File CVE-2021-44906.patch of Package nodejs14.23946
Index: node-v8.17.0/deps/npm/node_modules/minimist/index.js
===================================================================
--- node-v8.17.0.orig/deps/npm/node_modules/minimist/index.js
+++ node-v8.17.0/deps/npm/node_modules/minimist/index.js
@@ -70,7 +70,7 @@ module.exports = function (args, opts) {
var o = obj;
for (var i = 0; i < keys.length-1; i++) {
var key = keys[i];
- if (key === '__proto__') return;
+ if (isConstructorOrProto(o, key)) return;
if (o[key] === undefined) o[key] = {};
if (o[key] === Object.prototype || o[key] === Number.prototype
|| o[key] === String.prototype) o[key] = {};
@@ -79,7 +79,7 @@ module.exports = function (args, opts) {
}
var key = keys[keys.length - 1];
- if (key === '__proto__') return;
+ if (isConstructorOrProto(o, key)) return;
if (o === Object.prototype || o === Number.prototype
|| o === String.prototype) o = {};
if (o === Array.prototype) o = [];
@@ -243,3 +243,7 @@ function isNumber (x) {
return /^[-+]?(?:\d+(?:\.\d*)?|\.\d+)(e[-+]?\d+)?$/.test(x);
}
+
+function isConstructorOrProto (obj, key) {
+ return key === 'constructor' && typeof obj[key] === 'function' || key === '__proto__';
+}
Index: node-v8.17.0/deps/npm/node_modules/minimist/package.json
===================================================================
--- node-v8.17.0.orig/deps/npm/node_modules/minimist/package.json
+++ node-v8.17.0/deps/npm/node_modules/minimist/package.json
@@ -69,5 +69,5 @@
"opera/12"
]
},
- "version": "1.2.5"
+ "version": "1.2.6"
}
Index: node-v8.17.0/deps/npm/node_modules/minimist/readme.markdown
===================================================================
--- node-v8.17.0.orig/deps/npm/node_modules/minimist/readme.markdown
+++ node-v8.17.0/deps/npm/node_modules/minimist/readme.markdown
@@ -34,7 +34,10 @@ $ node example/parse.js -x 3 -y 4 -n5 -a
Previous versions had a prototype pollution bug that could cause privilege
escalation in some circumstances when handling untrusted user input.
-Please use version 1.2.3 or later: https://snyk.io/vuln/SNYK-JS-MINIMIST-559764
+Please use version 1.2.6 or later:
+
+* https://security.snyk.io/vuln/SNYK-JS-MINIMIST-2429795 (version <=1.2.5)
+* https://snyk.io/vuln/SNYK-JS-MINIMIST-559764 (version <=1.2.3)
# methods
Index: node-v8.17.0/deps/npm/node_modules/minimist/test/proto.js
===================================================================
--- node-v8.17.0.orig/deps/npm/node_modules/minimist/test/proto.js
+++ node-v8.17.0/deps/npm/node_modules/minimist/test/proto.js
@@ -42,3 +42,19 @@ test('proto pollution (constructor)', fu
t.equal(argv.y, undefined);
t.end();
});
+
+test('proto pollution (constructor function)', function (t) {
+ var argv = parse(['--_.concat.constructor.prototype.y', '123']);
+ function fnToBeTested() {}
+ t.equal(fnToBeTested.y, undefined);
+ t.equal(argv.y, undefined);
+ t.end();
+});
+
+// powered by snyk - https://github.com/backstage/backstage/issues/10343
+test('proto pollution (constructor function) snyk', function (t) {
+ var argv = parse('--_.constructor.constructor.prototype.foo bar'.split(' '));
+ t.equal((function(){}).foo, undefined);
+ t.equal(argv.y, undefined);
+ t.end();
+})