- compiledWithFips() ? FIPS_ENABLED : FIPS_DISABLED,
|
||||
+ testFipsCrypto() ? FIPS_ENABLED : FIPS_DISABLED,
|
||||
'require("crypto").getFips()',
|
||||
process.env);
|
||||
|
||||
@@ -114,7 +107,7 @@ if (!sharedOpenSSL()) {
|
||||
testHelper(
|
||||
'stdout',
|
||||
[],
|
||||
- compiledWithFips() ? FIPS_ENABLED : FIPS_DISABLED,
|
||||
+ testFipsCrypto() ? FIPS_ENABLED : FIPS_DISABLED,
|
||||
'require("crypto").getFips()',
|
||||
Object.assign({}, process.env, { 'OPENSSL_CONF': CNF_FIPS_ON }));
|
||||
|
||||
@@ -122,7 +115,7 @@ if (!sharedOpenSSL()) {
|
||||
testHelper(
|
||||
'stdout',
|
||||
[`--openssl-config=${CNF_FIPS_ON}`],
|
||||
- compiledWithFips() ? FIPS_ENABLED : FIPS_DISABLED,
|
||||
+ testFipsCrypto() ? FIPS_ENABLED : FIPS_DISABLED,
|
||||
'require("crypto").getFips()',
|
||||
Object.assign({}, process.env, { 'OPENSSL_CONF': CNF_FIPS_OFF }));
|
||||
}
|
||||
@@ -136,50 +129,50 @@ testHelper(
|
||||
|
||||
// --enable-fips should take precedence over OpenSSL config file
|
||||
testHelper(
|
||||
- compiledWithFips() ? 'stdout' : 'stderr',
|
||||
+ testFipsCrypto() ? 'stdout' : 'stderr',
|
||||
['--enable-fips', `--openssl-config=${CNF_FIPS_OFF}`],
|
||||
- compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
|
||||
+ testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
|
||||
'require("crypto").getFips()',
|
||||
process.env);
|
||||
|
||||
// OPENSSL_CONF should _not_ make a difference to --enable-fips
|
||||
testHelper(
|
||||
- compiledWithFips() ? 'stdout' : 'stderr',
|
||||
+ testFipsCrypto() ? 'stdout' : 'stderr',
|
||||
['--enable-fips'],
|
||||
- compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
|
||||
+ testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
|
||||
'require("crypto").getFips()',
|
||||
Object.assign({}, process.env, { 'OPENSSL_CONF': CNF_FIPS_OFF }));
|
||||
|
||||
// --force-fips should take precedence over OpenSSL config file
|
||||
testHelper(
|
||||
- compiledWithFips() ? 'stdout' : 'stderr',
|
||||
+ testFipsCrypto() ? 'stdout' : 'stderr',
|
||||
['--force-fips', `--openssl-config=${CNF_FIPS_OFF}`],
|
||||
- compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
|
||||
+ testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
|
||||
'require("crypto").getFips()',
|
||||
process.env);
|
||||
|
||||
// Using OPENSSL_CONF should not make a difference to --force-fips
|
||||
testHelper(
|
||||
- compiledWithFips() ? 'stdout' : 'stderr',
|
||||
+ testFipsCrypto() ? 'stdout' : 'stderr',
|
||||
['--force-fips'],
|
||||
- compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
|
||||
+ testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
|
||||
'require("crypto").getFips()',
|
||||
Object.assign({}, process.env, { 'OPENSSL_CONF': CNF_FIPS_OFF }));
|
||||
|
||||
// setFipsCrypto should be able to turn FIPS mode on
|
||||
testHelper(
|
||||
- compiledWithFips() ? 'stdout' : 'stderr',
|
||||
+ testFipsCrypto() ? 'stdout' : 'stderr',
|
||||
[],
|
||||
- compiledWithFips() ? FIPS_ENABLED : FIPS_ERROR_STRING,
|
||||
+ testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
|
||||
'(require("crypto").setFips(true),' +
|
||||
'require("crypto").getFips())',
|
||||
process.env);
|
||||
|
||||
// setFipsCrypto should be able to turn FIPS mode on and off
|
||||
testHelper(
|
||||
- compiledWithFips() ? 'stdout' : 'stderr',
|
||||
+ testFipsCrypto() ? 'stdout' : 'stderr',
|
||||
[],
|
||||
- compiledWithFips() ? FIPS_DISABLED : FIPS_ERROR_STRING,
|
||||
+ testFipsCrypto() ? FIPS_DISABLED : FIPS_UNSUPPORTED_ERROR_STRING,
|
||||
'(require("crypto").setFips(true),' +
|
||||
'require("crypto").setFips(false),' +
|
||||
'require("crypto").getFips())',
|
||||
@@ -187,27 +180,27 @@ testHelper(
|
||||
|
||||
// setFipsCrypto takes precedence over OpenSSL config file, FIPS on
|
||||
testHelper(
|
||||
