
Bug#950773: buster-pu: package node-dot-prop/4.1.1-1+deb10u1



Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

node-dot-prop is vulnerable to prototype pollution. The upstream patch
below fixes the problem.

Cheers,
Xavier
diff --git a/debian/changelog b/debian/changelog
index 84868fc..f7509b9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-dot-prop (4.1.1-1+deb10u1) buster; urgency=medium
+
+  * Team upload
+  * Add fix for prototype pollution (Closes: CVE-2020-8116)
+
+ -- Xavier Guimard <yadd@debian.org>  Thu, 06 Feb 2020 06:33:11 +0100
+
 node-dot-prop (4.1.1-1) unstable; urgency=low
 
   * Initial release (Closes: #868441)
diff --git a/debian/patches/CVE-2020-8116.diff b/debian/patches/CVE-2020-8116.diff
new file mode 100644
index 0000000..b7d34f1
--- /dev/null
+++ b/debian/patches/CVE-2020-8116.diff
@@ -0,0 +1,90 @@
+Description: Prevent setting/getting some problematic path components
+ Fixes CVE-2020-8116
+Author: Sindre Sorhus <sindresorhus@gmail.com>
+Origin: upstream, https://github.com/sindresorhus/dot-prop/commit/3039c8c0
+Bug: https://hackerone.com/reports/719856
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <yadd@debian.org>
+Last-Update: 2020-02-06
+
+--- a/index.js
++++ b/index.js
+@@ -1,6 +1,14 @@
+ 'use strict';
+ const isObj = require('is-obj');
+ 
++const disallowedKeys = [
++	'__proto__',
++	'prototype',
++	'constructor'
++];
++
++const isValidPath = pathSegments => !pathSegments.some(segment => disallowedKeys.includes(segment));
++
+ function getPathSegments(path) {
+ 	const pathArr = path.split('.');
+ 	const parts = [];
+@@ -15,6 +23,9 @@
+ 
+ 		parts.push(p);
+ 	}
++	if (!isValidPath(parts)) {
++		return [];
++	}
+ 
+ 	return parts;
+ }
+@@ -26,6 +37,9 @@
+ 		}
+ 
+ 		const pathArr = getPathSegments(path);
++		if (pathArray.length === 0) {
++			return;
++		}
+ 
+ 		for (let i = 0; i < pathArr.length; i++) {
+ 			if (!Object.prototype.propertyIsEnumerable.call(obj, pathArr[i])) {
+@@ -57,6 +71,9 @@
+ 		}
+ 
+ 		const pathArr = getPathSegments(path);
++		if (pathArray.length === 0) {
++			return;
++		}
+ 
+ 		for (let i = 0; i < pathArr.length; i++) {
+ 			const p = pathArr[i];
+@@ -79,6 +96,9 @@
+ 		}
+ 
+ 		const pathArr = getPathSegments(path);
++		if (pathArray.length === 0) {
++                        return;
++                }
+ 
+ 		for (let i = 0; i < pathArr.length; i++) {
+ 			const p = pathArr[i];
+--- a/readme.md
++++ b/readme.md
+@@ -79,6 +79,8 @@
+ 
+ Use `\\.` if you have a `.` in the key.
+ 
++The following path components are invalid and results in `undefined` being returned: `__proto__`, `prototype`, `constructor`.
++
+ #### value
+ 
+ Type: `any`
+--- a/test.js
++++ b/test.js
+@@ -193,3 +193,10 @@
+ 	t.is(m.has({'foo.baz': {bar: true}}, 'foo\\.baz.bar'), true);
+ 	t.is(m.has({'fo.ob.az': {bar: true}}, 'fo\\.ob\\.az.bar'), true);
+ });
++
++test('prevent setting/getting `__proto__`', t => {
++	dotProp.set({}, '__proto__.unicorn', 'x');
++	t.not({}.unicorn, 'x'); // eslint-disable-line no-use-extend-native/no-use-extend-native
++
++	t.is(dotProp.get({}, '__proto__'), undefined);
++});
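Review bot: The guards added in the `@@ -26,6 +37,9 @@`, `@@ -57,6 +71,9 @@` and `@@ -79,6 +96,9 @@` hunks of index.js test `pathArray.length`, but the variable declared on the line directly above each guard is `pathArr`; unless `pathArray` is declared somewhere the patch does not show, reading it throws a ReferenceError on every call into those functions instead of rejecting only the disallowed path, so each guard should read `if (pathArr.length === 0) {`. The new test in test.js calls `dotProp.set` and `dotProp.get` while the neighbouring tests reference the module as `m` (the `m.has(...)` lines), so it most likely needs to use `m` too, and a run of the test suite would have surfaced the renaming mismatch. The third guard is indented with spaces where the surrounding code uses tabs. The patched functions start and end outside these hunks, so it cannot be confirmed from here whether every method that consumes `getPathSegments` (for example a `has` method, if one exists) also receives an empty-segments check, and a missing one would silently fall through to that method's default return.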
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..3100f1e
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2020-8116.diff
