fix CVE-2020-28282

2022-02-22 16:24:09 +08:00 · 2022-02-22 16:24:09 +08:00 · 376ea0df4f
commit 376ea0df4f
parent 33cbc8175e
2 changed files with 61 additions and 1 deletions
--- a/CVE-2020-28282.patch
+++ b/CVE-2020-28282.patch
@ -0,0 +1,55 @@
+From 84071748fa407caa8f824e0d0b9c1cde9ec56633 Mon Sep 17 00:00:00 2001
+From: Vlad Filippov <vlad.filippov@gmail.com>
+Date: Wed, 10 Mar 2021 23:07:02 -0500
+Subject: [PATCH] Do not allow setting of __proto__
+
+---
+ lib/getobject.js       | 4 ++++
+ package.json           | 2 +-
+ test/namespace_test.js | 8 ++++++++
+ 3 files changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/lib/getobject.js b/lib/getobject.js
+index e4006fe..7d6aa12 100644
+--- a/lib/getobject.js
+++ b/lib/getobject.js
+@@ -41,6 +41,10 @@ getobject.get = function(obj, parts, create) {
+ // as we go.
+ getobject.set = function(obj, parts, value) {
+   parts = getParts(parts);
+  if (parts.includes('__proto__')) {
+    // do not allow setting of __proto__. See CVE-2020-28282.
+    return;
+  }
+ 
+   var prop = parts.pop();
+   obj = getobject.get(obj, parts, true);
+diff --git a/package.json b/package.json
+index 2562e1d..07a7000 100644
+--- a/package.json
+++ b/package.json
+@@ -29,7 +29,7 @@
+   },
+   "devDependencies": {
+     "grunt-contrib-jshint": "~0.1.1",
+-    "grunt-contrib-nodeunit": "~0.1.2",
+    "grunt-contrib-nodeunit": "~2.1.0",
+     "grunt-contrib-watch": "~0.2.0",
+     "grunt": "~0.4.1"
+   },
+diff --git a/test/namespace_test.js b/test/namespace_test.js
+index 2e1c2ae..a776b8e 100644
+--- a/test/namespace_test.js
+++ b/test/namespace_test.js
+@@ -49,3 +49,11 @@ exports.exists = function(test) {
+   test.equal(getobject.exists(obj, 'a.b.x'), false, 'nonexistent property should not exist.');
+   test.done();
+ };
+
+exports.proto = function(test) {
+  var obj = {};
+  test.equal(getobject.exists(obj, 'isAdmin'), false);
+  getobject.set(obj, '__proto__.isAdmin', true);
+  test.equal(getobject.exists(obj, 'isAdmin'), false);
+  test.done();
+};
--- a/nodejs-getobject.spec
+++ b/nodejs-getobject.spec
@ -2,11 +2,12 @@
 %global enable_tests 0
 Name:                nodejs-getobject
 Version:             0.1.0
-Release:             1
+Release:             2
 Summary:             Get and set deep objects easily
 License:             MIT
 URL:                 https://github.com/cowboy/node-getobject
 Source0:             http://registry.npmjs.org/getobject/-/getobject-%{version}.tgz
+Patch0:              CVE-2020-28282.patch
 BuildArch:           noarch
 ExclusiveArch:       %{nodejs_arches} noarch
 ExclusiveArch:       %{ix86} x86_64 %{arm} noarch
@ -19,6 +20,7 @@ BuildRequires:       npm(grunt-cli) npm(grunt-contrib-nodeunit) npm(grunt-contri

 %prep
 %setup -q -n package
+%patch0 -p1

 %build

@ -39,5 +41,8 @@ cp -pr package.json lib/ \
 %{nodejs_sitelib}/getobject

 %changelog
+* Tue Feb 22 2022 yaoxin <yaoxin30@huawei.com> - 0.1.0-2
+- Fix CVE-2020-28282
+
 * Thu Aug 20 2020 Anan Fu <fuanan3@huawei.com> - 0.1.0-1
 - package init