- compiledWithFips() ? 'stdout' : 'stderr',
|
||||
+ testFipsCrypto() ? 'stdout' : 'stderr',
|
||||
[`--openssl-config=${CNF_FIPS_OFF}`],
|
||||
- compiledWithFips() ? FIPS_ENABLED : FIPS_ERROR_STRING,
|
||||
+ testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
|
||||
'(require("crypto").setFips(true),' +
|
||||
'require("crypto").getFips())',
|
||||
process.env);
|
||||
|
||||
// setFipsCrypto takes precedence over OpenSSL config file, FIPS off
|
||||
testHelper(
|
||||
- compiledWithFips() ? 'stdout' : 'stderr',
|
||||
+ 'stdout',
|
||||
[`--openssl-config=${CNF_FIPS_ON}`],
|
||||
- compiledWithFips() ? FIPS_DISABLED : FIPS_ERROR_STRING,
|
||||
+ FIPS_DISABLED,
|
||||
'(require("crypto").setFips(false),' +
|
||||
'require("crypto").getFips())',
|
||||
process.env);
|
||||
|
||||
// --enable-fips does not prevent use of setFipsCrypto API
|
||||
testHelper(
|
||||
- compiledWithFips() ? 'stdout' : 'stderr',
|
||||
+ testFipsCrypto() ? 'stdout' : 'stderr',
|
||||
['--enable-fips'],
|
||||
- compiledWithFips() ? FIPS_DISABLED : OPTION_ERROR_STRING,
|
||||
+ testFipsCrypto() ? FIPS_DISABLED : FIPS_UNSUPPORTED_ERROR_STRING,
|
||||
'(require("crypto").setFips(false),' +
|
||||
'require("crypto").getFips())',
|
||||
process.env);
|
||||
@@ -216,15 +209,15 @@ testHelper(
|
||||
testHelper(
|
||||
'stderr',
|
||||
['--force-fips'],
|
||||
- compiledWithFips() ? FIPS_ERROR_STRING2 : OPTION_ERROR_STRING,
|
||||
+ testFipsCrypto() ? FIPS_ERROR_STRING2 : FIPS_UNSUPPORTED_ERROR_STRING,
|
||||
'require("crypto").setFips(false)',
|
||||
process.env);
|
||||
|
||||
// --force-fips makes setFipsCrypto enable a no-op (FIPS stays on)
|
||||
testHelper(
|
||||
- compiledWithFips() ? 'stdout' : 'stderr',
|
||||
+ testFipsCrypto() ? 'stdout' : 'stderr',
|
||||
['--force-fips'],
|
||||
- compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
|
||||
+ testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
|
||||
'(require("crypto").setFips(true),' +
|
||||
'require("crypto").getFips())',
|
||||
process.env);
|
||||
@@ -233,7 +226,7 @@ testHelper(
|
||||
testHelper(
|
||||
'stderr',
|
||||
['--force-fips', '--enable-fips'],
|
||||
- compiledWithFips() ? FIPS_ERROR_STRING2 : OPTION_ERROR_STRING,
|
||||
+ testFipsCrypto() ? FIPS_ERROR_STRING2 : FIPS_UNSUPPORTED_ERROR_STRING,
|
||||
'require("crypto").setFips(false)',
|
||||
process.env);
|
||||
|
||||
@@ -241,6 +234,6 @@ testHelper(
|
||||
testHelper(
|
||||
'stderr',
|
||||
['--enable-fips', '--force-fips'],
|
||||
- compiledWithFips() ? FIPS_ERROR_STRING2 : OPTION_ERROR_STRING,
|
||||
+ testFipsCrypto() ? FIPS_ERROR_STRING2 : FIPS_UNSUPPORTED_ERROR_STRING,
|
||||
'require("crypto").setFips(false)',
|
||||
process.env);
|
||||
diff --git a/test/parallel/test-process-env-allowed-flags-are-documented.js b/test/parallel/test-process-env-allowed-flags-are-documented.js
|
||||
index 1c91444..1d1605d 100644
|
||||
--- a/test/parallel/test-process-env-allowed-flags-are-documented.js
|
||||
+++ b/test/parallel/test-process-env-allowed-flags-are-documented.js
|
||||
@@ -45,17 +45,8 @@ const conditionalOpts = [
|
||||
include: common.hasCrypto,
|
||||
filter: (opt) => {
|
||||
return ['--openssl-config', '--tls-cipher-list', '--use-bundled-ca',
|
||||
- '--use-openssl-ca' ].includes(opt);
|
||||
+ '--use-openssl-ca', '--enable-fips', '--force-fips' ].includes(opt);
|
||||
}
|
||||
- }, {
|
||||
- // We are using openssl_is_fips from the configuration because it could be
|
||||
- // the case that OpenSSL is FIPS compatible but fips has not been enabled
|
||||
- // (starting node with --enable-fips). If we use common.hasFipsCrypto
|
||||
- // that would only tells us if fips has been enabled, but in this case we
|
||||
- // want to check options which will be available regardless of whether fips
|
||||
- // is enabled at runtime or not.
