import nodejs-10.23.1-1.module+el8.3.0+9502+012d8a97

.gitignore

@@ -1,2 +1,2 @@
 SOURCES/icu4c-64_2-src.tgz
-SOURCES/node-v10.22.1-stripped.tar.gz
+SOURCES/node-v10.23.1-stripped.tar.gz

.nodejs.metadata

@@ -1,2 +1,2 @@
 3127155ecf2b75ab4835f501b7478e39c07bb852 SOURCES/icu4c-64_2-src.tgz
-a01d2d98c34466fa8fe50658fbddae1bcc11b486 SOURCES/node-v10.22.1-stripped.tar.gz
+21b2943f71c0aa6c9271da21c3f09f52451be8fa SOURCES/node-v10.23.1-stripped.tar.gz

SOURCES/0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch

@@ -0,0 +1,13 @@
+diff --git a/deps/npm/node_modules/y18n/index.js b/deps/npm/node_modules/y18n/index.js
+index d720681628..727362aac0 100644
+--- a/deps/npm/node_modules/y18n/index.js
++++ b/deps/npm/node_modules/y18n/index.js
+@@ -11,7 +11,7 @@ function Y18N (opts) {
+   this.fallbackToLanguage = typeof opts.fallbackToLanguage === 'boolean' ? opts.fallbackToLanguage : true
+ 
+   // internal stuff.
+-  this.cache = {}
++  this.cache = Object.create(null)
+   this.writeQueue = []
+ }
+ 

SOURCES/0004-dot-prop-patch-4.2.0-with-fixes-for-CVE-2020-8116.patch

@@ -1,103 +0,0 @@
-From 6aaa4f232f872ffbb60b8a2e2282748e22a9891f Mon Sep 17 00:00:00 2001
-From: Marco Carini <cmdcarini@gmail.com>
-Date: Mon, 3 Aug 2020 17:16:07 -0500
-Subject: [PATCH] dot-prop: patch 4.2.0 with fixes for CVE-2020-8116
-
-Signed-off-by: rpm-build <rpm-build>
----
- deps/npm/node_modules/dot-prop/index.js     | 18 ++++++++++++++++++
- deps/npm/node_modules/dot-prop/package.json |  6 +++---
- deps/npm/node_modules/dot-prop/readme.md    |  2 ++
- 3 files changed, 23 insertions(+), 3 deletions(-)
-
-diff --git a/deps/npm/node_modules/dot-prop/index.js b/deps/npm/node_modules/dot-prop/index.js
-index 15282bb..189831c 100644
---- a/deps/npm/node_modules/dot-prop/index.js
-+++ b/deps/npm/node_modules/dot-prop/index.js
-@@ -1,6 +1,14 @@
- 'use strict';
- const isObj = require('is-obj');
- 
-+const disallowedKeys = [
-+	'__proto__',
-+	'prototype',
-+	'constructor'
-+];
-+
-+const isValidPath = pathSegments => !pathSegments.some(segment => disallowedKeys.includes(segment));
-+
- function getPathSegments(path) {
- 	const pathArr = path.split('.');
- 	const parts = [];
-@@ -16,6 +24,10 @@ function getPathSegments(path) {
- 		parts.push(p);
- 	}
- 
-+	if (!isValidPath(parts)) {
-+		return [];
-+	}
-+
- 	return parts;
- }
- 
-@@ -26,6 +38,9 @@ module.exports = {
- 		}
- 
- 		const pathArr = getPathSegments(path);
-+		if (pathArr.length === 0) {
-+			return;
-+		}
- 
- 		for (let i = 0; i < pathArr.length; i++) {
- 			if (!Object.prototype.propertyIsEnumerable.call(obj, pathArr[i])) {
-@@ -58,6 +73,9 @@ module.exports = {
- 
- 		const root = obj;
- 		const pathArr = getPathSegments(path);
-+		if (pathArr.length === 0) {
-+			return;
-+		}
- 
- 		for (let i = 0; i < pathArr.length; i++) {
- 			const p = pathArr[i];
-diff --git a/deps/npm/node_modules/dot-prop/package.json b/deps/npm/node_modules/dot-prop/package.json
-index 40fefa3..93daf7d 100644
---- a/deps/npm/node_modules/dot-prop/package.json
-+++ b/deps/npm/node_modules/dot-prop/package.json
-@@ -37,9 +37,9 @@
-   "deprecated": false,
-   "description": "Get, set, or delete a property from a nested object using a dot path",
-   "devDependencies": {
--    "ava": "*",
-+    "ava": "1.4.1",
-     "matcha": "^0.7.0",
--    "xo": "*"
-+    "xo": "0.24.0"
-   },
-   "engines": {
-     "node": ">=4"
-@@ -73,7 +73,7 @@
-     "bench": "matcha bench.js",
-     "test": "xo && ava"
-   },
--  "version": "4.2.0",
-+  "version": "4.2.1",
-   "xo": {
-     "esnext": true
-   }
-diff --git a/deps/npm/node_modules/dot-prop/readme.md b/deps/npm/node_modules/dot-prop/readme.md
-index fab3b7a..0e18f78 100644
---- a/deps/npm/node_modules/dot-prop/readme.md
-+++ b/deps/npm/node_modules/dot-prop/readme.md
-@@ -85,6 +85,8 @@ Path of the property in the object, using `.` to separate each nested key.
- 
- Use `\\.` if you have a `.` in the key.
- 
-+The following path components are invalid and results in `undefined` being returned: `__proto__`, `prototype`, `constructor`.
-+
- #### value
- 
- Type: `any`
--- 
-2.26.2
-

