!9 Fix CVE-2024-21503

From: @yanjianqing_kylin 
Reviewed-by: @shinwell_hu 
Signed-off-by: @shinwell_hu

CVE-2024-21503.patch

@@ -0,0 +1,80 @@
+From 3ecd05252df7c043d077a8c7ecaa573465e0cc8a Mon Sep 17 00:00:00 2001
+From: Jelle Zijlstra <jelle.zijlstra@gmail.com>
+Date: Fri, 15 Mar 2024 12:06:12 -0700
+Subject: [PATCH ]  CVE-2024-21503
+Fix catastrophic performance in lines_with_leading_tabs_expanded() (#4278)
+
+---
+ src/black/strings.py | 18 ++++++------------
+ tests/test_black.py  | 11 +++++++++++
+ 2 files changed, 17 insertions(+), 12 deletions(-)
+
+diff --git a/src/black/strings.py b/src/black/strings.py
+index 0e0f968..baa8816 100644
+--- a/src/black/strings.py
++++ b/src/black/strings.py
+@@ -14,7 +14,6 @@ STRING_PREFIX_CHARS: Final = "furbFURB"  # All possible string prefix characters
+ STRING_PREFIX_RE: Final = re.compile(
+     r"^([" + STRING_PREFIX_CHARS + r"]*)(.*)$", re.DOTALL
+ )
+-FIRST_NON_WHITESPACE_RE: Final = re.compile(r"\s*\t+\s*(\S)")
+ UNICODE_ESCAPE_RE: Final = re.compile(
+     r"(?P<backslashes>\\+)(?P<body>"
+     r"(u(?P<u>[a-fA-F0-9]{4}))"  # Character with 16-bit hex value xxxx
+@@ -51,18 +50,13 @@ def lines_with_leading_tabs_expanded(s: str) -> List[str]:
+     """
+     lines = []
+     for line in s.splitlines():
+-        # Find the index of the first non-whitespace character after a string of
+-        # whitespace that includes at least one tab
+-        match = FIRST_NON_WHITESPACE_RE.match(line)
+-        if match:
+-            first_non_whitespace_idx = match.start(1)
+-
+-            lines.append(
+-                line[:first_non_whitespace_idx].expandtabs()
+-                + line[first_non_whitespace_idx:]
+-            )
+-        else:
++        stripped_line = line.lstrip()
++        if not stripped_line or stripped_line == line:
+             lines.append(line)
++        else:
++            prefix_length = len(line) - len(stripped_line)
++            prefix = line[:prefix_length].expandtabs()
++            lines.append(prefix + stripped_line)
+     if s.endswith("\n"):
+         lines.append("")
+     return lines
+diff --git a/tests/test_black.py b/tests/test_black.py
+index 41f87cd..1814fb7 100644
+--- a/tests/test_black.py
++++ b/tests/test_black.py
+@@ -47,6 +47,7 @@ from black.debug import DebugVisitor
+ from black.mode import Mode, Preview
+ from black.output import color_diff, diff
+ from black.report import Report
++from black.strings import lines_with_leading_tabs_expanded
+ 
+ # Import other test classes
+ from tests.util import (
+@@ -2054,6 +2055,16 @@ class BlackTestCase(BlackBaseTestCase):
+             b"Cannot use line-ranges in the pyproject.toml file." in result.stderr_bytes
+         )
+ 
++    def test_lines_with_leading_tabs_expanded(self) -> None:
++        # See CVE-2024-21503. Mostly test that this completes in a reasonable
++        # time.
++        payload = "\t" * 10_000
++        assert lines_with_leading_tabs_expanded(payload) == [payload]
++
++        tab = " " * 8
++        assert lines_with_leading_tabs_expanded("\tx") == [f"{tab}x"]
++        assert lines_with_leading_tabs_expanded("\t\tx") == [f"{tab}{tab}x"]
++        assert lines_with_leading_tabs_expanded("\tx\n  y") == [f"{tab}x", "  y"]
+ 
+ class TestCaching:
+     def test_get_cache_dir(
+-- 
+2.37.2.windows.2
+

python-black.spec

@@ -1,13 +1,18 @@
-Name:           black
-Version:        23.3.0
-Release:        3
+%global _empty_manifest_terminate_build 0
+%global pypi_name black
+
+Name:           python-%{pypi_name}
+Version:        24.2.0
+Release:        2
 Summary:        The uncompromising code formatter
 License:        MIT
 URL:            https://github.com/psf/black
-Source:         %{pypi_source black}
+Source0:        %{url}/archive/%{version}/%{pypi_name}-%{version}.tar.gz
 
 BuildArch:      noarch
 
+Patch0: CVE-2024-21503.patch
+
 BuildRequires:  python3-devel
 
 # Base build requires
@@ -28,15 +33,15 @@ You will save time and mental energy for more important matters.}
 %description %_description
 
 
-%package -n     python3-black
+%package -n     python3-%{pypi_name}
 Summary:        %{summary}
-Recommends:     black+d = %{version}-%{release}
+%{?python_provide:%python_provide python3-%{pypi_name}}
 
-%description -n python3-black %_description
+%description -n python3-%{pypi_name} %_description
 
 
 %prep
-%autosetup -n black-%{version} -p1
+%autosetup -p1 -n %{pypi_name}-%{version}
 
 %build
 %pyproject_build
@@ -49,21 +54,34 @@ for exe in black blackd; do
   ln -sr %{buildroot}%{_bindir}/${exe}{,-%{python3_version}}
 done
 
-%files -n black
+%files -n python3-%{pypi_name}
 %license LICENSE
 %doc README.md
 %{_bindir}/black
 %{_bindir}/black-%{python3_version}
 %{_bindir}/blackd
 %{_bindir}/blackd-%{python3_version}
-%{python3_sitelib}/__pycache__/*
-%{python3_sitelib}/black-%{version}.dist-info/*
 %{python3_sitelib}/_black_version.py
-%{python3_sitelib}/black/*
-%{python3_sitelib}/blackd/*
+%{python3_sitelib}/__pycache__/*
+%{python3_sitelib}/black*
 %{python3_sitelib}/blib2to3/*
 
 %changelog
+* Wed Apr 17 2024 yanjianqing <yanjianqing@kylinos.cn> - 24.2.0-2
+- Fix CVE-2024-21503
+
+* Fri Feb 23 2024 chendexi <chendexi@kylinos.cn> - 24.2.0-1
+- Update package to version 24.2.0
+
+* Mon Jun 19 2023 jiangxinyu <jiangxinyu@kylinos.cn> - 23.11.0-1
+- Update package to version 23.11.0
+
+* Mon Jul 10 2023 Dongxing Wang <dxwangk@isoftstone.com> - 23.3.0-5
+- Add the black extra package file list
+
+* Fri Jul 7 2023 Dongxing Wang <dxwangk@isoftstone.com> - 23.3.0-4
+- Fix the black package name
+
 * Wed Jul 5 2023 li-miaomiao_zhr <mmlidc@isoftstone.com> - 23.3.0-3
 - Change the software packaging name to "python3 black"