From 97f39da3c79c82aff152d745016b2d531e49c866 Mon Sep 17 00:00:00 2001
From: wk333 <13474090681@163.com>
Date: Thu, 21 Apr 2022 15:23:32 +0800
Subject: [PATCH] Fix CVE-2022-0436
---
 CVE-2022-0436.patch | 84 +++++++++++++++++++++++++++++++++++++++++++++
 nodejs-grunt.spec | 7 +++-
 2 files changed, 90 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2022-0436.patch
diff --git a/CVE-2022-0436.patch b/CVE-2022-0436.patch
new file mode 100644
index 0000000..95d2c78
--- /dev/null
+++ b/CVE-2022-0436.patch
@@ -0,0 +1,84 @@
+From aad3d4521c3098fb255fb2db8f2e1d691a033665 Mon Sep 17 00:00:00 2001
+From: Vlad Filippov
+Date: Sun, 10 Apr 2022 23:16:06 -0400
+Subject: [PATCH] Update dependencies, tests...
+
+
+diff --git a/lib/grunt/file.js b/lib/grunt/file.js
+index 863617f..f0a2d6e 100644
+--- a/lib/grunt/file.js
++++ b/lib/grunt/file.js
+@@ -303,8 +303,11 @@ file.write = function(filepath, contents, options) {
+ // Read a file, optionally processing its content, then write the output.
+ // Or read a directory, recursively creating directories, reading files,
+ // processing content, writing output.
++// Handles symlinks by coping them as files or directories.
+ file.copy = function copy(srcpath, destpath, options) {
+- if (file.isDir(srcpath)) {
++ if (file._isSymbolicLink(srcpath)) {
++ file._copySymbolicLink(srcpath, destpath);
++ } else if (file.isDir(srcpath)) {
+ // Copy a directory, recursively.
+ // Explicitly create new dest directory.
+ file.mkdir(destpath);
+@@ -452,6 +455,24 @@ file.isPathCwd = function() {
+ }
+ };
+
++file._isSymbolicLink = function() {
++ var filepath = path.join.apply(path, arguments);
++ return fs.lstatSync(filepath).isSymbolicLink();
++};
++
++file._copySymbolicLink = function(srcpath, destpath) {
++ var destdir = path.join(destpath, '..');
++ var fileBase = path.basename(srcpath);
++ // Use the correct relative path for the symlink
++ if (!grunt.file.isPathAbsolute(srcpath)) {
++ srcpath = path.relative(destdir, srcpath) || '.';
++ }
++ file.mkdir(destdir);
++ var mode = grunt.file.isDir(srcpath) ? 'dir' : 'file';
++ var destpath = path.join(destpath, fileBase);
++ return fs.symlinkSync(srcpath, destpath, mode);
++};
++
+ // Test to see if a filepath is contained within the CWD.
+ file.isPathInCwd = function() {
+ var filepath = path.join.apply(path, arguments);
+diff --git a/test/grunt/file_test.js b/test/grunt/file_test.js
+index 5110f04..41f1c2d 100644
+--- a/test/grunt/file_test.js
++++ b/test/grunt/file_test.js
+@@ -888,5 +888,28 @@ exports.file = {
+ test.ok(grunt.file.isPathInCwd(path.resolve('deep')), 'subdirectory is in cwd');
+ test.done();
+ },
++ 'symbolicLinkCopy': function(test) {
++ test.expect(4);
++ var srcfile = new Tempdir();
++ fs.symlinkSync(path.resolve('test/fixtures/octocat.png'), path.join(srcfile.path, 'octocat.png'), 'file');
++ // test symlink copy for files
++ var destdir = new Tempdir();
++ grunt.file.copy(path.join(srcfile.path, 'octocat.png'), destdir.path);
++ test.ok(fs.lstatSync(path.join(srcfile.path, 'octocat.png')).isSymbolicLink());
++ test.ok(fs.lstatSync(path.join(destdir.path, 'octocat.png')).isSymbolicLink());
++
++ // test symlink copy for directories
++ var srcdir = new Tempdir();
++ var destdir = new Tempdir();
++ var fixtures = path.resolve('test/fixtures');
++ var symlinkSource = path.join(srcdir.path, path.basename(fixtures));
++ console.log('symlinkSource', symlinkSource);
++ fs.symlinkSync(fixtures, symlinkSource, 'dir');
++
++ grunt.file.copy(symlinkSource, destdir.path);
++ test.ok(fs.lstatSync(symlinkSource).isSymbolicLink());
++ test.ok(fs.lstatSync(path.join(destdir.path, path.basename(fixtures))).isSymbolicLink());
++ test.done();
++ },
+ }
+ };
+--
+2.27.0
+
diff --git a/nodejs-grunt.spec b/nodejs-grunt.spec
index 019f340..f55662e 100644
--- a/nodejs-grunt.spec
+++ b/nodejs-grunt.spec
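Review bot: `file._copySymbolicLink` computes the relative link target against `destdir`, the parent of `destpath`, but then creates the link one level deeper at `path.join(destpath, fileBase)`, while `file.mkdir` is only called for `destdir`. The directory branch of `file.copy` treats `destpath` as the destination itself (`file.mkdir(destpath)`), so a caller passing a full destination path would get the link in a directory that was never created, with a relative target resolved from the wrong level; creating it at `destpath` (`return fs.symlinkSync(srcpath, destpath, mode);`, dropping the `var destpath` line that redeclares the parameter) keeps the two consistent, and the new test would then pass the full destination path. `file._isSymbolicLink` also calls `fs.lstatSync` unguarded, so a missing `srcpath` now throws a raw fs error at the top of `file.copy`; a try/catch that returns `false` when `e.code === 'ENOENT'` would avoid that. Only `srcpath` is checked with lstat: whether a symlink already present at `destpath` is followed when writing is not visible here (the body of `file.copy` continues outside the hunk) and is worth confirming for a security fix.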
@@ -1,13 +1,15 @@
 %global enable_tests 1
 Name: nodejs-grunt
 Version: 1.0.1
-Release: 2
+Release: 3
 Summary: Grunt is a JavaScript library used for automation and running tasks
 License: MIT
 URL: https://github.com/gruntjs/grunt
 Source0: https://github.com/gruntjs/grunt/archive/v%{version}/grunt-%{version}.tar.gz
 Patch0: CVE-2020-7729-pre.patch
 Patch1: CVE-2020-7729.patch
+# https://github.com/gruntjs/grunt/commit/aad3d45
+Patch2: CVE-2022-0436.patch
 BuildArch: noarch
 ExclusiveArch: %{nodejs_arches} noarch
 BuildRequires: nodejs-packaging
@@ -58,6 +60,9 @@ grunt nodeunit:all
 %{nodejs_sitelib}/grunt
 %changelog
+* Thu Apr 21 2022 wangkai - 1.0.1-3
+- Fix CVE-2022-0436
+
 * Wed Feb 23 2022 yaoxin - 1.0.1-2
 - Fix CVE-2020-7729