From 3bd68617ca86cfbeb9da0115f03d8aeb3395f9d5 Mon Sep 17 00:00:00 2001
From: Paolo Greppi
Date: Fri, 10 Aug 2018 12:53:33 +0200
Subject: [PATCH 1/5] use fs.lchown rather than fs.chown and thereby fix #14 fixes the symlinks problem #3 while not causing the TOCTOU vulnerability #14 The [patch in libuv 1.21.0](https://github.com/libuv/libuv/releases/tag/v1.21.0) that undeprecates `fs.lchown` [has been incorporated in nodejs Version 10.6.0](https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V10.md#2018-07-04-version-1060-current-targos). So I specified the minimum nodejs version in `package.json` with the `engine` key: https://docs.npmjs.com/files/package.json#engines
---
 chownr.js | 11 ++---------
 package.json | 3 ++-
 2 files changed, 4 insertions(+), 10 deletions(-)
diff --git a/chownr.js b/chownr.js
index ecd7b45..8112967 100644
--- a/chownr.js
+++ b/chownr.js
@@ -15,19 +15,12 @@ function chownr (p, uid, gid, cb) {
 , errState = null
 children.forEach(function (child) {
 var pathChild = path.resolve(p, child);
- fs.lstat(pathChild, function(er, stats) {
- if (er)
- return cb(er)
- if (!stats.isSymbolicLink())
- chownr(pathChild, uid, gid, then)
- else
- then()
- })
+ chownr(pathChild, uid, gid, then)
 })
 function then (er) {
 if (errState) return
 if (er) return cb(errState = er)
- if (-- len === 0) return fs.chown(p, uid, gid, cb)
+ if (-- len === 0) return fs.lchown(p, uid, gid, cb)
 }
 })
 }
diff --git a/package.json b/package.json
index 6b31a60..582f172 100644
--- a/package.json
+++ b/package.json
@@ -19,5 +19,6 @@
 "scripts": {
 "test": "tap test/*.js"
 },
- "license": "ISC"
+ "license": "ISC",
+ "engines": { "node" : ">=10.6.0" }
 }
From fbc1254d62bdadbe353120df06ad5c70834f8a64 Mon Sep 17 00:00:00 2001
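Review bot: With the lstat guard removed, `chownr(pathChild, uid, gid, then)` recurses into every child including symbolic links, and the directory listing at the top of chownr (outside this hunk, presumably `fs.readdir`) follows a link that points at a directory. The walk would then descend into the link target and `lchown` entries outside the tree being processed, so changing the final call to `fs.lchown` does not by itself cover the symlink case from #3. I would keep an `lstat` per child, recurse only when `stats.isDirectory()`, and `lchown` everything else in place, as sketched below; a directory swapped for a link between the `lstat` and the listing is still a window, so this narrows the race rather than closing it. Any `fs.chown` call that remains earlier in the function, which this hunk does not show, would need the same switch.

```javascript
children.forEach(function (child) {
  var pathChild = path.resolve(p, child);
  fs.lstat(pathChild, function (er, stats) {
    // route the error through then() so cb fires only once
    if (er) return then(er)
    // only real directories are walked; links and files are changed in place
    if (stats.isDirectory()) return chownr(pathChild, uid, gid, then)
    fs.lchown(pathChild, uid, gid, then)
  })
})
// … unchanged: then() with the final fs.lchown(p, uid, gid, cb) …
```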
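Review bot: The `"engines"` entry is only advisory under npm's default settings (a warning unless engine-strict is enabled), so a consumer on an older Node can still install this version. On such a runtime `fs.lchown` may be missing, in which case the new call in chownr.js would fail part-way through a walk and leave the tree partially changed. A load-time check in chownr.js such as `if (typeof fs.lchown !== 'function') throw new Error('chownr requires fs.lchown')` would make the requirement explicit instead of relying on the install warning.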
From: Paolo Greppi
Date: Fri, 10 Aug 2018 17:36:05 +0200
Subject: [PATCH 2/5] update travis to match the supported nodejs version see: https://docs.travis-ci.com/user/languages/javascript-with-nodejs/#specifying-nodejs-versions in the process: - update that list to match the maintained Node versions see: https://github.com/nodejs/Release#release-schedule - remove the constraint on the npm version (I dont' see why the default npm would not work)
---
 .travis.yml | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/.travis.yml b/.travis.yml
index e1bcee1..fe70e58 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,7 +1,3 @@
 language: node_js
-before_script: npm install -g npm@latest
 node_js:
- - '0.8'
- - '0.10'
- - '0.12'
- - 'iojs'
+ - '10.6.0'
From 0cdeb997e1f487a502d6f8775f4dbc66c2abb062 Mon Sep 17 00:00:00 2001
From: Paolo Greppi
Date: Sat, 11 Aug 2018 14:03:24 +0200
Subject: [PATCH 3/5] update travis to use a docker image with node 10.8 preinstalled references: - https://www.jeffgeerling.com/blog/2018/how-i-test-ansible-configuration-on-7-different-oses-docker - https://hub.docker.com/_/node/
---
 .travis.yml | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)
diff --git a/.travis.yml b/.travis.yml
index fe70e58..7f6124d 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,3 +1,20 @@
+---
 language: node_js
-node_js:
- - '10.6.0'
+
+sudo: required
+
+services:
+ - docker
+
+before_install:
+ - 'docker pull node/10.8.0-stretch'
+
+script:
+ - container_id=$(mktemp)
+ - 'docker run --detach --volume="${PWD}":/root/chownr:rw --privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro node/10.8.0-stretch /lib/systemd/systemd > "${container_id}"'
+ - 'docker exec --tty "$(cat ${container_id})" df -h'
+ - 'docker exec --tty "$(cat ${container_id})" nodejs -v'
+ - 'docker exec --tty "$(cat ${container_id})" yarnpkg -v'
+ - 'docker exec --tty "$(cat ${container_id})" npm -v'
+ - 'docker exec --tty "$(cat ${container_id})" -w /root/chownr yarnpkg install'
+ - 'docker exec --tty "$(cat ${container_id})" -w /root/chownr tap test/*.js'
From ddf0a825529fc45ca89a3676e8f18ad668edb713 Mon Sep 17 00:00:00 2001
From: Paolo Greppi
Date: Sat, 11 Aug 2018 15:04:47 +0200
Subject: [PATCH 4/5] fix docker/travis config
---
 .travis.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/.travis.yml b/.travis.yml
index 7f6124d..f687b55 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,5 +1,5 @@
 ---
-language: node_js
+language: generic
 
 sudo: required
 
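Review bot: The `docker run` line starts the test container with `--privileged` and mounts the checkout read-write, so the `yarnpkg install` lifecycle scripts and the test suite run as root with most container isolation switched off. Nothing visible in this job needs that: the tests presumably only need root inside the container to change ownership, and Docker's default capability set already includes CAP_CHOWN. I would drop `--privileged` and the `--volume=/sys/fs/cgroup:/sys/fs/cgroup:ro` mount, which looks useful only for the systemd entrypoint. The same two flags are carried into the rewritten `docker run` line in PATCH 4/5, after systemd is no longer started.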
@@ -7,14 +7,14 @@ services:
 - docker
 
 before_install:
- - 'docker pull node/10.8.0-stretch'
+ - 'docker pull node:10.8.0-stretch'
 
 script:
 - container_id=$(mktemp)
- - 'docker run --detach --volume="${PWD}":/root/chownr:rw --privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro node/10.8.0-stretch /lib/systemd/systemd > "${container_id}"'
+ - 'docker run --rm --detach --tty --init --volume="${PWD}":/root/chownr:rw --privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro node:10.8.0-stretch > "${container_id}"'
 - 'docker exec --tty "$(cat ${container_id})" df -h'
 - 'docker exec --tty "$(cat ${container_id})" nodejs -v'
 - 'docker exec --tty "$(cat ${container_id})" yarnpkg -v'
 - 'docker exec --tty "$(cat ${container_id})" npm -v'
- - 'docker exec --tty "$(cat ${container_id})" -w /root/chownr yarnpkg install'
- - 'docker exec --tty "$(cat ${container_id})" -w /root/chownr tap test/*.js'
+ - 'docker exec --tty -w /root/chownr "$(cat ${container_id})" yarnpkg install'
+ - 'docker exec --tty -w /root/chownr "$(cat ${container_id})" node_modules/tap/bin/run.js -Rspec test/*.js'
From 63409f9c7ee9f8ed76da6aa1e7d5133f71399b1d Mon Sep 17 00:00:00 2001
From: Paolo Greppi
Date: Sat, 11 Aug 2018 15:14:25 +0200
Subject: [PATCH 5/5] docker unknown shorthand flag -w
---
 .travis.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/.travis.yml b/.travis.yml
index f687b55..f8db8a0 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -7,6 +7,7 @@ services:
 - docker
 
 before_install:
+ - 'docker -v'
 - 'docker pull node:10.8.0-stretch'
 
 script:
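Review bot: The corrected `docker pull node:10.8.0-stretch` and the matching `docker run` line reference the image by tag only, and a tag can be repointed at the registry. Because this container runs with `--privileged` and the repository mounted read-write, what executes in CI is worth fixing to a known image. Pinning by digest on both lines would do that, e.g. `docker pull node:10.8.0-stretch@sha256:<digest>`, where `<digest>` is a placeholder to be filled from a verified pull.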
@@ -16,5 +17,5 @@ script:
 - 'docker exec --tty "$(cat ${container_id})" nodejs -v'
 - 'docker exec --tty "$(cat ${container_id})" yarnpkg -v'
 - 'docker exec --tty "$(cat ${container_id})" npm -v'
- - 'docker exec --tty -w /root/chownr "$(cat ${container_id})" yarnpkg install'
- - 'docker exec --tty -w /root/chownr "$(cat ${container_id})" node_modules/tap/bin/run.js -Rspec test/*.js'
+ - 'docker exec --tty "$(cat ${container_id})" /bin/sh -c "cd /root/chownr && yarnpkg install"'
+ - 'docker exec --tty "$(cat ${container_id})" /bin/sh -c "cd /root/chownr && node_modules/tap/bin/run.js -Rspec test/*.js"'