From 54eaeb0fa996dfaa7efeae5fb9a6c5d0a08c9d6a Mon Sep 17 00:00:00 2001 From: wk333 <13474090681@163.com> Date: Tue, 26 Mar 2024 16:24:18 +0800 Subject: [PATCH] Fix CVE-2022-24999 (cherry picked from commit f62d633f73752801030dd43fd282898334e44eb1) --- CVE-2022-24999.patch | 96 ++++++++++++++++++++++++++++++++++++++++++++ nodejs-qs.spec | 8 +++- 2 files changed, 102 insertions(+), 2 deletions(-) create mode 100644 CVE-2022-24999.patch diff --git a/CVE-2022-24999.patch b/CVE-2022-24999.patch new file mode 100644 index 0000000..73f52c7 --- /dev/null +++ b/CVE-2022-24999.patch @@ -0,0 +1,96 @@ +From 8b4cc14cda94a5c89341b77e5fe435ec6c41be2d Mon Sep 17 00:00:00 2001 +From: Jordan Harband +Date: Mon, 27 Dec 2021 19:15:57 -0800 +Subject: [PATCH] [Fix] `parse`: ignore `__proto__` keys + +Origin: https://github.com/ljharb/qs/pull/428 + +--- + lib/parse.js | 2 +- + test/parse.js | 60 +++++++++++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 61 insertions(+), 1 deletion(-) + +diff --git a/lib/parse.js b/lib/parse.js +index c833315c..a4ac4fa0 100644 +--- a/lib/parse.js ++++ b/lib/parse.js +@@ -136,7 +136,7 @@ var parseObject = function (chain, val, options, valuesParsed) { + ) { + obj = []; + obj[index] = leaf; +- } else { ++ } else if (cleanRoot !== '__proto__') { + obj[cleanRoot] = leaf; + } + } +diff --git a/test/parse.js b/test/parse.js +index 7a3cfdef..7d61023e 100644 +--- a/test/parse.js ++++ b/test/parse.js +@@ -629,6 +629,66 @@ test('parse()', function (t) { + st.end(); + }); + ++ t.test('dunder proto is ignored', function (st) { ++ var payload = 'categories[__proto__]=login&categories[__proto__]&categories[length]=42'; ++ var result = qs.parse(payload, { allowPrototypes: true }); ++ ++ st.deepEqual( ++ result, ++ { ++ categories: { ++ length: '42' ++ } ++ }, ++ 'silent [[Prototype]] payload' ++ ); ++ ++ var plainResult = qs.parse(payload, { allowPrototypes: true, plainObjects: true }); ++ ++ st.deepEqual( ++ plainResult, ++ { ++ __proto__: null, ++ categories: { ++ __proto__: null, ++ length: '42' ++ } ++ }, ++ 'silent [[Prototype]] payload: plain objects' ++ ); ++ ++ var query = qs.parse('categories[__proto__]=cats&categories[__proto__]=dogs&categories[some][json]=toInject', { allowPrototypes: true }); ++ ++ st.notOk(Array.isArray(query.categories), 'is not an array'); ++ st.notOk(query.categories instanceof Array, 'is not instanceof an array'); ++ st.deepEqual(query.categories, { some: { json: 'toInject' } }); ++ st.equal(JSON.stringify(query.categories), '{"some":{"json":"toInject"}}', 'stringifies as a non-array'); ++ ++ st.deepEqual( ++ qs.parse('foo[__proto__][hidden]=value&foo[bar]=stuffs', { allowPrototypes: true }), ++ { ++ foo: { ++ bar: 'stuffs' ++ } ++ }, ++ 'hidden values' ++ ); ++ ++ st.deepEqual( ++ qs.parse('foo[__proto__][hidden]=value&foo[bar]=stuffs', { allowPrototypes: true, plainObjects: true }), ++ { ++ __proto__: null, ++ foo: { ++ __proto__: null, ++ bar: 'stuffs' ++ } ++ }, ++ 'hidden values: plain objects' ++ ); ++ ++ st.end(); ++ }); ++ + t.test('can return null objects', { skip: !Object.create }, function (st) { + var expected = Object.create(null); + expected.a = Object.create(null); diff --git a/nodejs-qs.spec b/nodejs-qs.spec index 1674c80..9773d22 100644 --- a/nodejs-qs.spec +++ b/nodejs-qs.spec @@ -2,11 +2,12 @@ %global enable_tests 1 Name: nodejs-qs Version: 6.5.1 -Release: 1 +Release: 2 Summary: Query string parser for Node.js License: BSD URL: https://github.com/ljharb/qs Source0: https://registry.npmjs.org/qs/-/qs-%{version}.tgz +Patch0: CVE-2022-24999.patch BuildArch: noarch ExclusiveArch: %{nodejs_arches} noarch BuildRequires: nodejs-packaging @@ -21,7 +22,7 @@ commonly desired behavior (and twice as fast). Used by express, connect and others. %prep -%setup -q -n package +%autosetup -n package -p1 %build @@ -45,5 +46,8 @@ install -p -m644 lib/*.js %{buildroot}%{nodejs_sitelib}/qs/lib %{nodejs_sitelib}/qs %changelog +* Tue Mar 26 2024 wangkai <13474090681@163.com> - 6.5.1-2 +- Fix CVE-2022-24999 + * Fri Aug 14 2020 wangyue - 6.5.1-1 - Package init