From 376ea0df4f1b12588df8bd58e3435da095586ac4 Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Tue, 22 Feb 2022 16:24:09 +0800
Subject: [PATCH] fix CVE-2020-28282
---
 CVE-2020-28282.patch | 55 +++++++++++++++++++++++++++++++++++++++++++
 nodejs-getobject.spec | 7 +++++-
 2 files changed, 61 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2020-28282.patch
diff --git a/CVE-2020-28282.patch b/CVE-2020-28282.patch
new file mode 100644
index 0000000..996f93a
--- /dev/null
+++ b/CVE-2020-28282.patch
@@ -0,0 +1,55 @@
+From 84071748fa407caa8f824e0d0b9c1cde9ec56633 Mon Sep 17 00:00:00 2001
+From: Vlad Filippov
+Date: Wed, 10 Mar 2021 23:07:02 -0500
+Subject: [PATCH] Do not allow setting of __proto__
+
+---
+ lib/getobject.js | 4 ++++
+ package.json | 2 +-
+ test/namespace_test.js | 8 ++++++++
+ 3 files changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/lib/getobject.js b/lib/getobject.js
+index e4006fe..7d6aa12 100644
+--- a/lib/getobject.js
++++ b/lib/getobject.js
+@@ -41,6 +41,10 @@ getobject.get = function(obj, parts, create) {
+ // as we go.
+ getobject.set = function(obj, parts, value) {
+ parts = getParts(parts);
++ if (parts.includes('__proto__')) {
++ // do not allow setting of __proto__. See CVE-2020-28282.
++ return;
++ }
+
+ var prop = parts.pop();
+ obj = getobject.get(obj, parts, true);
+diff --git a/package.json b/package.json
+index 2562e1d..07a7000 100644
+--- a/package.json
++++ b/package.json
+@@ -29,7 +29,7 @@
+ },
+ "devDependencies": {
+ "grunt-contrib-jshint": "~0.1.1",
+- "grunt-contrib-nodeunit": "~0.1.2",
++ "grunt-contrib-nodeunit": "~2.1.0",
+ "grunt-contrib-watch": "~0.2.0",
+ "grunt": "~0.4.1"
+ },
+diff --git a/test/namespace_test.js b/test/namespace_test.js
+index 2e1c2ae..a776b8e 100644
+--- a/test/namespace_test.js
++++ b/test/namespace_test.js
+@@ -49,3 +49,11 @@ exports.exists = function(test) {
+ test.equal(getobject.exists(obj, 'a.b.x'), false, 'nonexistent property should not exist.');
+ test.done();
+ };
++
++exports.proto = function(test) {
++ var obj = {};
++ test.equal(getobject.exists(obj, 'isAdmin'), false);
++ getobject.set(obj, '__proto__.isAdmin', true);
++ test.equal(getobject.exists(obj, 'isAdmin'), false);
++ test.done();
++};
diff --git a/nodejs-getobject.spec b/nodejs-getobject.spec
index 19c0e6c..9334e57 100644
--- a/nodejs-getobject.spec
+++ b/nodejs-getobject.spec
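Review bot: The guard added to `getobject.set` rejects only the literal `__proto__` segment, while `getobject.get(obj, parts, true)` on the following line still walks arbitrary property names, and on a plain object `constructor` followed by `prototype` presumably reaches `Object.prototype` through the same walk, so the fix looks incomplete. A denylist covering all three names keeps the file's ES5 style, e.g. `if (parts.some(function(p) { return p === '__proto__' || p === 'constructor' || p === 'prototype'; })) {`, and a more robust option is to have `get` refuse to descend into inherited properties (an `hasOwnProperty` check) when `create` is set. The bare `return;` also hides the refusal from callers; either throw, or at least extend the comment to `// refuse prototype-chain keys; returns without modifying obj` so the no-op is documented. The regression test in `test/namespace_test.js` only exercises `__proto__`, so a second case for the `constructor.prototype` path would be needed to pin the wider guard. The body of `getobject.set` continues past the quoted hunk, and `getobject.exists`, which the test relies on, is not visible here.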
@@ -2,11 +2,12 @@
 %global enable_tests 0
 Name: nodejs-getobject
 Version: 0.1.0
-Release: 1
+Release: 2
 Summary: Get and set deep objects easily
 License: MIT
 URL: https://github.com/cowboy/node-getobject
 Source0: http://registry.npmjs.org/getobject/-/getobject-%{version}.tgz
+Patch0: CVE-2020-28282.patch
 BuildArch: noarch
 ExclusiveArch: %{nodejs_arches} noarch
 ExclusiveArch: %{ix86} x86_64 %{arm} noarch
@@ -19,6 +20,7 @@ BuildRequires: npm(grunt-cli) npm(grunt-contrib-nodeunit) npm(grunt-contri
 %prep
 %setup -q -n package
+%patch0 -p1
 %build
@@ -39,5 +41,8 @@ cp -pr package.json lib/ \
 %{nodejs_sitelib}/getobject
 %changelog
+* Tue Feb 22 2022 yaoxin - 0.1.0-2
+- Fix CVE-2020-28282
+
 * Thu Aug 20 2020 Anan Fu - 0.1.0-1
 - package init
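Review bot: `%global enable_tests 0` in the first hunk's context means the `exports.proto` regression test carried inside `Patch0` is never run during the build, so the only thing verifying the fix is that `%patch0 -p1` applies cleanly. If the `npm(grunt-contrib-nodeunit)` listed in `BuildRequires` is usable in the build root, consider `%global enable_tests 1`; otherwise a minimal `%check` that confirms the `__proto__` guard is present in `lib/getobject.js` after `%prep` would catch a silently fuzzy or skipped patch. The `Release: 2` bump and the changelog entry are consistent with each other.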