|
||||
- include: process.config.variables.openssl_is_fips,
|
||||
- filter: (opt) => opt.includes('-fips')
|
||||
}, {
|
||||
include: common.hasIntl,
|
||||
filter: (opt) => opt === '--icu-data-dir'
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,99 +0,0 @@
|
||||
From 3ef951c3e17a56fe7bbb1b9f2c476ad55c52c287 Mon Sep 17 00:00:00 2001
|
||||
From: isaacs <i@izs.me>
|
||||
Date: Tue, 8 Dec 2020 14:21:50 -0800
|
||||
Subject: [PATCH] do not allow invalid hazardous string as section name
|
||||
|
||||
Signed-off-by: rpm-build <rpm-build>
|
||||
---
|
||||
deps/npm/node_modules/ini/ini.js | 8 +++++
|
||||
deps/npm/node_modules/ini/test/proto.js | 45 +++++++++++++++++++++++++
|
||||
2 files changed, 53 insertions(+)
|
||||
create mode 100644 deps/npm/node_modules/ini/test/proto.js
|
||||
|
||||
diff --git a/deps/npm/node_modules/ini/ini.js b/deps/npm/node_modules/ini/ini.js
|
||||
index 590195d..0401258 100644
|
||||
--- a/deps/npm/node_modules/ini/ini.js
|
||||
+++ b/deps/npm/node_modules/ini/ini.js
|
||||
@@ -80,6 +80,12 @@ function decode (str) {
|
||||
if (!match) return
|
||||
if (match[1] !== undefined) {
|
||||
section = unsafe(match[1])
|
||||
+ if (section === '__proto__') {
|
||||
+ // not allowed
|
||||
+ // keep parsing the section, but don't attach it.
|
||||
+ p = {}
|
||||
+ return
|
||||
+ }
|
||||
p = out[section] = out[section] || {}
|
||||
return
|
||||
}
|
||||
@@ -94,6 +100,7 @@ function decode (str) {
|
||||
// Convert keys with '[]' suffix to an array
|
||||
if (key.length > 2 && key.slice(-2) === '[]') {
|
||||
key = key.substring(0, key.length - 2)
|
||||
+ if (key === '__proto__') return
|
||||
if (!p[key]) {
|
||||
p[key] = []
|
||||
} else if (!Array.isArray(p[key])) {
|
||||
@@ -125,6 +132,7 @@ function decode (str) {
|
||||
var l = parts.pop()
|
||||
var nl = l.replace(/\\\./g, '.')
|
||||
parts.forEach(function (part, _, __) {
|
||||
+ if (part === '__proto__') return
|
||||
if (!p[part] || typeof p[part] !== 'object') p[part] = {}
|
||||
p = p[part]
|
||||
})
|
||||
diff --git a/deps/npm/node_modules/ini/test/proto.js b/deps/npm/node_modules/ini/test/proto.js
|
||||
new file mode 100644
|
||||
index 0000000..ab35533
|
||||
--- /dev/null
|
||||
+++ b/deps/npm/node_modules/ini/test/proto.js
|
||||
@@ -0,0 +1,45 @@
|
||||
+var ini = require('../')
|
||||
+var t = require('tap')
|
||||
+
|
||||
+var data = `
|
||||
+__proto__ = quux
|
||||
+foo = baz
|
||||
+[__proto__]
|
||||
+foo = bar
|
||||
+[other]
|
||||
+foo = asdf
|
||||
+[kid.__proto__.foo]
|
||||
+foo = kid
|
||||
+[arrproto]
|
||||
+hello = snyk
|
||||
+__proto__[] = you did a good job
|
||||
+__proto__[] = so you deserve arrays
|
||||
+thanks = true
|
||||
+`
|
||||
+var res = ini.parse(data)
|
||||
