[Pkg-javascript-devel] Bug#941683: buster-pu: package node-yarnpkg/1.13.0-1+deb10u1
Xavier Guimard
yadd at debian.org
Thu Oct 3 19:57:49 BST 2019
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org at packages.debian.org
Usertags: pu
Hi,
node-yarnpkg is vulnerable: it exposes auth data in plain-http requests
(#941354, CVE-2019-5448). This patch imports the upstream fix.
Cheers,
Xavier
-------------- next part --------------
diff --git a/debian/changelog b/debian/changelog
index 01fe7d70d..6c4b5fef1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+node-yarnpkg (1.13.0-1+deb10u1) buster; urgency=medium
+
+ * Team upload
+ * Add patch to force using https for the regular registries
+ (Closes: #941354, CVE-2019-5448)
+
+ -- Xavier Guimard <yadd at debian.org> Thu, 03 Oct 2019 18:23:54 +0200
+
node-yarnpkg (1.13.0-1) unstable; urgency=low
* Initial release (Closes: #843021)
diff --git a/debian/patches/CVE-2019-5448.diff b/debian/patches/CVE-2019-5448.diff
new file mode 100644
index 000000000..8bb7442c8
--- /dev/null
+++ b/debian/patches/CVE-2019-5448.diff
@@ -0,0 +1,75 @@
+Description: Forces using https for the regular registries
+Author: Maƫl Nison <https://github.com/arcanis>
+Origin: upstream, https://github.com/yarnpkg/yarn/commit/2f08a740
+Bug: https://hackerone.com/reports/640904
+Bug-Debian: https://bugs.debian.org/941354
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <yadd at debian.org>
+Last-Update: 2019-10-03
+
+--- a/__tests__/registries/npm-registry.js
++++ b/__tests__/registries/npm-registry.js
+@@ -750,6 +750,30 @@
+
+ expect(npmRegistry.getRequestUrl(registry, pathname)).toEqual('https://my.registry.co/registry/foo/bar/baz');
+ });
++
++ for (const host of [`registry.yarnpkg.com`, `registry.npmjs.org`, `registry.npmjs.com`]) {
++ test(`enforces loading packages through https when they come from ${host}`, () => {
++ const testCwd = '.';
++ const {mockRequestManager, mockRegistries, mockReporter} = createMocks();
++ const npmRegistry = new NpmRegistry(testCwd, mockRegistries, mockRequestManager, mockReporter, true, []);
++ const registry = `http://${host}/registry`;
++ const pathname = 'foo/bar/baz';
++
++ expect(npmRegistry.getRequestUrl(registry, pathname)).toEqual(`https://${host}/registry/foo/bar/baz`);
++ });
++ }
++
++ test("doesn't change the protocol for packages from other registries", () => {
++ const testCwd = '.';
++ const {mockRequestManager, mockRegistries, mockReporter} = createMocks();
++ const npmRegistry = new NpmRegistry(testCwd, mockRegistries, mockRequestManager, mockReporter, true, []);
++ const registry = 'http://registry.mylittlepony.org/registry';
++ const pathname = 'foo/bar/baz';
++
++ expect(npmRegistry.getRequestUrl(registry, pathname)).toEqual(
++ 'http://registry.mylittlepony.org/registry/foo/bar/baz',
++ );
++ });
+ });
+
+ describe('getScope functional test', () => {
+--- a/src/registries/npm-registry.js
++++ b/src/registries/npm-registry.js
+@@ -22,6 +22,7 @@
+ import ini from 'ini';
+
+ const DEFAULT_REGISTRY = 'https://registry.npmjs.org/';
++const REGEX_REGISTRY_ENFORCED_HTTPS = /^https?:\/\/([^\/]+\.)?(yarnpkg\.com|npmjs\.(org|com))(\/|$)/;
+ const REGEX_REGISTRY_HTTP_PROTOCOL = /^https?:/i;
+ const REGEX_REGISTRY_PREFIX = /^(https?:)?\/\//i;
+ const REGEX_REGISTRY_SUFFIX = /registry\/?$/;
+@@ -112,13 +113,17 @@
+ }
+
+ getRequestUrl(registry: string, pathname: string): string {
+- const isUrl = REGEX_REGISTRY_PREFIX.test(pathname);
++ let resolved = pathname;
+
+- if (isUrl) {
+- return pathname;
+- } else {
+- return url.resolve(addSuffix(registry, '/'), pathname);
++ if (!REGEX_REGISTRY_PREFIX.test(pathname)) {
++ resolved = url.resolve(addSuffix(registry, '/'), pathname);
+ }
++
++ if (REGEX_REGISTRY_ENFORCED_HTTPS.test(resolved)) {
++ resolved = resolved.replace(/^http:\/\//, 'https://');
++ }
++
++ return resolved;
+ }
+
+ isRequestToRegistry(requestUrl: string, registryUrl: string): boolean {
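Review bot: The new `REGEX_REGISTRY_ENFORCED_HTTPS` constant and the `replace(/^http:\/\//, 'https://')` call inside `getRequestUrl` are both case-sensitive, while the neighbouring `REGEX_REGISTRY_HTTP_PROTOCOL` and `REGEX_REGISTRY_PREFIX` constants in the same hunk carry the `i` flag; URL schemes and host names are case-insensitive, so a registry configured as `HTTP://Registry.npmjs.org/` would pass the prefix check but not be upgraded to https, leaving the credential-leak path open for that spelling. Adding the flag to both keeps the fix consistent with the file's existing regexes: `const REGEX_REGISTRY_ENFORCED_HTTPS = /^https?:\/\/([^\/]+\.)?(yarnpkg\.com|npmjs\.(org|com))(\/|$)/i;` and `resolved = resolved.replace(/^http:\/\//i, 'https://');`. The added tests only exercise lowercase hosts, so one case with a mixed-case scheme or host would pin this behaviour. The inner `getRequestUrl` body is complete within the nested hunk, so no part of it is hidden here.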
diff --git a/debian/patches/series b/debian/patches/series
index f3c856f99..7c03222a8 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -9,3 +9,4 @@
08-cli-table3.diff
09-buffer_from.diff
10-babel-plugin-inline-import.diff
+CVE-2019-5448.diff