!2 Fix CVE-2020-7729

From: @starlet-dx Reviewed-by: @solarhu Signed-off-by: @solarhu
2022-02-24 07:02:55 +00:00 · 2022-02-24 07:02:55 +00:00 · 8d3c65f6d5
commit 8d3c65f6d5
parent 6cbc8537b1 c515a2167b
3 changed files with 120 additions and 2 deletions
--- a/CVE-2020-7729-pre.patch
+++ b/CVE-2020-7729-pre.patch
@ -0,0 +1,49 @@
+From 3484b83a87e1f5ea689aa5aece9f9ae96151d3ff Mon Sep 17 00:00:00 2001
+From: Kyle Robinson Young <kyle@dontkry.com>
+Date: Wed, 13 Apr 2016 18:06:59 -0700
+Subject: [PATCH] Fix for readYAML error messages
+
+---
+ lib/grunt/file.js       | 2 +-
+ test/grunt/file_test.js | 8 +++++++-
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/lib/grunt/file.js b/lib/grunt/file.js
+index 303e0ab4..f8a694e5 100644
+--- a/lib/grunt/file.js
+++ b/lib/grunt/file.js
+@@ -262,7 +262,7 @@ file.readYAML = function(filepath, options) {
+     return result;
+   } catch (e) {
+     grunt.verbose.error();
+-    throw grunt.util.error('Unable to parse "' + filepath + '" file (' + e.problem + ').', e);
+    throw grunt.util.error('Unable to parse "' + filepath + '" file (' + e.message + ').', e);
+   }
+ };
+ 
+diff --git a/test/grunt/file_test.js b/test/grunt/file_test.js
+index 91466f28..19889e61 100644
+--- a/test/grunt/file_test.js
+++ b/test/grunt/file_test.js
+@@ -452,7 +452,7 @@ exports.file = {
+     test.done();
+   },
+   'readYAML': function(test) {
+-    test.expect(3);
+    test.expect(4);
+     var obj;
+     obj = grunt.file.readYAML('test/fixtures/utf8.yaml');
+     test.deepEqual(obj, this.object, 'file should be read as utf8 by default and parsed correctly.');
+@@ -460,6 +460,12 @@ exports.file = {
+     obj = grunt.file.readYAML('test/fixtures/iso-8859-1.yaml', {encoding: 'iso-8859-1'});
+     test.deepEqual(obj, this.object, 'file should be read using the specified encoding.');
+ 
+    test.throws(function() {
+      obj = grunt.file.readYAML('test/fixtures/error.yaml');
+    }, function(err) {
+      return err.message.indexOf('undefined') === -1;
+    }, 'error thrown should not contain undefined.');
+
+     grunt.file.defaultEncoding = 'iso-8859-1';
+     obj = grunt.file.readYAML('test/fixtures/iso-8859-1.yaml');
+     test.deepEqual(obj, this.object, 'changing the default encoding should work.');
--- a/CVE-2020-7729.patch
+++ b/CVE-2020-7729.patch
@ -0,0 +1,64 @@
+From e350cea1724eb3476464561a380fb6a64e61e4e7 Mon Sep 17 00:00:00 2001
+From: Vlad Filippov <vlad.filippov@gmail.com>
+Date: Mon, 17 Aug 2020 11:28:59 -0400
+Subject: [PATCH] Switch to use `safeLoad` for loading YML files via
+ `file.readYAML`.
+
+For previous behaviour please use the following:
+
+```
+readYAML('test/fixtures/utf8.yaml', null, {unsafeLoad: true});
+```
+---
+ lib/grunt/file.js       | 13 +++++++++++--
+ test/grunt/file_test.js |  7 +++++--
+ 2 files changed, 16 insertions(+), 4 deletions(-)
+
+diff --git a/lib/grunt/file.js b/lib/grunt/file.js
+index eefeddb2..7e0e2fb7 100644
+--- a/lib/grunt/file.js
+++ b/lib/grunt/file.js
+@@ -241,12 +241,21 @@ file.readJSON = function(filepath, options) {
+ };
+ 
+ // Read a YAML file, parse its contents, return an object.
+-file.readYAML = function(filepath, options) {
+file.readYAML = function(filepath, options, yamlOptions) {
+  if (!options) { options = {}; }
+  if (!yamlOptions) { yamlOptions = {}; }
+
+   var src = file.read(filepath, options);
+   var result;
+   grunt.verbose.write('Parsing ' + filepath + '...');
+   try {
+-    result = YAML.load(src);
+    // use the recommended way of reading YAML files
+    // https://github.com/nodeca/js-yaml#safeload-string---options-
+    if (yamlOptions.unsafeLoad) {
+      result = YAML.load(src);
+    } else {
+      result = YAML.safeLoad(src);
+    }
+     grunt.verbose.ok();
+     return result;
+   } catch (e) {
+diff --git a/test/grunt/file_test.js b/test/grunt/file_test.js
+index e833fb2d..b192cad9 100644
+--- a/test/grunt/file_test.js
+++ b/test/grunt/file_test.js
+@@ -452,10 +452,13 @@ exports.file = {
+     test.done();
+   },
+   'readYAML': function(test) {
+-    test.expect(4);
+    test.expect(5);
+     var obj;
+     obj = grunt.file.readYAML('test/fixtures/utf8.yaml');
+-    test.deepEqual(obj, this.object, 'file should be read as utf8 by default and parsed correctly.');
+    test.deepEqual(obj, this.object, 'file should be safely read as utf8 by default and parsed correctly.');
+
+    obj = grunt.file.readYAML('test/fixtures/utf8.yaml', null, {unsafeLoad: true});
+    test.deepEqual(obj, this.object, 'file should be unsafely read as utf8 by default and parsed correctly.');
+ 
+     obj = grunt.file.readYAML('test/fixtures/iso-8859-1.yaml', {encoding: 'iso-8859-1'});
+     test.deepEqual(obj, this.object, 'file should be read using the specified encoding.');
--- a/nodejs-grunt.spec
+++ b/nodejs-grunt.spec
@ -1,11 +1,13 @@
 %global enable_tests 1
 Name:                nodejs-grunt
 Version:             1.0.1
-Release:             1
+Release:             2
 Summary:             Grunt is a JavaScript library used for automation and running tasks
 License:             MIT
 URL:                 https://github.com/gruntjs/grunt
 Source0:             https://github.com/gruntjs/grunt/archive/v%{version}/grunt-%{version}.tar.gz
+Patch0:              CVE-2020-7729-pre.patch
+Patch1:              CVE-2020-7729.patch
 BuildArch:           noarch
 ExclusiveArch:       %{nodejs_arches} noarch
 BuildRequires:       nodejs-packaging
@ -25,7 +27,7 @@ your job becomes. After you've configured it, a task runner can do most
 of that mundane work for you with basically zero effort.

 %prep
-%autosetup -n grunt-%{version}
+%autosetup -n grunt-%{version} -p1
 %nodejs_fixdep coffee-script '^1.3'
 %nodejs_fixdep dateformat '*'
 %nodejs_fixdep eventemitter2 '~0.4'
@ -56,5 +58,8 @@ grunt nodeunit:all
 %{nodejs_sitelib}/grunt

 %changelog
+* Wed Feb 23 2022 yaoxin <yaoxin30@huawei.com> - 1.0.1-2
+- Fix CVE-2020-7729
+
 * Thu Aug 20 2020 Anan Fu <fuanan3@huawei.com> - 1.0.1-1
 - package init