+t.deepEqual(res, {
|
||||
+ foo: 'baz',
|
||||
+ other: {
|
||||
+ foo: 'asdf',
|
||||
+ },
|
||||
+ kid: {
|
||||
+ foo: {
|
||||
+ foo: 'kid',
|
||||
+ },
|
||||
+ },
|
||||
+ arrproto: {
|
||||
+ hello: 'snyk',
|
||||
+ thanks: true,
|
||||
+ },
|
||||
+})
|
||||
+t.equal(res.__proto__, Object.prototype)
|
||||
+t.equal(res.kid.__proto__, Object.prototype)
|
||||
+t.equal(res.kid.foo.__proto__, Object.prototype)
|
||||
+t.equal(res.arrproto.__proto__, Object.prototype)
|
||||
+t.equal(Object.prototype.foo, undefined)
|
||||
+t.equal(Object.prototype[0], undefined)
|
||||
+t.equal(Object.prototype['0'], undefined)
|
||||
+t.equal(Object.prototype[1], undefined)
|
||||
+t.equal(Object.prototype['1'], undefined)
|
||||
+t.equal(Array.prototype[0], undefined)
|
||||
+t.equal(Array.prototype[1], undefined)
|
||||
--
|
||||
2.29.2
|
||||
|
180
SOURCES/0005-CVE-2021-23343-nodejs-path-parse.patch
Normal file
180
SOURCES/0005-CVE-2021-23343-nodejs-path-parse.patch
Normal file
@ -0,0 +1,180 @@
|
||||
https://github.com/jbgutierrez/path-parse/pull/10
|
||||
|
||||
From 72c38e3a36b8ed2ec03960ac659aa114cbe6a420 Mon Sep 17 00:00:00 2001
|
||||
From: Jeffrey Pinyan <jeffrey.pinyan@ithreat.com>
|
||||
Date: Thu, 13 May 2021 10:53:50 -0400
|
||||
Subject: [PATCH 1/2] fixed regexes to avoid ReDoS attacks
|
||||
|
||||
Signed-off-by: rpm-build <rpm-build>
|
||||
---
|
||||
deps/npm/node_modules/path-parse/index.js | 6 +++---
|
||||
deps/npm/node_modules/path-parse/redos.js | 20 ++++++++++++++++++++
|
||||
2 files changed, 23 insertions(+), 3 deletions(-)
|
||||
create mode 100644 deps/npm/node_modules/path-parse/redos.js
|
||||
|
||||
diff --git a/deps/npm/node_modules/path-parse/index.js b/deps/npm/node_modules/path-parse/index.js
|
||||
index 3b7601f..e6b2af1 100644
|
||||
--- a/deps/npm/node_modules/path-parse/index.js
|
||||
+++ b/deps/npm/node_modules/path-parse/index.js
|
||||
@@ -5,11 +5,11 @@ var isWindows = process.platform === 'win32';
|
||||
// Regex to split a windows path into three parts: [*, device, slash,
|
||||
// tail] windows-only
|
||||
var splitDeviceRe =
|
||||
- /^([a-zA-Z]:|[\\\/]{2}[^\\\/]+[\\\/]+[^\\\/]+)?([\\\/])?([\s\S]*?)$/;
|
||||
+ /^([a-zA-Z]:|[\\\/]{2}[^\\\/]+[\\\/]+[^\\\/]+)?([\\\/])?(.*)$/s;
|
||||
|
||||
// Regex to split the tail part of the above into [*, dir, basename, ext]
|
||||
var splitTailRe =
|
||||
- /^([\s\S]*?)((?:\.{1,2}|[^\\\/]+?|)(\.[^.\/\\]*|))(?:[\\\/]*)$/;
|
||||
+ /^((?:[^\\\/]*[\\\/])*)((?:\.{1,2}|[^\\\/]+?|)(\.[^.\/\\]*|))(?:[\\\/]*)$/;
|
||||
|
||||
var win32 = {};
|
||||
|
||||
@@ -51,7 +51,7 @@ win32.parse = function(pathString) {
|
||||
// Split a filename into [root, dir, basename, ext], unix version
|
||||
// 'root' is just a slash, or nothing.
