Package: node-cached-path-relative / 1.0.2-1+deb11u1

CVE-2021-23518.patch Patch series | download
Description: fix prototype pollution
Origin: upstream, https://github.com/ashaffer/cached-path-relative/commit/40c73bf70
Author: Andrew <darawk@gmail.com>
Bug: https://security.snyk.io/vuln/SNYK-JS-CACHEDPATHRELATIVE-72573
Forwarded: not-needed
Reviewed-By: Yadd <yadd@debian.org>
Last-Update: 2022-01-26

--- a/lib/index.js
+++ b/lib/index.js
@@ -27,7 +27,7 @@
   // to invalidate the cache
   var cwd = process.cwd()
   if (cwd !== lastCwd) {
-    cache = {}
+    cache = Object.create(null)
     lastCwd = cwd
   }
 
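Review bot: The module-level initialisation of `cache` is outside this hunk, so confirm that it is also `Object.create(null)`; if it is still `{}`, calls made before the first cwd change would presumably keep storing caller-supplied keys on an ordinary object. Nothing in the new code explains the unusual allocation, either here or on the `cache[from]` line in the second hunk. A short comment above each, such as `// null-prototype object: caller-supplied keys must never resolve to Object.prototype`, would keep a later cleanup from reverting to `{}`. The enclosing function starts and ends outside the hunk.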
@@ -35,7 +35,7 @@
 
   var result = relative.call(path, from, to)
 
-  cache[from] = cache[from] || {}
+  cache[from] = cache[from] || Object.create(null)
   cache[from][to] = result
 
   return result
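Review bot: The patch as shown touches only lib/index.js and adds no regression test, so nothing stops the `|| Object.create(null)` fallback from being simplified back to `|| {}` later. A test would pin the fix if it calls the function with a `from` value that names an inherited property and then asserts that a fresh `{}` has gained no new keys. Longer term, a `Map` of `Map`s would make key isolation structural rather than dependent on every allocation site using the right constructor. The function's closing brace and the cache lookup between the two hunks are not visible here.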