
Bug#969366: buster-pu: package node-url-parse/1.2.0-2+deb10u1



Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
Insufficient validation and sanitization of user input exists in url-parse
npm package version 1.4.4 and earlier may allow attacker to bypass security
checks.

[ Impact ]
Medium security risk

[ Tests ]
Upstream test related to this vulnerability is included in patch. I ran
both build & autopkgtest tests

[ Risks ]
Low risk: tests cover all features including the CVE fix; the change only trims
leading whitespace to prevent unsanitized input from generating false positives

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
1. "mocha" was missing in build dependencies, causing test failures
2. the upstream fix adds security checks without modifying algorithm

Cheers,
Xavier
diff --git a/debian/changelog b/debian/changelog
index 04127dd..ee819f8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+node-url-parse (1.2.0-2+deb10u1) buster; urgency=medium
+
+  * Add missing test dependency: mocha
+  * Fix insufficient validation and sanitization of user input
+    (Closes: CVE-2020-8124)
+
+ -- Xavier Guimard <yadd@debian.org>  Tue, 01 Sep 2020 12:55:09 +0200
+
 node-url-parse (1.2.0-2) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/control b/debian/control
index 2c683c6..8433ca7 100644
--- a/debian/control
+++ b/debian/control
@@ -7,6 +7,7 @@ Testsuite: autopkgtest-pkg-nodejs
 Build-Depends:
  debhelper (>= 9)
  , dh-buildinfo
+ , mocha <!nocheck>
  , nodejs
  , webpack
  , node-deep-eql <!nocheck>
diff --git a/debian/patches/CVE-2020-8124.diff b/debian/patches/CVE-2020-8124.diff
new file mode 100644
index 0000000..129c377
--- /dev/null
+++ b/debian/patches/CVE-2020-8124.diff
@@ -0,0 +1,93 @@
+Description: Fix CVE 2020-8124
+ Insufficient validation and sanitization of user input exists in url-parse
+ npm package version 1.4.4 and earlier may allow attacker to bypass security
+ checks.
+Author: Arnout Kazemier <info@3rd-Eden.com>
+Origin: upstream, https://github.com/unshiftio/url-parse/commit/3ecd256f
+Bug: https://hackerone.com/reports/496293
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <yadd@debian.org>
+Last-Update: 2020-09-01
+
+--- a/index.js
++++ b/index.js
+@@ -2,8 +2,20 @@
+ 
+ var required = require('requires-port')
+   , qs = require('querystringify')
++  , slashes = /^[A-Za-z][A-Za-z0-9+-.]*:\/\//
+   , protocolre = /^([a-z][a-z0-9.+-]*:)?(\/\/)?([\S\s]*)/i
+-  , slashes = /^[A-Za-z][A-Za-z0-9+-.]*:\/\//;
++  , whitespace = '[\\x09\\x0A\\x0B\\x0C\\x0D\\x20\\xA0\\u1680\\u180E\\u2000\\u2001\\u2002\\u2003\\u2004\\u2005\\u2006\\u2007\\u2008\\u2009\\u200A\\u202F\\u205F\\u3000\\u2028\\u2029\\uFEFF]'
++  , left = new RegExp('^'+ whitespace +'+');
++
++/**
++ * Trim a given string.
++ *
++ * @param {String} str String to trim.
++ * @public
++ */
++function trimLeft(str) {
++  return (str || '').replace(left, '');
++}
+ 
+ /**
+  * These are the parse rules for the URL parser, it informs the parser
+@@ -94,6 +106,7 @@
+  * @api private
+  */
+ function extractProtocol(address) {
++  address = trimLeft(address);
+   var match = protocolre.exec(address);
+ 
+   return {
+@@ -149,6 +162,8 @@
+  * @api public
+  */
+ function URL(address, location, parser) {
++  address = trimLeft(address);
++
+   if (!(this instanceof URL)) {
+     return new URL(address, location, parser);
+   }
+@@ -414,6 +429,7 @@
+ //
+ URL.extractProtocol = extractProtocol;
+ URL.location = lolcation;
++URL.trimLeft = trimLeft;
+ URL.qs = qs;
+ 
+ module.exports = URL;
+--- a/test/test.js
++++ b/test/test.js
+@@ -31,6 +31,14 @@
+ 
+   describe('extractProtocol', function () {
+     it('extracts the protocol data', function () {
++      assume(parse.extractProtocol('http://example.com')).eql({
++        slashes: true,
++        protocol: 'http:',
++        rest: 'example.com'
++      });
++    });
++
++    it('extracts the protocol data for nothing', function () {
+       assume(parse.extractProtocol('')).eql({
+         slashes: false,
+         protocol: '',
+@@ -49,6 +57,15 @@
+     });
+   });
+ 
++
++  it('trimsLeft', function () {
++    assume(parse.extractProtocol(' javascript://foo')).eql({
++      slashes: true,
++      protocol: 'javascript:',
++      rest: 'foo'
++    });
++  });
++
+   it('parses the query string into an object', function () {
+     var url = 'http://google.com/?foo=bar'
+       , data = parse(url, true);
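Review bot: The docstring on the new `trimLeft` says "Trim a given string." but the function only strips leading characters matching `whitespace` and silently coerces null/undefined to `''`; I would document that contract, e.g. `* Strip leading whitespace (including NBSP, Unicode spaces and BOM) from a string; nullish input yields ''.` The added 'trimsLeft' test only exercises `extractProtocol`, while the trim added at the top of `URL()` is never asserted directly — a companion assertion such as `assume(parse(' javascript://foo').protocol).equals('javascript:');` would pin that path too. In `URL()` the trim runs before the `instanceof` guard, so the `new URL(address, ...)` re-entry trims the already-trimmed string a second time; harmless, but moving the assignment below the guard would avoid the redundant work. Note that `trimLeft` only handles the leading side; whether the same characters need stripping elsewhere in the scheme is not addressed by this patch and is worth confirming against the parser's callers. The bodies of `extractProtocol` and `URL` continue outside the hunk.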
diff --git a/debian/patches/series b/debian/patches/series
index 1ae99bc..c24e259 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 CVE-2018-3774.diff
+CVE-2020-8124.diff
