packages/nodejs-jison
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix CVE-2020-8178

Browse Source
This commit is contained in:
houyingchao 2022-02-23 11:34:32 +08:00
parent f4d0fc7015
commit ebc5a5e04b
2 changed files with 60 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

54
CVE-2020-8178.patch Normal file
View File

@ -0,0 +1,54 @@
From 64c18e3e654b55e3414894295127337705217139 Mon Sep 17 00:00:00 2001
From: toufik-airane <toufik.airane@gmail.com>
Date: Fri, 12 Jun 2020 21:06:44 +0200
Subject: [PATCH] Fix OS Command Injection on Jison
Fix OS Command Injection on Jison for huntr.dev.
https://www.huntr.dev/app/bounties/open/1-npm-jison
---
ports/csharp/Jison/Jison/csharp.js | 4 ++--
ports/php/php.js | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/ports/csharp/Jison/Jison/csharp.js b/ports/csharp/Jison/Jison/csharp.js
index 76c5d8ad..fdcd7b48 100644
--- a/ports/csharp/Jison/Jison/csharp.js
+++ b/ports/csharp/Jison/Jison/csharp.js
@@ -1,6 +1,6 @@
var fs = require('fs'),
util = require('util'),
- exec = require('child_process').exec,
+ execFile = require('child_process').execFile,
path = require('path');
GLOBAL.convertToSyntax = function (types, body) {
@@ -16,7 +16,7 @@ function puts(error, stdout, stderr) {
console.log("Executing: " + "jison " + process.argv[2]);
-exec("jison " + process.argv[2], function (error) {
+execFile("jison ", [process.argv[2]], function (error) {
if (error) {
console.log(error);
return;
diff --git a/ports/php/php.js b/ports/php/php.js
index 5e9f8425..e9b48499 100644
--- a/ports/php/php.js
+++ b/ports/php/php.js
@@ -1,6 +1,6 @@
var fs = require('fs'),
util = require('util'),
- exec = require('child_process').exec,
+ execFile = require('child_process').execFile,
path = require('path');
GLOBAL.convertToSyntax = function (types, body) {
@@ -16,7 +16,7 @@ function puts(error, stdout, stderr) {
console.log("Executing: " + "jison " + process.argv[2]);
-exec("jison " + process.argv[2], function (error) {
+execFile("jison ", [process.argv[2]], function (error) {
if (error) {
console.log(error);
return;

8
nodejs-jison.spec
View File

@ -5,11 +5,12 @@
%global shortcommit %(c=%{commit}; echo ${c:0:7}) %global shortcommit %(c=%{commit}; echo ${c:0:7})
Name: nodejs-jison Name: nodejs-jison
Version: 0.4.18 Version: 0.4.18
Release: 1 Release: 2
Summary: A parser generator with Bison's API Summary: A parser generator with Bison's API
License: MIT License: MIT
URL: https://github.com/zaach/jison URL: https://github.com/zaach/jison
Source0: https://github.com/zaach/jison/archive/%{commit}/jison-%{shortcommit}.tar.gz Source0: https://github.com/zaach/jison/archive/%{commit}/jison-%{shortcommit}.tar.gz
Patch0: CVE-2020-8178.patch
BuildArch: noarch BuildArch: noarch
ExclusiveArch: %{nodejs_arches} noarch ExclusiveArch: %{nodejs_arches} noarch
BuildRequires: nodejs-packaging npm(cjson) npm(ebnf-parser) npm(escodegen) npm(esprima) BuildRequires: nodejs-packaging npm(cjson) npm(ebnf-parser) npm(escodegen) npm(esprima)
@ -21,7 +22,7 @@ BuildRequires: npm(test)
%{summary}. %{summary}.
%prep %prep
%autosetup -n jison-%{commit} %autosetup -n jison-%{commit} -p1
chmod -x lib/jison.js chmod -x lib/jison.js
rm -rf node_modules rm -rf node_modules
%nodejs_fixdep cjson %nodejs_fixdep cjson
@ -56,5 +57,8 @@ ln -s %{nodejs_sitelib}/jison/lib/cli.js \
%{_bindir}/jison %{_bindir}/jison
%changelog %changelog
* Wed Feb 23 2022 houyingchao <houyingchao@huawei.com> - 0.4.18-2
- Fix CVE-2020-8178
* Thu Aug 20 2020 yaokai <yaokai13@huawei.com> - 0.4.18-1 * Thu Aug 20 2020 yaokai <yaokai13@huawei.com> - 0.4.18-1
- Package init - Package init