fix CVE-2021-23362

2021-03-29 16:26:23 +08:00 · 2021-03-29 16:26:23 +08:00 · 68c72c9910
commit 68c72c9910
parent 640e2869c4
4 changed files with 151 additions and 1 deletions
--- a/CVE-2021-23362-pre1.patch
+++ b/CVE-2021-23362-pre1.patch
@ -0,0 +1,53 @@
+From bc60d363413aca8e81be6d81d2cd491945b84478 Mon Sep 17 00:00:00 2001
+From: wang_yue111 <648774160@qq.com>
+Date: Mon, 29 Mar 2021 15:30:44 +0800
+Subject: [PATCH] Preserve case of user and project names
+
+Fixes: #16
+---
+ index.js      | 7 ++++---
+ test/basic.js | 4 ++++
+ 2 files changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/index.js b/index.js
+index 453ce87..6fcef6d 100644
+--- a/index.js
+++ b/index.js
+@@ -29,6 +29,7 @@ module.exports.fromUrl = function (giturl) {
+     isGitHubShorthand(giturl) ? 'github:' + giturl : giturl
+   )
+   var parsed = parseGitUrl(url)
+  var shortcutMatch = url.match(new RegExp('^([^:]+):([^/]+)[/](.+)$'))
+   var matches = Object.keys(gitHosts).map(function (gitHostName) {
+     var gitHostInfo = gitHosts[gitHostName]
+     var auth = null
+@@ -39,9 +40,9 @@ module.exports.fromUrl = function (giturl) {
+     var user = null
+     var project = null
+     var defaultRepresentation = null
+-    if (parsed.protocol === gitHostName + ':') {
+-      user = decodeURIComponent(parsed.host)
+-      project = parsed.path && decodeURIComponent(parsed.path.replace(/^[/](.*?)(?:[.]git)?$/, '$1'))
+    if (shortcutMatch && shortcutMatch[1] === gitHostName) {
+      user = decodeURIComponent(shortcutMatch[2])
+      project = decodeURIComponent(shortcutMatch[3])
+       defaultRepresentation = 'shortcut'
+     } else {
+       if (parsed.host !== gitHostInfo.domain) return
+diff --git a/test/basic.js b/test/basic.js
+index 0b93f50..3902264 100644
+--- a/test/basic.js
+++ b/test/basic.js
+@@ -11,5 +11,9 @@ test('basic', function (t) {
+   t.is(HostedGit.fromUrl('git@github.com:abc/def').getDefaultRepresentation(), 'sshurl', 'match ssh connect strings')
+   t.is(HostedGit.fromUrl('git://github.com/abc/def').getDefaultRepresentation(), 'git', 'match git urls')
+   t.is(HostedGit.fromUrl('github:abc/def').getDefaultRepresentation(), 'shortcut', 'match shortcuts')
+
+  t.is(HostedGit.fromUrl('dEf/AbC').https(), 'git+https://github.com/dEf/AbC.git', 'mixed case shortcut')
+  t.is(HostedGit.fromUrl('gitlab:dEf/AbC').https(), 'git+https://gitlab.com/dEf/AbC.git', 'mixed case prefixed shortcut')
+  t.is(HostedGit.fromUrl('git://github.com/dEf/AbC.git').https(), 'git+https://github.com/dEf/AbC.git', 'mixed case url')
+   t.end()
+ })
+-- 
+2.23.0
+
--- a/CVE-2021-23362-pre2.patch
+++ b/CVE-2021-23362-pre2.patch
@ -0,0 +1,48 @@
+From 8aaf60116edf5240d80b9f715c971b9982ba071f Mon Sep 17 00:00:00 2001
+From: wang_yue111 <648774160@qq.com>
+Date: Mon, 29 Mar 2021 15:54:11 +0800
+Subject: [PATCH] Fix shortcuts ending in .git and gists w/o usernames
+
+---
+ index.js      | 4 ++--
+ test/basic.js | 2 ++
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/index.js b/index.js
+index 6fcef6d..7f5ad1a 100644
+--- a/index.js
+++ b/index.js
+@@ -29,7 +29,7 @@ module.exports.fromUrl = function (giturl) {
+     isGitHubShorthand(giturl) ? 'github:' + giturl : giturl
+   )
+   var parsed = parseGitUrl(url)
+-  var shortcutMatch = url.match(new RegExp('^([^:]+):([^/]+)[/](.+)$'))
+  var shortcutMatch = url.match(new RegExp('^([^:]+):(?:(?:[^@:]+(?:[^@]+)?@)?([^/]*))[/](.+?)(?:[.]git)?($|#)'))
+   var matches = Object.keys(gitHosts).map(function (gitHostName) {
+     var gitHostInfo = gitHosts[gitHostName]
+     var auth = null
+@@ -41,7 +41,7 @@ module.exports.fromUrl = function (giturl) {
+     var project = null
+     var defaultRepresentation = null
+     if (shortcutMatch && shortcutMatch[1] === gitHostName) {
