Bug#1040678: marked as done (bookworm-pu: package node-dottie/2.0.2-4+deb12u1)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Sat, 07 Oct 2023 09:59:38 +0000
with message-id <E1qp45y-00A49r-CP@coccia.debian.org>
and subject line Released with 12.2
has caused the Debian Bug report #1040678,
regarding bookworm-pu: package node-dottie/2.0.2-4+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1040678: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040678
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: bookworm-pu: package node-dottie/2.0.2-4+deb12u1
• From: Yadd <yadd@debian.org>
• Date: Sun, 09 Jul 2023 09:09:43 +0400
• Message-id: <168887938372.1693996.5094067986672596069.reportbug@debian117>

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: node-dottie@packages.debian.org
Control: affects -1 + src:node-dottie

[ Reason ]
node-dottie is vulnerable to prototype pollution (#1040592,
CVE-2023-26132)

[ Impact ]
Medium security issue

[ Tests ]
Test updated passed

[ Risks ]
Low risk, patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Don't allow __proto__ modifications.
Patch includes also debian/tests/pkg-js/enable_proto file to allow
__proto__ calls during autopkgtest (forbidden by default) because patch
includes a prototype-pollution test

Cheers,
Yadd

diff --git a/debian/changelog b/debian/changelog
index 9edf53f..a6edff9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-dottie (2.0.2-4+deb12u1) bookworm; urgency=medium
+
+  * Team upload
+  * Fix prototype pollution (Closes: #1040592, CVE-2023-26132)
+
+ -- Yadd <yadd@debian.org>  Sun, 09 Jul 2023 08:43:00 +0400
+
 node-dottie (2.0.2-4) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/patches/CVE-2023-26132.patch b/debian/patches/CVE-2023-26132.patch
new file mode 100644
index 0000000..5186407
--- /dev/null
+++ b/debian/patches/CVE-2023-26132.patch
@@ -0,0 +1,76 @@
+Description: rudimentary __proto__ guarding
+Author: Mick Hansen <maker@mhansen.io>
+Origin: upstream, https://github.com/mickhansen/dottie.js/commit/7d3aee1c
+Bug: https://security.snyk.io/vuln/SNYK-JS-DOTTIE-3332763
+Bug-Debian: https://bugs.debian.org/1040592
+Forwarded: not-needed
+Applied-Upstream: 2.0.6, commit:7d3aee1c
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2023-07-09
+
+--- a/README.md
++++ b/README.md
+@@ -42,6 +42,8 @@
+ });
+ ```
+ 
++If you accept arbitrary/user-defined paths to `set` you should call `Object.preventExtensions(values)` first to guard against potential pollution.
++
+ ### Transform object
+ Transform object from keys with dottie notation to nested objects
+ 
+--- a/dottie.js
++++ b/dottie.js
+@@ -72,6 +72,7 @@
+   // Set nested value
+   Dottie.set = function(object, path, value, options) {
+     var pieces = Array.isArray(path) ? path : path.split('.'), current = object, piece, length = pieces.length;
++    if (pieces[0] === '__proto__') return;
+ 
+     if (typeof current !== 'object') {
+         throw new Error('Parent is not an object.');
+@@ -137,6 +138,9 @@
+ 
+       if (key.indexOf(options.delimiter) !== -1) {
+         pieces = key.split(options.delimiter);
++
++        if (pieces[0] === '__proto__') break;
++
+         piecesLength = pieces.length;
+         current = transformed;
+ 
+--- a/test/set.test.js
++++ b/test/set.test.js
+@@ -45,4 +45,12 @@
+     });
+     expect(data.foo.bar.baz).to.equal('someValue');
+   });
++
++  it('should not attempt to set __proto__', function () {
++    var data = {};
++
++    dottie.set(data, '__proto__.pollution', 'polluted');
++
++    expect(data.__proto__.pollution).to.be.undefined;
++  });
+ });
+\ No newline at end of file
+--- a/test/transform.test.js
++++ b/test/transform.test.js
+@@ -145,4 +145,16 @@
+     expect(transformed.user.location.city).to.equal('Zanzibar City');
+     expect(transformed.project.title).to.equal('dottie');
+   });
++
++  it("should guard against prototype pollution", function () {
++    var values = {
++      'user.name': 'John Doe',
++      '__proto__.pollution': 'pollution'
++    };
++
++    var transformed = dottie.transform(values);
++    expect(transformed.user).not.to.equal(undefined);
++    expect(transformed.user.name).to.equal('John Doe');
++    expect(transformed.__proto__.pollution).to.be.undefined;
++  });
+ });
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..e86da5e
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2023-26132.patch
diff --git a/debian/tests/pkg-js/enable_proto b/debian/tests/pkg-js/enable_proto
new file mode 100644
index 0000000..e69de29

--- End Message ---

--- Begin Message ---

• To: 1040678-done@bugs.debian.org
• Subject: Released with 12.2
• From: Jonathan Wiltshire <jmw@coccia.debian.org>
• Date: Sat, 07 Oct 2023 09:59:38 +0000
• Message-id: <E1qp45y-00A49r-CP@coccia.debian.org>

Version: 12.2

The upload requested in this bug has been released as part of 12.2.

--- End Message ---