From 5d36e4fe331dd5c88fe75c8f86cbc4e58a4d6c60 Mon Sep 17 00:00:00 2001
From: wangxiao65 <287608437@qq.com>
Date: Tue, 13 Apr 2021 23:01:36 +0800
Subject: [PATCH] fix CVE-2021-23358

---
 CVE-2021-23358.patch   | 64 ++++++++++++++++++++++++++++++++++++++++++
 nodejs-underscore.spec |  6 +++-
 2 files changed, 69 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2021-23358.patch

diff --git a/CVE-2021-23358.patch b/CVE-2021-23358.patch
new file mode 100644
index 0000000..9f99808
--- /dev/null
+++ b/CVE-2021-23358.patch
@@ -0,0 +1,64 @@
+From 4c73526d43838ad6ab43a6134728776632adeb66 Mon Sep 17 00:00:00 2001
+From: Julian Gonggrijp <dev@juliangonggrijp.com>
+Date: Sat, 13 Mar 2021 22:38:44 +0100
+Subject: [PATCH] Fix #2911
+
+---
+ underscore.js         | 23 +++++++++++++++++++----
+ 1 files changed, 20 insertions(+), 4 deletions(-)
+
+diff --git a/underscore.js b/underscore.js
+index 3af6352e6..798eda091 100644
+--- a/underscore.js
++++ b/underscore.js
+@@ -1550,6 +1550,13 @@
+     return '\\' + escapes[match];
+   };
+ 
++  // In order to prevent third-party code injection through
++  // `_.templateSettings.variable`, we test it against the following regular
++  // expression. It is intentionally a bit more liberal than just matching valid
++  // identifiers, but still prevents possible loopholes through defaults or
++  // destructuring assignment.
++  var bareIdentifier = /^\s*(\w|\$)+\s*$/;
++
+   // JavaScript micro-templating, similar to John Resig's implementation.
+   // Underscore templating handles arbitrary delimiters, preserves whitespace,
+   // and correctly escapes quotes within interpolated code.
+@@ -1585,8 +1592,17 @@
+     });
+     source += "';\n";
+ 
+-    // If a variable is not specified, place data values in local scope.
+-    if (!settings.variable) source = 'with(obj||{}){\n' + source + '}\n';
++    var argument = settings.variable;
++    if (argument) {
++      // Insure against third-party code injection.
++      if (!bareIdentifier.test(argument)) throw new Error(
++        'variable is not a bare identifier: ' + argument
++      );
++    } else {
++      // If a variable is not specified, place data values in local scope.
++      source = 'with(obj||{}){\n' + source + '}\n';
++      argument = 'obj';
++    }
+ 
+     source = "var __t,__p='',__j=Array.prototype.join," +
+       "print=function(){__p+=__j.call(arguments,'');};\n" +
+@@ -1594,7 +1610,7 @@
+ 
+     var render;
+     try {
+-      render = new Function(settings.variable || 'obj', '_', source);
++      render = new Function(argument, '_', source);
+     } catch (e) {
+       e.source = source;
+       throw e;
+@@ -1605,7 +1621,6 @@
+     };
+ 
+     // Provide the compiled source as a convenience for precompilation.
+-    var argument = settings.variable || 'obj';
+     template.source = 'function(' + argument + '){\n' + source + '}';
+ 
+     return template;
diff --git a/nodejs-underscore.spec b/nodejs-underscore.spec
index 3041789..f38e73f 100644
--- a/nodejs-underscore.spec
+++ b/nodejs-underscore.spec
@@ -3,11 +3,12 @@
 %global installdir  %{_jsdir}/underscore
 Name:                nodejs-underscore
 Version:             1.9.1
-Release:             1
+Release:             2
 Summary:             JavaScript's functional programming helper library
 License:             MIT
 URL:                 http://github.com/jashkenas/underscore
 Source0:             http://github.com/jashkenas/underscore/archive/%{version}.tar.gz
+Patch0000:           CVE-2021-23358.patch
 BuildArch:           noarch
 ExclusiveArch:       %{nodejs_arches} noarch
 BuildRequires:       web-assets-devel
@@ -61,5 +62,8 @@ cp -pr underscore.js underscore-min.js underscore-min.map \
 %{installdir}
 
 %changelog
+* Fri Apr 16 2021 wangxiao <wangxiao65@huawei.com> - 1.9.1-2
+- Fix CVE-2021-23358
+
 * Thu Aug 20 2020 zhanghua <zhanghua40@huawei.com> - 1.9.1-1
 - Package init
-- 
Gitee