packages/nodejs-hosted-git-info
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2021-23362

Browse Source
This commit is contained in:
wang_yue111 2021-03-29 16:26:23 +08:00
parent 640e2869c4
commit 68c72c9910
4 changed files with 151 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

53
CVE-2021-23362-pre1.patch Normal file
View File

@ -0,0 +1,53 @@
From bc60d363413aca8e81be6d81d2cd491945b84478 Mon Sep 17 00:00:00 2001
From: wang_yue111 <648774160@qq.com>
Date: Mon, 29 Mar 2021 15:30:44 +0800
Subject: [PATCH] Preserve case of user and project names
Fixes: #16
---
index.js | 7 ++++---
test/basic.js | 4 ++++
2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/index.js b/index.js
index 453ce87..6fcef6d 100644
--- a/index.js
+++ b/index.js
@@ -29,6 +29,7 @@ module.exports.fromUrl = function (giturl) {
isGitHubShorthand(giturl) ? 'github:' + giturl : giturl
)
var parsed = parseGitUrl(url)
+ var shortcutMatch = url.match(new RegExp('^([^:]+):([^/]+)[/](.+)$'))
var matches = Object.keys(gitHosts).map(function (gitHostName) {
var gitHostInfo = gitHosts[gitHostName]
var auth = null
@@ -39,9 +40,9 @@ module.exports.fromUrl = function (giturl) {
var user = null
var project = null
var defaultRepresentation = null
- if (parsed.protocol === gitHostName + ':') {
- user = decodeURIComponent(parsed.host)
- project = parsed.path && decodeURIComponent(parsed.path.replace(/^[/](.*?)(?:[.]git)?$/, '$1'))
+ if (shortcutMatch && shortcutMatch[1] === gitHostName) {
+ user = decodeURIComponent(shortcutMatch[2])
+ project = decodeURIComponent(shortcutMatch[3])
defaultRepresentation = 'shortcut'
} else {
if (parsed.host !== gitHostInfo.domain) return
diff --git a/test/basic.js b/test/basic.js
index 0b93f50..3902264 100644
--- a/test/basic.js
+++ b/test/basic.js
@@ -11,5 +11,9 @@ test('basic', function (t) {
t.is(HostedGit.fromUrl('git@github.com:abc/def').getDefaultRepresentation(), 'sshurl', 'match ssh connect strings')
t.is(HostedGit.fromUrl('git://github.com/abc/def').getDefaultRepresentation(), 'git', 'match git urls')
t.is(HostedGit.fromUrl('github:abc/def').getDefaultRepresentation(), 'shortcut', 'match shortcuts')
+
+ t.is(HostedGit.fromUrl('dEf/AbC').https(), 'git+https://github.com/dEf/AbC.git', 'mixed case shortcut')
+ t.is(HostedGit.fromUrl('gitlab:dEf/AbC').https(), 'git+https://gitlab.com/dEf/AbC.git', 'mixed case prefixed shortcut')
+ t.is(HostedGit.fromUrl('git://github.com/dEf/AbC.git').https(), 'git+https://github.com/dEf/AbC.git', 'mixed case url')
t.end()
})
--
2.23.0

48
CVE-2021-23362-pre2.patch Normal file
View File

@ -0,0 +1,48 @@
From 8aaf60116edf5240d80b9f715c971b9982ba071f Mon Sep 17 00:00:00 2001
From: wang_yue111 <648774160@qq.com>
Date: Mon, 29 Mar 2021 15:54:11 +0800
Subject: [PATCH] Fix shortcuts ending in .git and gists w/o usernames
---
index.js | 4 ++--
test/basic.js | 2 ++
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/index.js b/index.js
index 6fcef6d..7f5ad1a 100644
--- a/index.js
+++ b/index.js
@@ -29,7 +29,7 @@ module.exports.fromUrl = function (giturl) {
isGitHubShorthand(giturl) ? 'github:' + giturl : giturl
)
var parsed = parseGitUrl(url)
- var shortcutMatch = url.match(new RegExp('^([^:]+):([^/]+)[/](.+)$'))
+ var shortcutMatch = url.match(new RegExp('^([^:]+):(?:(?:[^@:]+(?:[^@]+)?@)?([^/]*))[/](.+?)(?:[.]git)?($|#)'))
var matches = Object.keys(gitHosts).map(function (gitHostName) {
var gitHostInfo = gitHosts[gitHostName]
var auth = null
@@ -41,7 +41,7 @@ module.exports.fromUrl = function (giturl) {
var project = null
var defaultRepresentation = null
if (shortcutMatch && shortcutMatch[1] === gitHostName) {
- user = decodeURIComponent(shortcutMatch[2])
+ user = shortcutMatch[2] && decodeURIComponent(shortcutMatch[2])
project = decodeURIComponent(shortcutMatch[3])
defaultRepresentation = 'shortcut'
} else {
diff --git a/test/basic.js b/test/basic.js
index 3902264..f04133d 100644
--- a/test/basic.js
+++ b/test/basic.js
@@ -14,6 +14,8 @@ test('basic', function (t) {
t.is(HostedGit.fromUrl('dEf/AbC').https(), 'git+https://github.com/dEf/AbC.git', 'mixed case shortcut')
t.is(HostedGit.fromUrl('gitlab:dEf/AbC').https(), 'git+https://gitlab.com/dEf/AbC.git', 'mixed case prefixed shortcut')
+ t.is(HostedGit.fromUrl('gitlab:dEf/AbC.git').https(), 'git+https://gitlab.com/dEf/AbC.git', 'mixed case prefixed shortcut')
t.is(HostedGit.fromUrl('git://github.com/dEf/AbC.git').https(), 'git+https://github.com/dEf/AbC.git', 'mixed case url')
+ t.is(HostedGit.fromUrl('gist:123').https(), 'git+https://gist.github.com/123.git', 'non-user shortcut')
t.end()
})
--
2.23.0