|
||||
var splitPathRe =
|
||||
- /^(\/?|)([\s\S]*?)((?:\.{1,2}|[^\/]+?|)(\.[^.\/]*|))(?:[\/]*)$/;
|
||||
+ /^(\/?|)((?:[^\/]*\/)*)((?:\.{1,2}|[^\/]+?|)(\.[^.\/]*|))(?:[\/]*)$/;
|
||||
var posix = {};
|
||||
|
||||
|
||||
diff --git a/deps/npm/node_modules/path-parse/redos.js b/deps/npm/node_modules/path-parse/redos.js
|
||||
new file mode 100644
|
||||
index 0000000..261947f
|
||||
--- /dev/null
|
||||
+++ b/deps/npm/node_modules/path-parse/redos.js
|
||||
@@ -0,0 +1,20 @@
|
||||
+var pathParse = require('.');
|
||||
+
|
||||
+function build_attack(n) {
|
||||
+ var ret = ""
|
||||
+ for (var i = 0; i < n; i++) {
|
||||
+ ret += "/"
|
||||
+ }
|
||||
+ return ret + "◎";
|
||||
+}
|
||||
+
|
||||
+for(var i = 1; i <= 5000000; i++) {
|
||||
+ if (i % 10000 == 0) {
|
||||
+ var time = Date.now();
|
||||
+ var attack_str = build_attack(i)
|
||||
+ pathParse.posix(attack_str);
|
||||
+ pathParse.win32(attack_str);
|
||||
+ var time_cost = Date.now() - time;
|
||||
+ console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")
|
||||
+ }
|
||||
+}
|
||||
--
|
||||
2.31.1
|
||||
|
||||
|
||||
From 44d1c9cd047988bb819707c726d9640f8aabe04d Mon Sep 17 00:00:00 2001
|
||||
From: Jeffrey Pinyan <jeffrey.pinyan@ithreat.com>
|
||||
Date: Thu, 13 May 2021 11:51:45 -0400
|
||||
Subject: [PATCH 2/2] streamlined regexes, simplified parse() returns
|
||||
|
||||
Signed-off-by: rpm-build <rpm-build>
|
||||
---
|
||||
deps/npm/node_modules/path-parse/index.js | 52 ++++++++---------------
|
||||
1 file changed, 17 insertions(+), 35 deletions(-)
|
||||
|
||||
diff --git a/deps/npm/node_modules/path-parse/index.js b/deps/npm/node_modules/path-parse/index.js
|
||||
index e6b2af1..f062d0a 100644
|
||||
--- a/deps/npm/node_modules/path-parse/index.js
|
||||
+++ b/deps/npm/node_modules/path-parse/index.js
|
||||
@@ -2,29 +2,14 @@
|
||||
|
||||
var isWindows = process.platform === 'win32';
|
||||
|
||||
-// Regex to split a windows path into three parts: [*, device, slash,
|
||||
-// tail] windows-only
|
||||
-var splitDeviceRe =
|
||||
- /^([a-zA-Z]:|[\\\/]{2}[^\\\/]+[\\\/]+[^\\\/]+)?([\\\/])?(.*)$/s;
|
||||
-
|
||||
-// Regex to split the tail part of the above into [*, dir, basename, ext]
|
||||
-var splitTailRe =
|
||||
- /^((?:[^\\\/]*[\\\/])*)((?:\.{1,2}|[^\\\/]+?|)(\.[^.\/\\]*|))(?:[\\\/]*)$/;
|
||||
+// Regex to split a windows path into into [dir, root, basename, name, ext]
|
||||
+var splitWindowsRe =
|
||||
+ /^(((?:[a-zA-Z]:|[\\\/]{2}[^\\\/]+[\\\/]+[^\\\/]+)?[\\\/]?)(?:[^\\\/]*[\\\/])*)((\.{1,2}|[^\\\/]+?|)(\.[^.\/\\]*|))[\\\/]*$/;
|
||||
|
||||
var win32 = {};
|
||||
|
||||
-// Function to split a filename into [root, dir, basename, ext]
|
||||
function win32SplitPath(filename) {
|
||||
- // Separate device+slash from tail
|
||||
- var result = splitDeviceRe.exec(filename),
|
||||
- device = (result[1] || '') + (result[2] || ''),
|
||||
- tail = result[3] || '';
|
||||
- // Split the tail into dir, basename and extension
|
||||
- var result2 = splitTailRe.exec(tail),
|
||||
- dir = result2[1],
|
||||
- basename = result2[2],
|
||||
- ext = result2[3];
|
||||
- return [device, dir, basename, ext];
|
||||
+ return splitWindowsRe.exec(filename).slice(1);
|
||||
}
|
||||
|
||||
win32.parse = function(pathString) {
|
||||
@@ -34,24 +19,24 @@ win32.parse = function(pathString) {
|
||||
);
|
||||
}
|
||||
var allParts = win32SplitPath(pathString);
|
||||
- if (!allParts || allParts.length !== 4) {
|
||||
+ if (!allParts || allParts.length !== 5) {
|
||||
throw new TypeError("Invalid path '" + pathString + "'");
|
||||
}
|
||||
return {
|
||||
- root: allParts[0],
|
||||
- dir: allParts[0] + allParts[1].slice(0, -1),
|
||||
+ root: allParts[1],
|
||||
+ dir: allParts[0] === allParts[1] ? allParts[0] : allParts[0].slice(0, -1),
|
||||
base: allParts[2],
|
||||
- ext: allParts[3],
|
||||
- name: allParts[2].slice(0, allParts[2].length - allParts[3].length)
|
||||
+ ext: allParts[4],
|
||||
+ name: allParts[3]
|
||||
};
|
||||
};
|
||||
|
||||
|
||||
|
||||
-// Split a filename into [root, dir, basename, ext], unix version
|
||||
+// Split a filename into [dir, root, basename, name, ext], unix version
|
||||
// 'root' is just a slash, or nothing.
