[Pkg-javascript-devel] Bug#1040678: bookworm-pu: package node-dottie/2.0.2-4+deb12u1
Yadd
yadd at debian.org
Sun Jul 9 06:09:43 BST 2023
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org at packages.debian.org
Usertags: pu
X-Debbugs-Cc: node-dottie at packages.debian.org
Control: affects -1 + src:node-dottie
[ Reason ]
node-dottie is vulnerable to prototype pollution (#1040592,
CVE-2023-26132)
[ Impact ]
Medium security issue
[ Tests ]
Updated test passes
[ Risks ]
Low risk, patch is trivial
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
Don't allow __proto__ modifications.
The patch also adds a debian/tests/pkg-js/enable_proto file to allow
__proto__ calls during autopkgtest (forbidden by default), because the patch
includes a prototype-pollution test.
Cheers,
Yadd
-------------- next part --------------
diff --git a/debian/changelog b/debian/changelog
index 9edf53f..a6edff9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-dottie (2.0.2-4+deb12u1) bookworm; urgency=medium
+
+ * Team upload
+ * Fix prototype pollution (Closes: #1040592, CVE-2023-26132)
+
+ -- Yadd <yadd at debian.org> Sun, 09 Jul 2023 08:43:00 +0400
+
node-dottie (2.0.2-4) unstable; urgency=medium
* Team upload
diff --git a/debian/patches/CVE-2023-26132.patch b/debian/patches/CVE-2023-26132.patch
new file mode 100644
index 0000000..5186407
--- /dev/null
+++ b/debian/patches/CVE-2023-26132.patch
@@ -0,0 +1,76 @@
+Description: rudimentary __proto__ guarding
+Author: Mick Hansen <maker at mhansen.io>
+Origin: upstream, https://github.com/mickhansen/dottie.js/commit/7d3aee1c
+Bug: https://security.snyk.io/vuln/SNYK-JS-DOTTIE-3332763
+Bug-Debian: https://bugs.debian.org/1040592
+Forwarded: not-needed
+Applied-Upstream: 2.0.6, commit:7d3aee1c
+Reviewed-By: Yadd <yadd at debian.org>
+Last-Update: 2023-07-09
+
+--- a/README.md
++++ b/README.md
+@@ -42,6 +42,8 @@
+ });
+ ```
+
++If you accept arbitrary/user-defined paths to `set` you should call `Object.preventExtensions(values)` first to guard against potential pollution.
++
+ ### Transform object
+ Transform object from keys with dottie notation to nested objects
+
+--- a/dottie.js
++++ b/dottie.js
+@@ -72,6 +72,7 @@
+ // Set nested value
+ Dottie.set = function(object, path, value, options) {
+ var pieces = Array.isArray(path) ? path : path.split('.'), current = object, piece, length = pieces.length;
++ if (pieces[0] === '__proto__') return;
+
+ if (typeof current !== 'object') {
+ throw new Error('Parent is not an object.');
+@@ -137,6 +138,9 @@
+
+ if (key.indexOf(options.delimiter) !== -1) {
+ pieces = key.split(options.delimiter);
++
++ if (pieces[0] === '__proto__') break;
++
+ piecesLength = pieces.length;
+ current = transformed;
+
+--- a/test/set.test.js
++++ b/test/set.test.js
+@@ -45,4 +45,12 @@
+ });
+ expect(data.foo.bar.baz).to.equal('someValue');
+ });
++
++ it('should not attempt to set __proto__', function () {
++ var data = {};
++
++ dottie.set(data, '__proto__.pollution', 'polluted');
++
++ expect(data.__proto__.pollution).to.be.undefined;
++ });
+ });
+\ No newline at end of file
+--- a/test/transform.test.js
++++ b/test/transform.test.js
+@@ -145,4 +145,16 @@
+ expect(transformed.user.location.city).to.equal('Zanzibar City');
+ expect(transformed.project.title).to.equal('dottie');
+ });
++
++ it("should guard against prototype pollution", function () {
++ var values = {
++ 'user.name': 'John Doe',
++ '__proto__.pollution': 'pollution'
++ };
++
++ var transformed = dottie.transform(values);
++ expect(transformed.user).not.to.equal(undefined);
++ expect(transformed.user.name).to.equal('John Doe');
++ expect(transformed.__proto__.pollution).to.be.undefined;
++ });
+ });
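Review bot: The `break` added in the transform guard (`if (pieces[0] === '__proto__') break;`) exits the enclosing loop, so if that loop is the one iterating the input keys (its header is outside the hunk), every key after the rejected one is silently dropped from the result rather than only the offending key; `continue` is the intended statement, and the new transform test only passes because `'user.name'` happens to precede `'__proto__.pollution'` in the literal. Relatedly, both guards (the `set` one as well) inspect only `pieces[0]`, so the patch's own description of "rudimentary" guarding is accurate: a defensive check should reject a forbidden segment at any depth and cover `constructor`/`prototype` too, e.g. `if (pieces.some(function (p) { return p === '__proto__' || p === 'constructor' || p === 'prototype'; })) continue;`. A test with the two keys in reverse order, and one with the forbidden segment in a non-leading position, would pin both behaviours; the README advice to call `Object.preventExtensions(values)` only protects the caller's own object, not `Object.prototype`, so it should not be read as a substitute for the guard.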
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..e86da5e
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2023-26132.patch
diff --git a/debian/tests/pkg-js/enable_proto b/debian/tests/pkg-js/enable_proto
new file mode 100644
index 0000000..e69de29