diff --git a/CVE-2023-26136.patch b/CVE-2023-26136.patch
new file mode 100644
index 0000000000000000000000000000000000000000..af245a5fe9b0f85aace783c0b14c015de5a4a10c
--- /dev/null
+++ b/CVE-2023-26136.patch
@@ -0,0 +1,75 @@
+From: Colin Casey
+Date: Mon, 5 Jun 2023 12:13:22 -0300
+Subject: Prevent prototype pollution in cookie memstore (#283)
+
+All occurrences of new object creation in `memstore.js` have been changed from `{}` (i.e.; `Object.create(Object.prototype)` to `Object.create(null)` so that we are using object instances that do not have a prototype property that can be polluted.
+
+Origin: https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e
+Bug: https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873
+Bug: https://github.com/salesforce/tough-cookie/issues/282
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2023-26136
+---
+ lib/memstore.js | 6 +++---
+ test/cookie_jar_test.js | 25 +++++++++++++++++++++++++
+ 2 files changed, 28 insertions(+), 3 deletions(-)
+
+diff --git a/lib/memstore.js b/lib/memstore.js
+index 89ceb69..3486a6f 100644
+--- a/lib/memstore.js
++++ b/lib/memstore.js
+@@ -36,7 +36,7 @@ var util = require('util');
+ 
+ function MemoryCookieStore() {
+ Store.call(this);
+- this.idx = {};
++ this.idx = Object.create(null);
+ }
+ util.inherits(MemoryCookieStore, Store);
+ exports.MemoryCookieStore = MemoryCookieStore;
+@@ -109,10 +109,10 @@ MemoryCookieStore.prototype.findCookies = function(domain, path, cb) {
+ 
+ MemoryCookieStore.prototype.putCookie = function(cookie, cb) {
+ if (!this.idx[cookie.domain]) {
+- this.idx[cookie.domain] = {};
++ this.idx[cookie.domain] = Object.create(null);
+ }
+ if (!this.idx[cookie.domain][cookie.path]) {
+- this.idx[cookie.domain][cookie.path] = {};
++ this.idx[cookie.domain][cookie.path] = Object.create(null);
+ }
+ this.idx[cookie.domain][cookie.path][cookie.key] = cookie;
+ cb(null);
+diff --git a/test/cookie_jar_test.js b/test/cookie_jar_test.js
+index 9d0691d..26ad159 100644
+--- a/test/cookie_jar_test.js
++++ b/test/cookie_jar_test.js
+@@ -480,4 +480,29 @@ vows
+ }
+ }
+ })
++ .addBatch({
++ "Issue #282 - Prototype pollution": {
++ "when setting a cookie with the domain __proto__": {
++ topic: function() {
++ const jar = new tough.CookieJar(undefined, {
++ rejectPublicSuffixes: false
++ });
++ // try to pollute the prototype
++ jar.setCookieSync(
++ "Slonser=polluted; Domain=__proto__; Path=/notauth",
++ "https://__proto__/admin"
++ );
++ jar.setCookieSync(
++ "Auth=Lol; Domain=google.com; Path=/notauth",
++ "https://google.com/"
++ );
++ this.callback();
++ },
++ "results in a cookie that is not affected by the attempted prototype pollution": function() {
++ const pollutedObject = {};
++ assert(pollutedObject["/notauth"] === undefined);
++ }
++ }
++ }
++ })
+ .export(module);
diff --git a/nodejs-tough-cookie.spec b/nodejs-tough-cookie.spec
index c0ddc3105d2882dc1b369fda8540d0f4c4094ca9..27c9fbd151830e4a95a47c3772871d274898949a 100644
--- a/nodejs-tough-cookie.spec
+++ b/nodejs-tough-cookie.spec
@@ -2,13 +2,15 @@
 %global srcname tough-cookie
 Name: nodejs-%{srcname}
 Version: 2.3.2
-Release: 2
+Release: 3
 Summary: RFC6265 Cookies and Cookie Jar for Node.js
 License: MIT
 URL: https://github.com/salesforce/tough-cookie
 Source0: https://github.com/salesforce/tough-cookie/archive/v%{version}/tough-cookie-%{version}.tar.gz
 Patch0: nodejs-tough-cookie-expiry.patch
 Patch1: nodejs-tough-cookie-assert.patch
+# https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e
+Patch2: CVE-2023-26136.patch
 BuildArch: noarch
 ExclusiveArch: %{nodejs_arches} noarch
 BuildRequires: nodejs-packaging
@@ -44,6 +46,9 @@ vows --spec test/*_test.js
 %{nodejs_sitelib}/%{srcname}
 %changelog
+* Tue Dec 12 2023 yaoxin - 2.3.2-3
+- Fix CVE-2023-26136
+
 * Wed Sep 16 2020 leiju - 2.3.2-2
 - Fix build failure
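Review bot: The regression test appended to `test/cookie_jar_test.js` inside the new patch only asserts that a fresh `{}` did not inherit a `/notauth` key; it never checks that the two cookies set via `setCookieSync` are still retrievable, so a backport that broke lookups on the now null-prototype index objects would still pass. A positive assertion in the same vow, e.g. `assert.equal(jar.getCookiesSync("https://google.com/notauth").length, 1);`, pins both the absence of pollution and the store still working. Related: objects created with `Object.create(null)` have no `hasOwnProperty` method, and the parts of `lib/memstore.js` that iterate or delete from `this.idx` lie outside the two hunks backported here, so any direct call of the form `this.idx[domain].hasOwnProperty(...)` in the 2.3.2 tree would now throw and would need `Object.prototype.hasOwnProperty.call(...)` or `Object.keys(...)` instead — that cannot be confirmed from the patch alone and is worth a grep before shipping.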
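Review bot: `Patch2: CVE-2023-26136.patch` is only declared in this hunk; whether it is ever applied depends on the `%prep` section, which is outside the diff. If `%prep` applies patches with explicit `%patch0 -p1` / `%patch1 -p1` lines rather than `%autosetup -p1`, the new patch is silently skipped, the package still ships the vulnerable `memstore.js`, and the changelog entry claiming the fix is wrong; in that case add `%patch2 -p1` next to the existing ones. Since `%check` runs `vows --spec test/*_test.js` (visible in the second hunk's header), a build log lacking the new "Issue #282 - Prototype pollution" batch is a quick way to confirm the patch was not applied.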