|
||||
var splitPathRe =
|
||||
- /^(\/?|)((?:[^\/]*\/)*)((?:\.{1,2}|[^\/]+?|)(\.[^.\/]*|))(?:[\/]*)$/;
|
||||
+ /^((\/?)(?:[^\/]*\/)*)((\.{1,2}|[^\/]+?|)(\.[^.\/]*|))[\/]*$/;
|
||||
var posix = {};
|
||||
|
||||
|
||||
@@ -67,19 +52,16 @@ posix.parse = function(pathString) {
|
||||
);
|
||||
}
|
||||
var allParts = posixSplitPath(pathString);
|
||||
- if (!allParts || allParts.length !== 4) {
|
||||
+ if (!allParts || allParts.length !== 5) {
|
||||
throw new TypeError("Invalid path '" + pathString + "'");
|
||||
}
|
||||
- allParts[1] = allParts[1] || '';
|
||||
- allParts[2] = allParts[2] || '';
|
||||
- allParts[3] = allParts[3] || '';
|
||||
-
|
||||
+
|
||||
return {
|
||||
- root: allParts[0],
|
||||
- dir: allParts[0] + allParts[1].slice(0, -1),
|
||||
+ root: allParts[1],
|
||||
+ dir: allParts[0].slice(0, -1),
|
||||
base: allParts[2],
|
||||
- ext: allParts[3],
|
||||
- name: allParts[2].slice(0, allParts[2].length - allParts[3].length)
|
||||
+ ext: allParts[4],
|
||||
+ name: allParts[3],
|
||||
};
|
||||
};
|
||||
|
||||
--
|
||||
2.31.1
|
||||
|
@ -15,7 +15,7 @@
|
||||
# This is used by both the nodejs package and the npm subpackage thar
|
||||
# has a separate version - the name is special so that rpmdev-bumpspec
|
||||
# will bump this rather than adding .1 to the end.
|
||||
%global baserelease 2
|
||||
%global baserelease 1
|
||||
|
||||
%{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}
|
||||
|
||||
@ -26,8 +26,8 @@
|
||||
# than a Fedora release lifecycle.
|
||||
%global nodejs_epoch 1
|
||||
%global nodejs_major 14
|
||||
%global nodejs_minor 15
|
||||
%global nodejs_patch 4
|
||||
%global nodejs_minor 17
|
||||
%global nodejs_patch 5
|
||||
%global nodejs_abi %{nodejs_major}.%{nodejs_minor}
|
||||
%if %{?with_libs} == 1
|
||||
# nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
|
||||
@ -45,7 +45,7 @@
|
||||
%global v8_major 8
|
||||
%global v8_minor 4
|
||||
%global v8_build 371
|
||||
%global v8_patch 19
|
||||
%global v8_patch 23
|
||||
# V8 presently breaks ABI at least every x.y release while never bumping SONAME
|
||||
%global v8_abi %{v8_major}.%{v8_minor}
|
||||
%global v8_version %{v8_major}.%{v8_minor}.%{v8_build}.%{v8_patch}
|
||||
@ -54,8 +54,8 @@
|
||||
# c-ares - from deps/cares/include/ares_version.h
|
||||
# https://github.com/nodejs/node/pull/9332
|
||||
%global c_ares_major 1
|
||||
%global c_ares_minor 16
|
||||
%global c_ares_patch 1
|
||||
%global c_ares_minor 17
|
||||
%global c_ares_patch 2
|
||||
%global c_ares_version %{c_ares_major}.%{c_ares_minor}.%{c_ares_patch}
|
||||
|
||||
# llhttp - from deps/llhttp/include/llhttp.h
|
||||
@ -66,18 +66,18 @@
|
||||
|
||||
# libuv - from deps/uv/include/uv/version.h
|
||||
%global libuv_major 1
|
||||
%global libuv_minor 40
|
||||
%global libuv_minor 41
|
||||
%global libuv_patch 0
|
||||
%global libuv_version %{libuv_major}.%{libuv_minor}.%{libuv_patch}
|
||||
|
||||
# nghttp2 - from deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h
|
||||
%global nghttp2_major 1
|
||||
%global nghttp2_minor 41
|
||||
%global nghttp2_minor 42
|
||||
%global nghttp2_patch 0
|
||||
%global nghttp2_version %{nghttp2_major}.%{nghttp2_minor}.%{nghttp2_patch}
|
||||
|
||||
# ICU - from tools/icu/current_ver.dep
|
||||
%global icu_major 67
|
||||
%global icu_major 69
|
||||
%global icu_minor 1
|
||||
%global icu_version %{icu_major}.%{icu_minor}
|
||||
|
||||
@ -110,7 +110,7 @@
|
||||
%global npm_epoch 1
|
||||
%global npm_major 6
|
||||
%global npm_minor 14
|
||||
%global npm_patch 10
|
||||
%global npm_patch 14
|
||||
