From 38fe287b958204d92a0353e369511120e38c625c Mon Sep 17 00:00:00 2001
From: Peter Somogyvari
Date: Mon, 28 Mar 2022 13:33:20 -0700
Subject: [PATCH] fix(security): ensure node-forge > 1.3.0 for CVE-2022-24772

This is a temporary fix until our direct dependencies get patched which we can update for ourselves. In the meantime this will force the (currently considered) secure versions of node-forge to be used.

Fixes #1947

Signed-off-by: Peter Somogyvari
---
 package.json | 1 +
 packages/cactus-cmd-api-server/package.json | 4 +-
 yarn.lock | 34 ++++++++-------------
 3 files changed, 15 insertions(+), 24 deletions(-)

diff --git a/package.json b/package.json
index 0787723dc4..b3528f661b 100644
--- a/package.json
+++ b/package.json
@@ -147,6 +147,7 @@
     "glob-parent": "5.1.2",
     "lodash": "4.17.20",
     "minimist": ">=1.2.6",
+    "node-forge": ">=1.3.0",
     "underscore": "1.13.2"
   }
 }
\ No newline at end of file
diff --git a/packages/cactus-cmd-api-server/package.json b/packages/cactus-cmd-api-server/package.json
index f659f4cc50..261f2150c0 100644
--- a/packages/cactus-cmd-api-server/package.json
+++ b/packages/cactus-cmd-api-server/package.json
@@ -79,7 +79,7 @@
     "google-protobuf": "3.18.0-rc.2",
     "jose": "4.1.0",
     "lmify": "0.3.0",
-    "node-forge": "1.0.0",
+    "node-forge": "1.3.0",
     "prom-client": "13.2.0",
     "run-time-error": "1.4.0",
     "rxjs": "7.3.0",
@@ -101,7 +101,7 @@
     "@types/google-protobuf": "3.15.5",
     "@types/jsonwebtoken": "8.5.4",
     "@types/multer": "1.4.7",
-    "@types/node-forge": "0.10.2",
+    "@types/node-forge": "1.0.1",
     "@types/passport": "1.0.7",
     "@types/passport-oauth2": "1.4.11",
     "@types/passport-saml": "1.1.3",
diff --git a/yarn.lock b/yarn.lock
index c5f97f8a3c..47082d9b6e 100644
--- a/yarn.lock
+++ b/yarn.lock
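Review bot: The added resolution `"node-forge": ">=1.3.0"` has no upper bound, so a later lockfile refresh may satisfy it with any future major release of node-forge, which could change the API that packages/cactus-cmd-api-server compiles against without anyone touching this file; the neighbouring glob-parent, lodash and underscore resolutions pin exact versions (only minimist uses the same open-range style). Since the commit message itself describes this as a temporary measure, `"node-forge": "1.3.0"` would match the exact pin made in packages/cactus-cmd-api-server/package.json and the single 1.3.0 entry in yarn.lock, or `"^1.3.0"` if transitive consumers on 0.10.x are expected to need newer patch releases. The subject line says "> 1.3.0" while the constraint actually enforced is ">=1.3.0" and the lockfile resolves to 1.3.0 itself; wording it as ">= 1.3.0" would avoid implying that 1.3.0 is excluded.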
@@ -4470,10 +4470,10 @@
     "@types/node" "*"
     form-data "^3.0.0"
-"@types/node-forge@0.10.2":
-  version "0.10.2"
-  resolved "https://registry.yarnpkg.com/@types/node-forge/-/node-forge-0.10.2.tgz#03093c4e3f1150c11c2222aa86848e5c753fe1dd"
-  integrity sha512-nEWO3mkJ1j7eGxGUu32jaGFJj+YSvUt/zG4sEAXbUDbjkQMf9u98Bf3peC4oGFR3zA1n3M3KaXcw6xQyZpl5jg==
+"@types/node-forge@1.0.1":
+  version "1.0.1"
+  resolved "https://registry.yarnpkg.com/@types/node-forge/-/node-forge-1.0.1.tgz#0df103639da9d5ec6a708d462020f0df70679f37"
+  integrity sha512-96ELNKv9tQJ19afdBUiM5iDw7OYEc53iUc51gAPR2aGaqRsO1DBROjqgZRjZa1tkPj7TnEOR0EnyAX6iryGkzA==
   dependencies:
     "@types/node" "*"
@@ -16064,10 +16064,10 @@ minimist-options@4.1.0:
     is-plain-obj "^1.1.0"
     kind-of "^6.0.3"
-minimist@^1.2.0, minimist@^1.2.3, minimist@^1.2.5:
-  version "1.2.5"
-  resolved "https://registry.yarnpkg.com/minimist/-/minimist-1.2.5.tgz#67d66014b66a6a8aaa0c083c5fd58df4e4e97602"
-  integrity sha512-FM9nNUYrRBAELZQT3xeZQ7fmMOBg6nWNmJKTcgsJeaLstP/UODVpGsr5OhXhhXg6f+qtJ8uiZ+PUxkDWcgIXLw==
+minimist@>=1.2.6, minimist@^1.2.0, minimist@^1.2.3, minimist@^1.2.5:
+  version "1.2.6"
+  resolved "https://registry.yarnpkg.com/minimist/-/minimist-1.2.6.tgz#8637a5b759ea0d6e98702cfb3a9283323c93af44"
+  integrity sha512-Jsjnk4bw3YJqYzbdyBiNsPWHPfO++UGG749Cxs6peCu5Xg4nrena6OVxOYxrQTqww0Jmwt+Ref8rggumkTLz9Q==
 minipass-collect@^1.0.2:
   version "1.0.2"
@@ -16622,20 +16622,10 @@ node-fetch@^2.6.0, node-fetch@^2.6.1, node-fetch@^2.6.5, node-fetch@^2.6.7:
   version "2.6.7"
   resolved "https://registry.npmjs.org/@achingbrain/node-fetch/-/node-fetch-2.6.7.tgz#1b5d62978f2ed07b99444f64f0df39f960a6d34d"
-node-forge@1.0.0:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/node-forge/-/node-forge-1.0.0.tgz#a025e3beeeb90d9cee37dae34d25b968ec3e6f15"
-  integrity sha512-ShkiiAlzSsgH1IwGlA0jybk9vQTIOLyJ9nBd0JTuP+nzADJFLY0NoDijM2zvD/JaezooGu3G2p2FNxOAK6459g==
-
-node-forge@^0.10.0:
-  version "0.10.0"
-  resolved "https://registry.yarnpkg.com/node-forge/-/node-forge-0.10.0.tgz#32dea2afb3e9926f02ee5ce8794902691a676bf3"
-  integrity sha512-PPmu8eEeG9saEUvI97fm4OYxXVB6bFvyNTyiUOBichBpFG8A1Ljw3bY62+5oOjDEMHRnd0Y7HQ+x7uzxOzC6JA==
-
-node-forge@^1.0.0:
-  version "1.2.1"
-  resolved "https://registry.yarnpkg.com/node-forge/-/node-forge-1.2.1.tgz#82794919071ef2eb5c509293325cec8afd0fd53c"
-  integrity sha512-Fcvtbb+zBcZXbTTVwqGA5W+MKBj56UjVRevvchv5XrcyXbmNdesfZL37nlcWOfpgHhgmxApw3tQbTr4CqNmX4w==
+node-forge@1.3.0, node-forge@>=1.3.0, node-forge@^0.10.0, node-forge@^1.0.0:
+  version "1.3.0"
+  resolved "https://registry.yarnpkg.com/node-forge/-/node-forge-1.3.0.tgz#37a874ea723855f37db091e6c186e5b67a01d4b2"
+  integrity sha512-08ARB91bUi6zNKzVmaj3QO7cr397uiDT2nJ63cHjyNtCTWIgvS47j3eT0WfzUwS9+6Z5YshRaoasFkXCKrIYbA==
 node-gyp-build@^4.2.0, node-gyp-build@^4.2.2, node-gyp-build@^4.3.0:
   version "4.3.0"