packages/nodejs-tough-cookie
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!3 Fix CVE-2023-26136

Browse Source 
From: @starlet-dx 
Reviewed-by: @lyn1001 
Signed-off-by: @lyn1001
This commit is contained in:
openeuler-ci-bot 2023-12-13 01:20:22 +00:00 committed by Gitee
commit 96c3923798
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 81 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

75
CVE-2023-26136.patch Normal file
View File

@ -0,0 +1,75 @@
From: Colin Casey <casey.colin@gmail.com>
Date: Mon, 5 Jun 2023 12:13:22 -0300
Subject: Prevent prototype pollution in cookie memstore (#283)
All occurrences of new object creation in `memstore.js` have been changed from `{}` (i.e.; `Object.create(Object.prototype)` to `Object.create(null)` so that we are using object instances that do not have a prototype property that can be polluted.
Origin: https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e
Bug: https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873
Bug: https://github.com/salesforce/tough-cookie/issues/282
Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2023-26136
---
lib/memstore.js | 6 +++---
test/cookie_jar_test.js | 25 +++++++++++++++++++++++++
2 files changed, 28 insertions(+), 3 deletions(-)
diff --git a/lib/memstore.js b/lib/memstore.js
index 89ceb69..3486a6f 100644
--- a/lib/memstore.js
+++ b/lib/memstore.js
@@ -36,7 +36,7 @@ var util = require('util');
function MemoryCookieStore() {
Store.call(this);
- this.idx = {};
+ this.idx = Object.create(null);
}
util.inherits(MemoryCookieStore, Store);
exports.MemoryCookieStore = MemoryCookieStore;
@@ -109,10 +109,10 @@ MemoryCookieStore.prototype.findCookies = function(domain, path, cb) {
MemoryCookieStore.prototype.putCookie = function(cookie, cb) {
if (!this.idx[cookie.domain]) {
- this.idx[cookie.domain] = {};
+ this.idx[cookie.domain] = Object.create(null);
}
if (!this.idx[cookie.domain][cookie.path]) {
- this.idx[cookie.domain][cookie.path] = {};
+ this.idx[cookie.domain][cookie.path] = Object.create(null);
}
this.idx[cookie.domain][cookie.path][cookie.key] = cookie;
cb(null);
diff --git a/test/cookie_jar_test.js b/test/cookie_jar_test.js
index 9d0691d..26ad159 100644
--- a/test/cookie_jar_test.js
+++ b/test/cookie_jar_test.js
@@ -480,4 +480,29 @@ vows
}
}
})
+ .addBatch({
+ "Issue #282 - Prototype pollution": {
+ "when setting a cookie with the domain __proto__": {
+ topic: function() {
+ const jar = new tough.CookieJar(undefined, {
+ rejectPublicSuffixes: false
+ });
+ // try to pollute the prototype
+ jar.setCookieSync(
+ "Slonser=polluted; Domain=__proto__; Path=/notauth",
+ "https://__proto__/admin"
+ );
+ jar.setCookieSync(
+ "Auth=Lol; Domain=google.com; Path=/notauth",
+ "https://google.com/"
+ );
+ this.callback();
+ },
+ "results in a cookie that is not affected by the attempted prototype pollution": function() {
+ const pollutedObject = {};
+ assert(pollutedObject["/notauth"] === undefined);
+ }
+ }
+ }
+ })
.export(module);

7
nodejs-tough-cookie.spec
View File

@ -2,13 +2,15 @@
%global srcname tough-cookie
Name: nodejs-%{srcname}
Version: 2.3.2
Release: 2
Release: 3
Summary: RFC6265 Cookies and Cookie Jar for Node.js
License: MIT
URL: https://github.com/salesforce/tough-cookie
Source0: https://github.com/salesforce/tough-cookie/archive/v%{version}/tough-cookie-%{version}.tar.gz
Patch0: nodejs-tough-cookie-expiry.patch
Patch1: nodejs-tough-cookie-assert.patch
# https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e
Patch2: CVE-2023-26136.patch
BuildArch: noarch
ExclusiveArch: %{nodejs_arches} noarch
BuildRequires: nodejs-packaging
@ -44,6 +46,9 @@ vows --spec test/*_test.js
%{nodejs_sitelib}/%{srcname}
%changelog
* Tue Dec 12 2023 yaoxin <yao_xin001@hoperun.com> - 2.3.2-3
- Fix CVE-2023-26136
* Wed Sep 16 2020 leiju <leiju4@huawei.com> - 2.3.2-2
- Fix build failure