SOURCES/0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch

@@ -0,0 +1,99 @@
+From cdd56e89bf13b495e5b97cc4416f61638617d7f4 Mon Sep 17 00:00:00 2001
+From: isaacs <i@izs.me>
+Date: Tue, 8 Dec 2020 14:21:50 -0800
+Subject: [PATCH] do not allow invalid hazardous string as section name
+
+Signed-off-by: rpm-build <rpm-build>
+---
+ deps/npm/node_modules/ini/ini.js        |  8 +++++
+ deps/npm/node_modules/ini/test/proto.js | 45 +++++++++++++++++++++++++
+ 2 files changed, 53 insertions(+)
+ create mode 100644 deps/npm/node_modules/ini/test/proto.js
+
+diff --git a/deps/npm/node_modules/ini/ini.js b/deps/npm/node_modules/ini/ini.js
+index 590195d..0401258 100644
+--- a/deps/npm/node_modules/ini/ini.js
++++ b/deps/npm/node_modules/ini/ini.js
+@@ -80,6 +80,12 @@ function decode (str) {
+     if (!match) return
+     if (match[1] !== undefined) {
+       section = unsafe(match[1])
++      if (section === '__proto__') {
++        // not allowed
++        // keep parsing the section, but don't attach it.
++        p = {}
++        return
++      }
+       p = out[section] = out[section] || {}
+       return
+     }
+@@ -94,6 +100,7 @@ function decode (str) {
+     // Convert keys with '[]' suffix to an array
+     if (key.length > 2 && key.slice(-2) === '[]') {
+       key = key.substring(0, key.length - 2)
++      if (key === '__proto__') return
+       if (!p[key]) {
+         p[key] = []
+       } else if (!Array.isArray(p[key])) {
+@@ -125,6 +132,7 @@ function decode (str) {
+     var l = parts.pop()
+     var nl = l.replace(/\\\./g, '.')
+     parts.forEach(function (part, _, __) {
++      if (part === '__proto__') return
+       if (!p[part] || typeof p[part] !== 'object') p[part] = {}
+       p = p[part]
+     })
+diff --git a/deps/npm/node_modules/ini/test/proto.js b/deps/npm/node_modules/ini/test/proto.js
+new file mode 100644
+index 0000000..ab35533
+--- /dev/null
++++ b/deps/npm/node_modules/ini/test/proto.js
+@@ -0,0 +1,45 @@
++var ini = require('../')
++var t = require('tap')
++
++var data = `
++__proto__ = quux
++foo = baz
++[__proto__]
++foo = bar
++[other]
++foo = asdf
++[kid.__proto__.foo]
++foo = kid
++[arrproto]
++hello = snyk
++__proto__[] = you did a good job
++__proto__[] = so you deserve arrays
++thanks = true
++`
++var res = ini.parse(data)
++t.deepEqual(res, {
++  foo: 'baz',
++  other: {
++    foo: 'asdf',
++  },
++  kid: {
++    foo: {
++      foo: 'kid',
++    },
++  },
++  arrproto: {
++    hello: 'snyk',
++    thanks: true,
++  },
++})
++t.equal(res.__proto__, Object.prototype)
++t.equal(res.kid.__proto__, Object.prototype)
++t.equal(res.kid.foo.__proto__, Object.prototype)
++t.equal(res.arrproto.__proto__, Object.prototype)
++t.equal(Object.prototype.foo, undefined)
++t.equal(Object.prototype[0], undefined)
++t.equal(Object.prototype['0'], undefined)
++t.equal(Object.prototype[1], undefined)
++t.equal(Object.prototype['1'], undefined)
++t.equal(Array.prototype[0], undefined)
++t.equal(Array.prototype[1], undefined)
+-- 
+2.29.2
+