+-      user = decodeURIComponent(shortcutMatch[2])
+      user = shortcutMatch[2] && decodeURIComponent(shortcutMatch[2])
+       project = decodeURIComponent(shortcutMatch[3])
+       defaultRepresentation = 'shortcut'
+     } else {
+diff --git a/test/basic.js b/test/basic.js
+index 3902264..f04133d 100644
+--- a/test/basic.js
+++ b/test/basic.js
+@@ -14,6 +14,8 @@ test('basic', function (t) {
+ 
+   t.is(HostedGit.fromUrl('dEf/AbC').https(), 'git+https://github.com/dEf/AbC.git', 'mixed case shortcut')
+   t.is(HostedGit.fromUrl('gitlab:dEf/AbC').https(), 'git+https://gitlab.com/dEf/AbC.git', 'mixed case prefixed shortcut')
+  t.is(HostedGit.fromUrl('gitlab:dEf/AbC.git').https(), 'git+https://gitlab.com/dEf/AbC.git', 'mixed case prefixed shortcut')
+   t.is(HostedGit.fromUrl('git://github.com/dEf/AbC.git').https(), 'git+https://github.com/dEf/AbC.git', 'mixed case url')
+  t.is(HostedGit.fromUrl('gist:123').https(), 'git+https://gist.github.com/123.git', 'non-user shortcut')
+   t.end()
+ })
+-- 
+2.23.0
+
--- a/CVE-2021-23362.patch
+++ b/CVE-2021-23362.patch
@ -0,0 +1,39 @@
+From 924cfd1d1cd473b773a6d43a6537f877338d9f99 Mon Sep 17 00:00:00 2001
+From: wang_yue111 <648774160@qq.com>
+Date: Mon, 29 Mar 2021 16:02:39 +0800
+Subject: [PATCH] fix: simplify the regular expression for shortcut matching
+
+PR-URL: https://github.com/npm/hosted-git-info/pull/76
+Credit: @nlf
+Close: #76
+Reviewed-by: @isaacs
+
+---
+ index.js | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/index.js b/index.js
+index 7f5ad1a..722dd1d 100644
+--- a/index.js
+++ b/index.js
+@@ -29,7 +29,7 @@ module.exports.fromUrl = function (giturl) {
+     isGitHubShorthand(giturl) ? 'github:' + giturl : giturl
+   )
+   var parsed = parseGitUrl(url)
+-  var shortcutMatch = url.match(new RegExp('^([^:]+):(?:(?:[^@:]+(?:[^@]+)?@)?([^/]*))[/](.+?)(?:[.]git)?($|#)'))
+  var shortcutMatch = url.match(/^([^:]+):(?:[^@]+@)?(?:([^/]*)\/)?([^#]+)/)
+   var matches = Object.keys(gitHosts).map(function (gitHostName) {
+     var gitHostInfo = gitHosts[gitHostName]
+     var auth = null
+@@ -42,7 +42,7 @@ module.exports.fromUrl = function (giturl) {
+     var defaultRepresentation = null
+     if (shortcutMatch && shortcutMatch[1] === gitHostName) {
+       user = shortcutMatch[2] && decodeURIComponent(shortcutMatch[2])
+-      project = decodeURIComponent(shortcutMatch[3])
+      project = decodeURIComponent(shortcutMatch[3].replace(/\.git$/, ''))
+       defaultRepresentation = 'shortcut'
+     } else {
+       if (parsed.host !== gitHostInfo.domain) return
+-- 
+2.23.0
+
--- a/nodejs-hosted-git-info.spec
+++ b/nodejs-hosted-git-info.spec
@ -3,10 +3,14 @@
 %global enable_tests 1
 Name:                nodejs-hosted-git-info
 Version:             2.1.4
-Release:             1
+Release:             2
 Summary:             Provides metadata and conversions from repository urls for Github, Bitbucket and Gitlab
 Url:                 https://github.com/npm/hosted-git-info
 Source0:             https://registry.npmjs.org/%{npm_name}/-/%{npm_name}-%{version}.tgz
+Patch0000:           CVE-2021-23362-pre1.patch
+Patch0001:           CVE-2021-23362-pre2.patch
+Patch0002:           CVE-2021-23362.patch
+
 License:             ISC
 BuildArch:           noarch
 ExclusiveArch:	     %{nodejs_arches} noarch
@ -19,6 +23,9 @@ Provides metadata and conversions from repository urls for Github, Bitbucket and

 %prep
 %setup -q -n package
+%patch0000 -p1
+%patch0001 -p1
+%patch0002 -p1

 %build

@ -40,5 +47,8 @@ tap test/*.js
 %license LICENSE

 %changelog
+* Mon Mar 29 2021 wangyue <wangyue92@huawei.com> - 2.1.4-2
+- fix CVE-2021-23362
+
 * Thu Aug 20 2020 yaokai <yaokai13@huawei.com> - 2.1.4-1
 - package init