File: CVE-2021-23413.patch

package info (click to toggle)
node-jszip 3.5.0%2Bdfsg-2
  • links: PTS, VCS
  • area: main
  • in suites: bullseye
  • size: 25,100 kB
  • sloc: javascript: 5,652; makefile: 2; sh: 2
file content (43 lines) | stat: -rw-r--r-- 1,540 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
 
Description: fix: Use a null prototype object for this.files
Author: Michael Aquilina <michaelaquilina@gmail.com>
Bug: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23413
Forwarded: not-needed
Reviewed-By: Yadd <yadd@debian.org>
Last-Update: 2021-07-26

--- a/lib/index.js
+++ b/lib/index.js
@@ -19,7 +19,10 @@
     //   "folder/" : {...},
     //   "folder/data.txt" : {...}
     // }
-    this.files = {};
+    // NOTE: we use a null prototype because we do not
+    // want filenames like "toString" coming from a zip file
+    // to overwrite methods and attributes in a normal Object.
+    this.files = Object.create(null);
 
     this.comment = null;
 
--- a/lib/object.js
+++ b/lib/object.js
@@ -179,16 +179,16 @@
      */
     forEach: function(cb) {
         var filename, relativePath, file;
+        /* jshint ignore:start */
+        // ignore warning about unwanted properties because this.files is a null prototype object
         for (filename in this.files) {
-            if (!this.files.hasOwnProperty(filename)) {
-                continue;
-            }
             file = this.files[filename];
             relativePath = filename.slice(this.root.length, filename.length);
             if (relativePath && filename.slice(0, this.root.length) === this.root) { // the file is in the current root
                 cb(relativePath, file); // TODO reverse the parameters ? need to be clean AND consistent with the filter search fn...
             }
         }
+        /* jshint ignore:end */
     },
 
     /**