packages/nodejs-grunt
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
nodejs-grunt/CVE-2020-7729.patch
starlet-dx c515a2167b Fix CVE-2020-7729
2022-02-23 17:02:21 +08:00

65 lines
2.3 KiB
Diff
Raw Blame History

From e350cea1724eb3476464561a380fb6a64e61e4e7 Mon Sep 17 00:00:00 2001
From: Vlad Filippov <vlad.filippov@gmail.com>
Date: Mon, 17 Aug 2020 11:28:59 -0400
Subject: [PATCH] Switch to use `safeLoad` for loading YML files via
`file.readYAML`.
For previous behaviour please use the following:
```
readYAML('test/fixtures/utf8.yaml', null, {unsafeLoad: true});
```
---
lib/grunt/file.js | 13 +++++++++++--
test/grunt/file_test.js | 7 +++++--
2 files changed, 16 insertions(+), 4 deletions(-)
diff --git a/lib/grunt/file.js b/lib/grunt/file.js
index eefeddb2..7e0e2fb7 100644
--- a/lib/grunt/file.js
+++ b/lib/grunt/file.js
@@ -241,12 +241,21 @@ file.readJSON = function(filepath, options) {
};
// Read a YAML file, parse its contents, return an object.
-file.readYAML = function(filepath, options) {
+file.readYAML = function(filepath, options, yamlOptions) {
+ if (!options) { options = {}; }
+ if (!yamlOptions) { yamlOptions = {}; }
+
var src = file.read(filepath, options);
var result;
grunt.verbose.write('Parsing ' + filepath + '...');
try {
- result = YAML.load(src);
+ // use the recommended way of reading YAML files
+ // https://github.com/nodeca/js-yaml#safeload-string---options-
+ if (yamlOptions.unsafeLoad) {
+ result = YAML.load(src);
+ } else {
+ result = YAML.safeLoad(src);
+ }
grunt.verbose.ok();
return result;
} catch (e) {
diff --git a/test/grunt/file_test.js b/test/grunt/file_test.js
index e833fb2d..b192cad9 100644
--- a/test/grunt/file_test.js
+++ b/test/grunt/file_test.js
@@ -452,10 +452,13 @@ exports.file = {
test.done();
},
'readYAML': function(test) {
- test.expect(4);
+ test.expect(5);
var obj;
obj = grunt.file.readYAML('test/fixtures/utf8.yaml');
- test.deepEqual(obj, this.object, 'file should be read as utf8 by default and parsed correctly.');
+ test.deepEqual(obj, this.object, 'file should be safely read as utf8 by default and parsed correctly.');
+
+ obj = grunt.file.readYAML('test/fixtures/utf8.yaml', null, {unsafeLoad: true});
+ test.deepEqual(obj, this.object, 'file should be unsafely read as utf8 by default and parsed correctly.');
obj = grunt.file.readYAML('test/fixtures/iso-8859-1.yaml', {encoding: 'iso-8859-1'});
test.deepEqual(obj, this.object, 'file should be read using the specified encoding.');
Reference in New Issue View Git Blame Copy Permalink