From fb22523acc8835dbd91556b7d7b347ce7eb53883 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 24 Mar 2022 15:54:01 +0000
Subject: [PATCH 1/2] Bump minimist from 1.2.5 to 1.2.6

Bumps [minimist](https://github.com/substack/minimist) from 1.2.5 to 1.2.6.
- [Release notes](https://github.com/substack/minimist/releases)
- [Commits](https://github.com/substack/minimist/compare/1.2.5...1.2.6)

---
updated-dependencies:
- dependency-name: minimist
  dependency-type: indirect
...

Signed-off-by: dependabot[bot]
---
 package-lock.json | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 7ac21d42f3..fe6bae80b1 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -3646,8 +3646,9 @@
 }
 },
 "node_modules/minimist": {
- "version": "1.2.5",
- "integrity": "sha512-FM9nNUYrRBAELZQT3xeZQ7fmMOBg6nWNmJKTcgsJeaLstP/UODVpGsr5OhXhhXg6f+qtJ8uiZ+PUxkDWcgIXLw==",
+ "version": "1.2.6",
+ "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.6.tgz",
+ "integrity": "sha512-Jsjnk4bw3YJqYzbdyBiNsPWHPfO++UGG749Cxs6peCu5Xg4nrena6OVxOYxrQTqww0Jmwt+Ref8rggumkTLz9Q==",
 "dev": true
 },
 "node_modules/ms": {
@@ -8003,8 +8004,9 @@
 }
 },
 "minimist": {
- "version": "1.2.5",
- "integrity": "sha512-FM9nNUYrRBAELZQT3xeZQ7fmMOBg6nWNmJKTcgsJeaLstP/UODVpGsr5OhXhhXg6f+qtJ8uiZ+PUxkDWcgIXLw==",
+ "version": "1.2.6",
+ "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.6.tgz",
+ "integrity": "sha512-Jsjnk4bw3YJqYzbdyBiNsPWHPfO++UGG749Cxs6peCu5Xg4nrena6OVxOYxrQTqww0Jmwt+Ref8rggumkTLz9Q==",
 "dev": true
 },
 "ms": {

From ca5ed24270f1f5633fa7d06b4dc8e66ffd077946 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Thu, 24 Mar 2022 16:36:41 +0000
Subject: [PATCH 2/2] Update checked-in dependencies

---
 node_modules/.package-lock.json | 5 +++--
 node_modules/minimist/index.js | 8 ++++++--
 node_modules/minimist/package.json | 2 +-
 node_modules/minimist/readme.markdown | 5 ++++-
 node_modules/minimist/test/proto.js | 16 ++++++++++++++++
 5 files changed, 30 insertions(+), 6 deletions(-)

diff --git a/node_modules/.package-lock.json b/node_modules/.package-lock.json
index d4199afa76..dbe5f7c9b3 100644
--- a/node_modules/.package-lock.json
+++ b/node_modules/.package-lock.json
@@ -3593,8 +3593,9 @@
 }
 },
 "node_modules/minimist": {
- "version": "1.2.5",
- "integrity": "sha512-FM9nNUYrRBAELZQT3xeZQ7fmMOBg6nWNmJKTcgsJeaLstP/UODVpGsr5OhXhhXg6f+qtJ8uiZ+PUxkDWcgIXLw==",
+ "version": "1.2.6",
+ "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.6.tgz",
+ "integrity": "sha512-Jsjnk4bw3YJqYzbdyBiNsPWHPfO++UGG749Cxs6peCu5Xg4nrena6OVxOYxrQTqww0Jmwt+Ref8rggumkTLz9Q==",
 "dev": true
 },
 "node_modules/ms": {
diff --git a/node_modules/minimist/index.js b/node_modules/minimist/index.js
index d2afe5e4d4..d9c3eb79f2 100644
--- a/node_modules/minimist/index.js
+++ b/node_modules/minimist/index.js
@@ -70,7 +70,7 @@ module.exports = function (args, opts) {
 var o = obj;
 for (var i = 0; i < keys.length-1; i++) {
 var key = keys[i];
- if (key === '__proto__') return;
+ if (isConstructorOrProto(o, key)) return;
 if (o[key] === undefined) o[key] = {};
 if (o[key] === Object.prototype || o[key] === Number.prototype
 || o[key] === String.prototype) o[key] = {};
@@ -79,7 +79,7 @@ module.exports = function (args, opts) {
 }
 
 var key = keys[keys.length - 1];
- if (key === '__proto__') return;
+ if (isConstructorOrProto(o, key)) return;
 if (o === Object.prototype || o === Number.prototype
 || o === String.prototype) o = {};
 if (o === Array.prototype) o = [];
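Review bot: The new guard `if (isConstructorOrProto(o, key)) return;` silently discards the whole key path, and neither call site (this hunk and the @@ -79 hunk below it) says why, so a reader has to go find the helper to learn that the early return is the prototype-pollution defence; a one-line comment at each site, e.g. `// refuse to walk through constructor/__proto__: both lead to an object shared with every other caller`, would keep that visible where it matters. The helper is a function declaration added at the very end of the file (the @@ -243 hunk), so these calls depend on hoisting; that is legal but worth a word in the same comment, since the file has no other forward references. The enclosing function whose body these lines belong to starts before the hunk and its signature is not visible here.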
@@ -243,3 +243,7 @@ function isNumber (x) {
 return /^[-+]?(?:\d+(?:\.\d*)?|\.\d+)(e[-+]?\d+)?$/.test(x);
 }
 
+
+function isConstructorOrProto (obj, key) {
+ return key === 'constructor' && typeof obj[key] === 'function' || key === '__proto__';
+}
diff --git a/node_modules/minimist/package.json b/node_modules/minimist/package.json
index c091d41375..c225853352 100644
--- a/node_modules/minimist/package.json
+++ b/node_modules/minimist/package.json
@@ -1,6 +1,6 @@
 {
 "name": "minimist",
- "version": "1.2.5",
+ "version": "1.2.6",
 "description": "parse argument options",
 "main": "index.js",
 "devDependencies": {
diff --git a/node_modules/minimist/readme.markdown b/node_modules/minimist/readme.markdown
index 5fd97ab11e..859d1ab452 100644
--- a/node_modules/minimist/readme.markdown
+++ b/node_modules/minimist/readme.markdown
@@ -34,7 +34,10 @@ $ node example/parse.js -x 3 -y 4 -n5 -abc --beep=boop foo bar baz
 Previous versions had a prototype pollution bug that could cause privilege
 escalation in some circumstances when handling untrusted user input.
 
-Please use version 1.2.3 or later: https://snyk.io/vuln/SNYK-JS-MINIMIST-559764
+Please use version 1.2.6 or later:
+
+* https://security.snyk.io/vuln/SNYK-JS-MINIMIST-2429795 (version <=1.2.5)
+* https://snyk.io/vuln/SNYK-JS-MINIMIST-559764 (version <=1.2.3)
 
 # methods
 
diff --git a/node_modules/minimist/test/proto.js b/node_modules/minimist/test/proto.js
index 8649107ecb..4ac62df264 100644
--- a/node_modules/minimist/test/proto.js
+++ b/node_modules/minimist/test/proto.js
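Review bot: `return key === 'constructor' && typeof obj[key] === 'function' || key === '__proto__';` mixes `&&` and `||` with no parentheses, so the reader must recall precedence to see that the `typeof` test applies only to the `constructor` branch; `return (key === 'constructor' && typeof obj[key] === 'function') || key === '__proto__';` says the same thing without the puzzle. This helper is now the single place the library's prototype-pollution defence lives, and it carries no comment; a JSDoc such as `/** True when stepping from obj through key would land on a prototype object: '__proto__' always, 'constructor' only when it resolves to a function (whose .prototype is shared). */` would record the intent that the two new tests in test/proto.js encode. The decision is made purely from the two key names, and `obj[key]` is only inspected for `constructor`; if that narrow scope is deliberate, the comment should say so, because the `if (o[key] === undefined) o[key] = {};` path at the call sites otherwise walks into whatever `o[key]` already holds.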
@@ -42,3 +42,19 @@ test('proto pollution (constructor)', function (t) {
 t.equal(argv.y, undefined);
 t.end();
 });
+
+test('proto pollution (constructor function)', function (t) {
+ var argv = parse(['--_.concat.constructor.prototype.y', '123']);
+ function fnToBeTested() {}
+ t.equal(fnToBeTested.y, undefined);
+ t.equal(argv.y, undefined);
+ t.end();
+});
+
+// powered by snyk - https://github.com/backstage/backstage/issues/10343
+test('proto pollution (constructor function) snyk', function (t) {
+ var argv = parse('--_.constructor.constructor.prototype.foo bar'.split(' '));
+ t.equal((function(){}).foo, undefined);
+ t.equal(argv.y, undefined);
+ t.end();
+})
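Review bot: In the second added test, `t.equal(argv.y, undefined);` asserts on a key the input never names, so it passes regardless of what the parser did; the key that argument path ends in is `foo`, so the line looks copied from the test above it and should read `t.equal(argv.foo, undefined);`. The real guard in that test is `t.equal((function(){}).foo, undefined);`, which is the right check for a Function.prototype write and could be used in the first added test too instead of declaring `fnToBeTested` only to read `.y` off it. The final `})` drops the semicolon every other `test(...)` call in this hunk ends with; make it `});`. The `// powered by snyk - …` line would be more useful as a plain provenance note, e.g. `// regression test for the report tracked in backstage/backstage#10343`.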