Package: release.debian.org Severity: normal Tags: bullseye User: release.debian....@packages.debian.org Usertags: pu
[ Reason ]
node-qs is vulnerable to prototype pollution; this affects web applications using node-express (CVE-2022-24999)

[ Impact ]
Medium security issue

[ Tests ]
Patch adds a test to verify that the bug is fixed

[ Risks ]
No risk, patch is trivial

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable

[ Changes ]
Just verify that the key isn't __proto__ before updating object keys

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 3734d04..774ba07 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-qs (6.9.4+ds-1+deb11u1) bullseye; urgency=medium
+
+ * Team upload
+ * Fix prototype pollution (Closes: CVE-2022-24999)
+
+ -- Yadd <y...@debian.org> Sat, 03 Dec 2022 20:22:12 +0100
+
 node-qs (6.9.4+ds-1) unstable; urgency=medium
 * Team upload
diff --git a/debian/patches/CVE-2022-24999.patch b/debian/patches/CVE-2022-24999.patch
new file mode 100644
index 0000000..45c26ca
--- /dev/null
+++ b/debian/patches/CVE-2022-24999.patch
@@ -0,0 +1,87 @@
+Description: `parse`: ignore `__proto__` keys
+Author: Jordan Harband <ljh...@gmail.com>
+Origin: upstream, https://github.com/ljharb/qs/pull/428
+Bug: https://security-tracker.debian.org/tracker/CVE-2022-24999
+Forwarded: not-needed
+Reviewed-By: Yadd <y...@debian.org>
+Last-Update: 2022-12-03
+
+--- a/lib/parse.js
++++ b/lib/parse.js
+@@ -135,7 +135,7 @@
+ ) {
+ obj = [];
+ obj[index] = leaf;
+- } else {
++ } else if (cleanRoot !== '__proto__') {
+ obj[cleanRoot] = leaf;
+ }
+ }
+--- a/test/parse.js
++++ b/test/parse.js
+@@ -768,5 +768,65 @@
+ st.end();
+ });
++ t.test('dunder proto is ignored', function (st) {
++ var payload = 'categories[__proto__]=login&categories[__proto__]&categories[length]=42';
++ var result = qs.parse(payload, { allowPrototypes: true });
++
++ st.deepEqual(
++ result,
++ {
++ categories: {
++ length: '42'
++ }
++ },
++ 'silent [[Prototype]] payload'
++ );
++
++ var plainResult = qs.parse(payload, { allowPrototypes: true, plainObjects: true });
++
++ st.deepEqual(
++ plainResult,
++ {
++ __proto__: null,
++ categories: {
++ __proto__: null,
++ length: '42'
++ }
++ },
++ 'silent [[Prototype]] payload: plain objects'
++ );
++
++ var query = qs.parse('categories[__proto__]=cats&categories[__proto__]=dogs&categories[some][json]=toInject', { allowPrototypes: true });
++
++ st.notOk(Array.isArray(query.categories), 'is not an array');
++ st.notOk(query.categories instanceof Array, 'is not instanceof an array');
++ st.deepEqual(query.categories, { some: { json: 'toInject' } });
++ st.equal(JSON.stringify(query.categories), '{"some":{"json":"toInject"}}', 'stringifies as a non-array');
++
++ st.deepEqual(
++ qs.parse('foo[__proto__][hidden]=value&foo[bar]=stuffs', { allowPrototypes: true }),
++ {
++ foo: {
++ bar: 'stuffs'
++ }
++ },
++ 'hidden values'
++ );
++
++ st.deepEqual(
++ qs.parse('foo[__proto__][hidden]=value&foo[bar]=stuffs', { allowPrototypes: true, plainObjects: true }),
++ {
++ __proto__: null,
++ foo: {
++ __proto__: null,
++ bar: 'stuffs'
++ }
++ },
++ 'hidden values: plain objects'
++ );
++
++ st.end();
++ });
++
+ t.end();
+ });
diff --git a/debian/patches/series b/debian/patches/series
index aa71f6e..d1bf800 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 use-lodash-forEach-in-test.diff
+CVE-2022-24999.patch
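Review bot: The new `else if (cleanRoot !== '__proto__')` branch in lib/parse.js carries no comment saying why this single key is excluded even when the caller passed `allowPrototypes: true`, so a later cleanup could fold it back into a plain `else`; I would add `// never write '__proto__' as a key: on an object with a normal prototype the assignment below replaces [[Prototype]] instead of adding a property (CVE-2022-24999)`. The guard protects only this one `obj[cleanRoot] = leaf` site; the enclosing function starts and ends outside the hunk, so whether other assignment paths in it can be reached with the same key cannot be judged here. The test in test/parse.js labels the expected outcome 'silent [[Prototype]] payload', which matches the fix dropping the key rather than rejecting the input; a one-line comment on the test stating that the silent drop is the intended contract would keep that decision from being read as an oversight.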