From c515a2167b9d55276c6e4706f915e2589768c240 Mon Sep 17 00:00:00 2001 From: starlet-dx <15929766099@163.com> Date: Wed, 23 Feb 2022 17:02:21 +0800 Subject: [PATCH] Fix CVE-2020-7729 --- CVE-2020-7729-pre.patch | 49 +++++++++++++++++++++++++++++++ CVE-2020-7729.patch | 64 +++++++++++++++++++++++++++++++++++++++++ nodejs-grunt.spec | 9 ++++-- 3 files changed, 120 insertions(+), 2 deletions(-) create mode 100644 CVE-2020-7729-pre.patch create mode 100644 CVE-2020-7729.patch diff --git a/CVE-2020-7729-pre.patch b/CVE-2020-7729-pre.patch new file mode 100644 index 0000000..f4a2755 --- /dev/null +++ b/CVE-2020-7729-pre.patch @@ -0,0 +1,49 @@ +From 3484b83a87e1f5ea689aa5aece9f9ae96151d3ff Mon Sep 17 00:00:00 2001 +From: Kyle Robinson Young +Date: Wed, 13 Apr 2016 18:06:59 -0700 +Subject: [PATCH] Fix for readYAML error messages + +--- + lib/grunt/file.js | 2 +- + test/grunt/file_test.js | 8 +++++++- + 2 files changed, 8 insertions(+), 2 deletions(-) + +diff --git a/lib/grunt/file.js b/lib/grunt/file.js +index 303e0ab4..f8a694e5 100644 +--- a/lib/grunt/file.js ++++ b/lib/grunt/file.js +@@ -262,7 +262,7 @@ file.readYAML = function(filepath, options) { + return result; + } catch (e) { + grunt.verbose.error(); +- throw grunt.util.error('Unable to parse "' + filepath + '" file (' + e.problem + ').', e); ++ throw grunt.util.error('Unable to parse "' + filepath + '" file (' + e.message + ').', e); + } + }; + +diff --git a/test/grunt/file_test.js b/test/grunt/file_test.js +index 91466f28..19889e61 100644 +--- a/test/grunt/file_test.js ++++ b/test/grunt/file_test.js +@@ -452,7 +452,7 @@ exports.file = { + test.done(); + }, + 'readYAML': function(test) { +- test.expect(3); ++ test.expect(4); + var obj; + obj = grunt.file.readYAML('test/fixtures/utf8.yaml'); + test.deepEqual(obj, this.object, 'file should be read as utf8 by default and parsed correctly.'); +@@ -460,6 +460,12 @@ exports.file = { + obj = grunt.file.readYAML('test/fixtures/iso-8859-1.yaml', {encoding: 'iso-8859-1'}); + test.deepEqual(obj, this.object, 'file should be read using the specified encoding.'); + ++ test.throws(function() { ++ obj = grunt.file.readYAML('test/fixtures/error.yaml'); ++ }, function(err) { ++ return err.message.indexOf('undefined') === -1; ++ }, 'error thrown should not contain undefined.'); ++ + grunt.file.defaultEncoding = 'iso-8859-1'; + obj = grunt.file.readYAML('test/fixtures/iso-8859-1.yaml'); + test.deepEqual(obj, this.object, 'changing the default encoding should work.'); diff --git a/CVE-2020-7729.patch b/CVE-2020-7729.patch new file mode 100644 index 0000000..a6e32f3 --- /dev/null +++ b/CVE-2020-7729.patch @@ -0,0 +1,64 @@ +From e350cea1724eb3476464561a380fb6a64e61e4e7 Mon Sep 17 00:00:00 2001 +From: Vlad Filippov +Date: Mon, 17 Aug 2020 11:28:59 -0400 +Subject: [PATCH] Switch to use `safeLoad` for loading YML files via + `file.readYAML`. + +For previous behaviour please use the following: + +``` +readYAML('test/fixtures/utf8.yaml', null, {unsafeLoad: true}); +``` +--- + lib/grunt/file.js | 13 +++++++++++-- + test/grunt/file_test.js | 7 +++++-- + 2 files changed, 16 insertions(+), 4 deletions(-) + +diff --git a/lib/grunt/file.js b/lib/grunt/file.js +index eefeddb2..7e0e2fb7 100644 +--- a/lib/grunt/file.js ++++ b/lib/grunt/file.js +@@ -241,12 +241,21 @@ file.readJSON = function(filepath, options) { + }; + + // Read a YAML file, parse its contents, return an object. +-file.readYAML = function(filepath, options) { ++file.readYAML = function(filepath, options, yamlOptions) { ++ if (!options) { options = {}; } ++ if (!yamlOptions) { yamlOptions = {}; } ++ + var src = file.read(filepath, options); + var result; + grunt.verbose.write('Parsing ' + filepath + '...'); + try { +- result = YAML.load(src); ++ // use the recommended way of reading YAML files ++ // https://github.com/nodeca/js-yaml#safeload-string---options- ++ if (yamlOptions.unsafeLoad) { ++ result = YAML.load(src); ++ } else { ++ result = YAML.safeLoad(src); ++ } + grunt.verbose.ok(); + return result; + } catch (e) { +diff --git a/test/grunt/file_test.js b/test/grunt/file_test.js +index e833fb2d..b192cad9 100644 +--- a/test/grunt/file_test.js ++++ b/test/grunt/file_test.js +@@ -452,10 +452,13 @@ exports.file = { + test.done(); + }, + 'readYAML': function(test) { +- test.expect(4); ++ test.expect(5); + var obj; + obj = grunt.file.readYAML('test/fixtures/utf8.yaml'); +- test.deepEqual(obj, this.object, 'file should be read as utf8 by default and parsed correctly.'); ++ test.deepEqual(obj, this.object, 'file should be safely read as utf8 by default and parsed correctly.'); ++ ++ obj = grunt.file.readYAML('test/fixtures/utf8.yaml', null, {unsafeLoad: true}); ++ test.deepEqual(obj, this.object, 'file should be unsafely read as utf8 by default and parsed correctly.'); + + obj = grunt.file.readYAML('test/fixtures/iso-8859-1.yaml', {encoding: 'iso-8859-1'}); + test.deepEqual(obj, this.object, 'file should be read using the specified encoding.'); diff --git a/nodejs-grunt.spec b/nodejs-grunt.spec index c909787..019f340 100644 --- a/nodejs-grunt.spec +++ b/nodejs-grunt.spec @@ -1,11 +1,13 @@ %global enable_tests 1 Name: nodejs-grunt Version: 1.0.1 -Release: 1 +Release: 2 Summary: Grunt is a JavaScript library used for automation and running tasks License: MIT URL: https://github.com/gruntjs/grunt Source0: https://github.com/gruntjs/grunt/archive/v%{version}/grunt-%{version}.tar.gz +Patch0: CVE-2020-7729-pre.patch +Patch1: CVE-2020-7729.patch BuildArch: noarch ExclusiveArch: %{nodejs_arches} noarch BuildRequires: nodejs-packaging @@ -25,7 +27,7 @@ your job becomes. After you've configured it, a task runner can do most of that mundane work for you with basically zero effort. %prep -%autosetup -n grunt-%{version} +%autosetup -n grunt-%{version} -p1 %nodejs_fixdep coffee-script '^1.3' %nodejs_fixdep dateformat '*' %nodejs_fixdep eventemitter2 '~0.4' @@ -56,5 +58,8 @@ grunt nodeunit:all %{nodejs_sitelib}/grunt %changelog +* Wed Feb 23 2022 yaoxin - 1.0.1-2 +- Fix CVE-2020-7729 + * Thu Aug 20 2020 Anan Fu - 1.0.1-1 - package init