%global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}
|
||||
|
||||
# uvwasi - from deps/uvwasi/include/uvwasi.h
|
||||
@ -165,15 +165,13 @@ Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
|
||||
Patch2: 0002-Install-both-binaries-and-use-libdir.patch
|
||||
%endif
|
||||
|
||||
# RHBZ#1915296 - yarn install crashes with nodejs:14 on aarch64
|
||||
Patch3: 0003-yarn-not-installable-on-aarch64.patch
|
||||
# Make FIPS always available
|
||||
# https://github.com/nodejs/node/issues/34903
|
||||
Patch3: 0004-always-available-fips-options.patch
|
||||
|
||||
# CVE-2020-7774
|
||||
Patch4: 0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch
|
||||
|
||||
# CVE-2020-7788
|
||||
Patch5: 0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch
|
||||
Patch4: 0005-CVE-2021-23343-nodejs-path-parse.patch
|
||||
|
||||
BuildRequires: make
|
||||
BuildRequires: python3-devel
|
||||
BuildRequires: zlib-devel
|
||||
BuildRequires: brotli-devel
|
||||
@ -185,12 +183,12 @@ BuildRequires: gcc-c++ >= 6.3.0
|
||||
BuildRequires: nodejs-packaging
|
||||
BuildRequires: chrpath
|
||||
BuildRequires: libatomic
|
||||
BuildRequires: systemtap-sdt-devel
|
||||
|
||||
%if %{with bootstrap}
|
||||
Provides: bundled(libuv) = %{libuv_version}
|
||||
Provides: bundled(nghttp2) = %{nghttp2_version}
|
||||
%else
|
||||
BuildRequires: systemtap-sdt-devel
|
||||
BuildRequires: libuv-devel >= 1:%{libuv_version}
|
||||
Requires: libuv >= 1:%{libuv_version}
|
||||
BuildRequires: libnghttp2-devel >= %{nghttp2_version}
|
||||
@ -444,8 +442,8 @@ export LDFLAGS="%{build_ldflags}"
|
||||
--shared-brotli \
|
||||
--without-dtrace \
|
||||
--with-intl=small-icu \
|
||||
--debug-nghttp2 \
|
||||
--openssl-use-def-ca-store
|
||||
--openssl-use-def-ca-store \
|
||||
--openssl-default-cipher-list=PROFILE=SYSTEM
|
||||
%else
|
||||
%{__python3} configure.py --prefix=%{_prefix} \
|
||||
--shared \
|
||||
@ -458,8 +456,8 @@ export LDFLAGS="%{build_ldflags}"
|
||||
--with-dtrace \
|
||||
--with-intl=small-icu \
|
||||
--with-icu-default-data-dir=%{icudatadir} \
|
||||
--debug-nghttp2 \
|
||||
--openssl-use-def-ca-store
|
||||
--openssl-use-def-ca-store \
|
||||
--openssl-default-cipher-list=PROFILE=SYSTEM
|
||||
%endif
|
||||
%else
|
||||
%if %{with bootstrap}
|
||||
@ -469,8 +467,8 @@ export LDFLAGS="%{build_ldflags}"
|
||||
--shared-brotli \
|
||||
--without-dtrace \
|
||||
--with-intl=small-icu \
|
||||
--debug-nghttp2 \
|
||||
--openssl-use-def-ca-store
|
||||
--openssl-use-def-ca-store \
|
||||
--openssl-default-cipher-list=PROFILE=SYSTEM
|
||||
%else
|
||||
%{__python3} configure.py --prefix=%{_prefix} \
|
||||
--shared-openssl \
|
||||
@ -481,8 +479,8 @@ export LDFLAGS="%{build_ldflags}"
|
||||
--with-dtrace \
|
||||
--with-intl=small-icu \
|
||||
--with-icu-default-data-dir=%{icudatadir} \
|
||||
--debug-nghttp2 \
|
||||
--openssl-use-def-ca-store
|
||||
--openssl-use-def-ca-store \
|
||||
--openssl-default-cipher-list=PROFILE=SYSTEM
|
||||
%endif
|
||||
%endif
|
||||
|
||||
@ -546,6 +544,7 @@ for header in %{buildroot}%{_includedir}/node/libplatform %{buildroot}%{_include
|
||||
header=$(basename ${header})
|
||||
ln -s %{_includedir}/node/${header} %{buildroot}%{_includedir}/${header}
|
||||
done
|
||||
ln -s ./node/cppgc %{buildroot}%{_includedir}/cppgc
|
||||
for soname in libv8 libv8_libbase libv8_libplatform; do
|
||||
ln -s %{_libdir}/libnode.so.%{nodejs_soversion} %{buildroot}%{_libdir}/${soname}.so
|
||||
ln -s %{_libdir}/libnode.so.%{nodejs_soversion} %{buildroot}%{_libdir}/${soname}.so.%{v8_major}
|
||||
@ -682,7 +681,7 @@ if st and st.type == "directory" then