SPECS/nodejs.spec

@@ -24,7 +24,7 @@
 # than a Fedora release lifecycle.
 %global nodejs_epoch 1
 %global nodejs_major 10
-%global nodejs_minor 22
+%global nodejs_minor 23
 %global nodejs_patch 1
 %global nodejs_abi %{nodejs_major}.%{nodejs_minor}
 # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
@@ -57,7 +57,7 @@
 # http-parser - from deps/http_parser/http_parser.h
 %global http_parser_major 2
 %global http_parser_minor 9
-%global http_parser_patch 3
+%global http_parser_patch 4
 %global http_parser_version %{http_parser_major}.%{http_parser_minor}.%{http_parser_patch}
 
 # libuv - from deps/uv/include/uv/version.h
@@ -94,7 +94,7 @@
 %global npm_epoch 1
 %global npm_major 6
 %global npm_minor 14
-%global npm_patch 6
+%global npm_patch 10
 %global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}
 
 # In order to avoid needing to keep incrementing the release version for the
@@ -103,7 +103,7 @@
 # base npm version number is increasing.
 %global npm_release %{nodejs_epoch}.%{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}.%{nodejs_release}
 
-# brotli - from deps/brotli/common/version.h
+# brotli - from deps/brotli/c/common/version.h
 # v10.x doesn't have --shared-brotli configure option, so we have to bundle it
 %global brotli_major 1
 %global brotli_minor 0
@@ -146,8 +146,11 @@ Patch2: 0002-Suppress-NPM-message-to-run-global-update.patch
 # https://github.com/nodejs/node/pull/30825
 Patch3: 0003-build-auto-load-ICU-data-from-with-icu-default-data-.patch
 
-# CVE-2020-8116
+# CVE-2020-7774
-Patch4: 0004-dot-prop-patch-4.2.0-with-fixes-for-CVE-2020-8116.patch
+Patch4: 0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch
+
+# CVE-2020-7788
+Patch5: 0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch
 
 BuildRequires: python2-devel
 BuildRequires: python3-devel
@@ -622,6 +625,15 @@ end
 
 
 %changelog
+* Mon Jan 18 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:10.23.1-1
+- January Security release
+- https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/
+- Rebase to 10.23.1
+- Resolves: RHBZ#1916461, RHBZ#1914789
+- Resolves: RHBZ#1914783, RHBZ#1916462, RHBZ#1916395, RHBZ#1916459
+- Resolves: RHBZ#1916691, RHBZ#1916689, RHBZ#1916388
+- Remove dot-prop patch, as it is fixed by npm rebase
+
 * Tue Sep 22 2020 Jan Staněk <jstanek@redhat.com> - 1:10.22.1-1
 - Security rebase to 10.22.1