Version in base suite: 2.0.2-4
Base version: node-dottie_2.0.2-4
Target version: node-dottie_2.0.2-4+deb12u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/n/node-dottie/node-dottie_2.0.2-4.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/n/node-dottie/node-dottie_2.0.2-4+deb12u1.dsc
changelog | 7 +++
patches/CVE-2023-26132.patch | 76 +++++++++++++++++++++++++++++++++++++++++++
patches/series | 1
3 files changed, 84 insertions(+)
diff -Nru node-dottie-2.0.2/debian/changelog node-dottie-2.0.2/debian/changelog
--- node-dottie-2.0.2/debian/changelog 2021-11-01 10:55:39.000000000 +0000
+++ node-dottie-2.0.2/debian/changelog 2023-07-09 04:43:00.000000000 +0000
@@ -1,3 +1,10 @@
+node-dottie (2.0.2-4+deb12u1) bookworm; urgency=medium
+
+ * Team upload
+ * Fix prototype pollution (Closes: #1040592, CVE-2023-26132)
+
+ -- Yadd Sun, 09 Jul 2023 08:43:00 +0400
+
 node-dottie (2.0.2-4) unstable; urgency=medium
 
 * Team upload
diff -Nru node-dottie-2.0.2/debian/patches/CVE-2023-26132.patch node-dottie-2.0.2/debian/patches/CVE-2023-26132.patch
--- node-dottie-2.0.2/debian/patches/CVE-2023-26132.patch 1970-01-01 00:00:00.000000000 +0000
+++ node-dottie-2.0.2/debian/patches/CVE-2023-26132.patch 2023-07-09 04:43:00.000000000 +0000
@@ -0,0 +1,76 @@
+Description: rudimentary __proto__ guarding
+Author: Mick Hansen
+Origin: upstream, https://github.com/mickhansen/dottie.js/commit/7d3aee1c
+Bug: https://security.snyk.io/vuln/SNYK-JS-DOTTIE-3332763
+Bug-Debian: https://bugs.debian.org/1040592
+Forwarded: not-needed
+Applied-Upstream: 2.0.6, commit:7d3aee1c
+Reviewed-By: Yadd
+Last-Update: 2023-07-09
+
+--- a/README.md
++++ b/README.md
+@@ -42,6 +42,8 @@
+ });
+ ```
+ 
++If you accept arbitrary/user-defined paths to `set` you should call `Object.preventExtensions(values)` first to guard against potential pollution.
++
+ ### Transform object
+ Transform object from keys with dottie notation to nested objects
+ 
+--- a/dottie.js
++++ b/dottie.js
+@@ -72,6 +72,7 @@
+ // Set nested value
+ Dottie.set = function(object, path, value, options) {
+ var pieces = Array.isArray(path) ? path : path.split('.'), current = object, piece, length = pieces.length;
++ if (pieces[0] === '__proto__') return;
+ 
+ if (typeof current !== 'object') {
+ throw new Error('Parent is not an object.');
+@@ -137,6 +138,9 @@
+ 
+ if (key.indexOf(options.delimiter) !== -1) {
+ pieces = key.split(options.delimiter);
++
++ if (pieces[0] === '__proto__') break;
++
+ piecesLength = pieces.length;
+ current = transformed;
+ 
+--- a/test/set.test.js
++++ b/test/set.test.js
+@@ -45,4 +45,12 @@
+ });
+ expect(data.foo.bar.baz).to.equal('someValue');
+ });
++
++ it('should not attempt to set __proto__', function () {
++ var data = {};
++
++ dottie.set(data, '__proto__.pollution', 'polluted');
++
++ expect(data.__proto__.pollution).to.be.undefined;
++ });
+ });
+\ No newline at end of file
+--- a/test/transform.test.js
++++ b/test/transform.test.js
+@@ -145,4 +145,16 @@
+ expect(transformed.user.location.city).to.equal('Zanzibar City');
+ expect(transformed.project.title).to.equal('dottie');
+ });
++
++ it("should guard against prototype pollution", function () {
++ var values = {
++ 'user.name': 'John Doe',
++ '__proto__.pollution': 'pollution'
++ };
++
++ var transformed = dottie.transform(values);
++ expect(transformed.user).not.to.equal(undefined);
++ expect(transformed.user.name).to.equal('John Doe');
++ expect(transformed.__proto__.pollution).to.be.undefined;
++ });
+ });
diff -Nru node-dottie-2.0.2/debian/patches/series node-dottie-2.0.2/debian/patches/series
--- node-dottie-2.0.2/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ node-dottie-2.0.2/debian/patches/series 2023-07-09 04:43:00.000000000 +0000
@@ -0,0 +1 @@
+CVE-2023-26132.patch
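Review bot: The guard added to Dottie.set checks only `pieces[0]`, so a path whose `__proto__` (or `constructor`/`prototype`) segment is not the first one is still handed to the segment-walking code below the hunk, and the new set.test.js case only exercises the first-segment form. A check over the whole path, e.g. `if (pieces.indexOf('__proto__') !== -1 || pieces.indexOf('constructor') !== -1 || pieces.indexOf('prototype') !== -1) return;`, closes that gap without changing the interface. The same first-segment-only check is used in Dottie.transform, where it is followed by `break`; if the enclosing statement (outside the hunk) is the loop over the input keys, that silently drops every key after the offending one rather than just that key, whereas `continue` would skip only the offending key and keep the transform.test.js expectation for `user.name` independent of key order. Both Dottie.set and Dottie.transform start or end outside the hunk.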