|
||||
end
|
||||
end
|
||||
|
||||
-- Replace the npm HTML docs directory with a symlink
|
||||
-- Replace the npm docs directory with a symlink
|
||||
-- Drop this scriptlet when F31 is EOL
|
||||
path = "%{_prefix}/lib/node_modules/npm/html"
|
||||
st = posix.stat(path)
|
||||
@ -698,7 +697,7 @@ if st and st.type == "directory" then
|
||||
end
|
||||
end
|
||||
|
||||
-- Replace the npm HTML man directory with a symlink
|
||||
-- Replace the npm man directory with a symlink
|
||||
-- Drop this scriptlet when F31 is EOL
|
||||
path = "%{_prefix}/lib/node_modules/npm/man"
|
||||
st = posix.stat(path)
|
||||
@ -786,6 +785,7 @@ end
|
||||
%files -n v8-devel
|
||||
%{_includedir}/libplatform
|
||||
%{_includedir}/v8*.h
|
||||
%{_includedir}/cppgc
|
||||
%{_libdir}/libv8.so
|
||||
%{_libdir}/libv8_libbase.so
|
||||
%{_libdir}/libv8_libplatform.so
|
||||
@ -828,19 +828,54 @@ end
|
||||
|
||||
|
||||
%changelog
|
||||
* Tue Aug 17 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.17.5-1
|
||||
- Resolves CVE-2021-22930, CVE-2021-22931, CVE-2021-22939, CVE-2021-22940,
|
||||
- CVE-2021-23343, CVE-2021-32803, CVE-2021-32804, CVE-2021-3672
|
||||
- Resolves RHBZ#1847529 (make FIPS always available)
|
||||
- Resolves: RHBZ#1988599, RHBZ#1994000, RHBZ#1993998, RHBZ#1993095
|
||||
- Resolves: RHBZ#1994028, RHBZ#1994402, RHBZ#1994406, RHBZ#1994398
|
||||
- Resolves: RHBZ#1993924 (make FIPS always available)
|
||||
|
||||
* Mon Aug 09 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.17.3-3
|
||||
- Resolves: RHBZ#1991584, RHBZ#1991578
|
||||
- Resolves CVE-2021-23362 CVE-2021-27290
|
||||
- Bump for missing mentions of CVEs
|
||||
|
||||
* Thu Jul 08 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.17.3-2
|
||||
- Resolves: RHBZ#1980032, RHBZ#1978203
|
||||
- Resolves RHBZ#1842826
|
||||
- Don't use patch3
|
||||
|
||||
* Thu Jul 08 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.17.3-1
|
||||
- Resolves: RHBZ#1980032, RHBZ#1978203
|
||||
- Resolves RHBZ#1842826
|
||||
- Resolves CVE-2021-22918(libuv), use system cipher list
|
||||
|
||||
* Wed Mar 10 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.16.0-3
|
||||
- Resolves: RHBZ#1930775
|
||||
- Always build with systemtap
|
||||
|
||||
* Mon Mar 01 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.16.0-2
|
||||
- Resolves: RHBZ#1930775
|
||||
- remove --debug-nghttp2 option
|
||||
|
||||
* Mon Mar 01 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.16.0-1
|
||||
- Resolves: RHBZ#1932318, RHBZ#1932366
|
||||
- Rebase, remove ini patch
|
||||
|
||||
* Tue Jan 26 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.15.4-2
|
||||
- Add patch for yarn crash
|
||||
- Resolves: RHBZ#1916465
|
||||
- Resolves: RHBZ#1915296
|
||||
|
||||
* Tue Jan 19 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.15.4-1
|
||||
- Security rebase to 14.15.4
|
||||
- https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/
|
||||
- Resolves: RHBZ#1916463, RHBZ#1914788
|
||||
- Resolves: RHBZ#1914785, RHBZ#1916387, RHBZ#1916389, RHBZ#1916390, RHBZ#1916690
|
||||
- Resolves: RHBZ#1913001, RHBZ#1912953
|
||||
- Resolves: RHBZ#1912636, RHBZ#1898602, RHBZ#1898768, RHBZ#1893987, RHBZ#1893184
|
||||
|
||||
* Thu Oct 29 2020 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.15.0-1
|
||||
- Resolves: RHBZ#1858864
|
||||
- Update to LTS release
|
||||
- Rebase: RHBZ#1891809
|
||||
|
||||
* Mon Sep 21 2020 Jan Staněk <jstanek@redhat.com> - 1:14.11.0-1
|
||||
- Security update to 14.11.0
|
||||
|
Loading…
Reference in New Issue
Block a user