--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
[ Reason ]
node-qs is vulnerable to prototype pollution, this affects web
applications using node-express (CVE-2022-24999)
[ Impact ]
Medium security issue
[ Tests ]
Patch adds a test to verify that bug is fixed
[ Risks ]
No risk, patch is trivial
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
Just verity that key isn't __proto__ before updating object keys
Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 3734d04..774ba07 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-qs (6.9.4+ds-1+deb11u1) bullseye; urgency=medium
+
+ * Team upload
+ * Fix prototype pollution (Closes: CVE-2022-24999)
+
+ -- Yadd <yadd@debian.org> Sat, 03 Dec 2022 20:22:12 +0100
+
node-qs (6.9.4+ds-1) unstable; urgency=medium
* Team upload
diff --git a/debian/patches/CVE-2022-24999.patch b/debian/patches/CVE-2022-24999.patch
new file mode 100644
index 0000000..45c26ca
--- /dev/null
+++ b/debian/patches/CVE-2022-24999.patch
@@ -0,0 +1,87 @@
+Description: `parse`: ignore `__proto__` keys
+Author: Jordan Harband <ljharb@gmail.com>
+Origin: upstream, https://github.com/ljharb/qs/pull/428
+Bug: https://security-tracker.debian.org/tracker/CVE-2022-24999
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2022-12-03
+
+--- a/lib/parse.js
++++ b/lib/parse.js
+@@ -135,7 +135,7 @@
+ ) {
+ obj = [];
+ obj[index] = leaf;
+- } else {
++ } else if (cleanRoot !== '__proto__') {
+ obj[cleanRoot] = leaf;
+ }
+ }
+--- a/test/parse.js
++++ b/test/parse.js
+@@ -768,5 +768,65 @@
+ st.end();
+ });
+
++ t.test('dunder proto is ignored', function (st) {
++ var payload = 'categories[__proto__]=login&categories[__proto__]&categories[length]=42';
++ var result = qs.parse(payload, { allowPrototypes: true });
++
++ st.deepEqual(
++ result,
++ {
++ categories: {
++ length: '42'
++ }
++ },
++ 'silent [[Prototype]] payload'
++ );
++
++ var plainResult = qs.parse(payload, { allowPrototypes: true, plainObjects: true });
++
++ st.deepEqual(
++ plainResult,
++ {
++ __proto__: null,
++ categories: {
++ __proto__: null,
++ length: '42'
++ }
++ },
++ 'silent [[Prototype]] payload: plain objects'
++ );
++
++ var query = qs.parse('categories[__proto__]=cats&categories[__proto__]=dogs&categories[some][json]=toInject', { allowPrototypes: true });
++
++ st.notOk(Array.isArray(query.categories), 'is not an array');
++ st.notOk(query.categories instanceof Array, 'is not instanceof an array');
++ st.deepEqual(query.categories, { some: { json: 'toInject' } });
++ st.equal(JSON.stringify(query.categories), '{"some":{"json":"toInject"}}', 'stringifies as a non-array');
++
++ st.deepEqual(
++ qs.parse('foo[__proto__][hidden]=value&foo[bar]=stuffs', { allowPrototypes: true }),
++ {
++ foo: {
++ bar: 'stuffs'
++ }
++ },
++ 'hidden values'
++ );
++
++ st.deepEqual(
++ qs.parse('foo[__proto__][hidden]=value&foo[bar]=stuffs', { allowPrototypes: true, plainObjects: true }),
++ {
++ __proto__: null,
++ foo: {
++ __proto__: null,
++ bar: 'stuffs'
++ }
++ },
++ 'hidden values: plain objects'
++ );
++
++ st.end();
++ });
++
+ t.end();
+ });
diff --git a/debian/patches/series b/debian/patches/series
index aa71f6e..d1bf800 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
use-lodash-forEach-in-test.diff
+CVE-2022-24999.patch
--- End Message ---