39
CVE-2021-23362.patch Normal file
View File

@ -0,0 +1,39 @@
From 924cfd1d1cd473b773a6d43a6537f877338d9f99 Mon Sep 17 00:00:00 2001
From: wang_yue111 <648774160@qq.com>
Date: Mon, 29 Mar 2021 16:02:39 +0800
Subject: [PATCH] fix: simplify the regular expression for shortcut matching
PR-URL: https://github.com/npm/hosted-git-info/pull/76
Credit: @nlf
Close: #76
Reviewed-by: @isaacs
---
index.js | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/index.js b/index.js
index 7f5ad1a..722dd1d 100644
--- a/index.js
+++ b/index.js
@@ -29,7 +29,7 @@ module.exports.fromUrl = function (giturl) {
isGitHubShorthand(giturl) ? 'github:' + giturl : giturl
)
var parsed = parseGitUrl(url)
- var shortcutMatch = url.match(new RegExp('^([^:]+):(?:(?:[^@:]+(?:[^@]+)?@)?([^/]*))[/](.+?)(?:[.]git)?($|#)'))
+ var shortcutMatch = url.match(/^([^:]+):(?:[^@]+@)?(?:([^/]*)\/)?([^#]+)/)
var matches = Object.keys(gitHosts).map(function (gitHostName) {
var gitHostInfo = gitHosts[gitHostName]
var auth = null
@@ -42,7 +42,7 @@ module.exports.fromUrl = function (giturl) {
var defaultRepresentation = null
if (shortcutMatch && shortcutMatch[1] === gitHostName) {
user = shortcutMatch[2] && decodeURIComponent(shortcutMatch[2])
- project = decodeURIComponent(shortcutMatch[3])
+ project = decodeURIComponent(shortcutMatch[3].replace(/\.git$/, ''))
defaultRepresentation = 'shortcut'
} else {
if (parsed.host !== gitHostInfo.domain) return
--
2.23.0

12
nodejs-hosted-git-info.spec
View File

@ -3,10 +3,14 @@
%global enable_tests 1 %global enable_tests 1
Name: nodejs-hosted-git-info Name: nodejs-hosted-git-info
Version: 2.1.4 Version: 2.1.4
Release: 1 Release: 2
Summary: Provides metadata and conversions from repository urls for Github, Bitbucket and Gitlab Summary: Provides metadata and conversions from repository urls for Github, Bitbucket and Gitlab
Url: https://github.com/npm/hosted-git-info Url: https://github.com/npm/hosted-git-info
Source0: https://registry.npmjs.org/%{npm_name}/-/%{npm_name}-%{version}.tgz Source0: https://registry.npmjs.org/%{npm_name}/-/%{npm_name}-%{version}.tgz
Patch0000: CVE-2021-23362-pre1.patch
Patch0001: CVE-2021-23362-pre2.patch
Patch0002: CVE-2021-23362.patch
License: ISC License: ISC
BuildArch: noarch BuildArch: noarch
ExclusiveArch: %{nodejs_arches} noarch ExclusiveArch: %{nodejs_arches} noarch
@ -19,6 +23,9 @@ Provides metadata and conversions from repository urls for Github, Bitbucket and
%prep %prep
%setup -q -n package %setup -q -n package
%patch0000 -p1
%patch0001 -p1
%patch0002 -p1
%build %build
@ -40,5 +47,8 @@ tap test/*.js
%license LICENSE %license LICENSE
%changelog %changelog
* Mon Mar 29 2021 wangyue <wangyue92@huawei.com> - 2.1.4-2
- fix CVE-2021-23362
* Thu Aug 20 2020 yaokai <yaokai13@huawei.com> - 2.1.4-1 * Thu Aug 20 2020 yaokai <yaokai13@huawei.com> - 2.1.4-1
- package init - package init