From 500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Krist=C3=B3f=20Hauser?=
Date: Thu, 22 Aug 2024 15:17:38 +0200
Subject: [PATCH 1/7] feat: backported CVE fix from 4.0.6 over to 4.0.7 - 4.0.6 breaks API compatibility
---
 index.js | 12 ++++++++++--
 test/braces.js | 18 +++++++++++++++++-
 2 files changed, 27 insertions(+), 3 deletions(-)
diff --git a/index.js b/index.js
index 1fad7f72..6acbc63a 100644
--- a/index.js
+++ b/index.js
@@ -4,8 +4,14 @@
 const util = require('util');
 const braces = require('braces');
 const picomatch = require('picomatch');
 const utils = require('picomatch/lib/utils');
-const isEmptyString = val => val === '' || val === './';
+const isEmptyString = (v) => v === "" || v === "./";
+const isObject = (v) =>
+  v !== null && typeof v === "object" && !Array.isArray(v);
+const hasBraces = (v) => {
+  const index = v.indexOf("{");
+  return index > -1 && v.indexOf("}", index) > -1;
+};
 /**
  * Returns an array of strings that match one or more glob patterns.
  *
@@ -445,7 +451,7 @@ micromatch.parse = (patterns, options) => {
 micromatch.braces = (pattern, options) => {
   if (typeof pattern !== 'string') throw new TypeError('Expected a string');
-  if ((options && options.nobrace === true) || !/\{.*\}/.test(pattern)) {
+  if ((options && options.nobrace === true) || !hasBraces(pattern)) {
     return [pattern];
   }
   return braces(pattern, options);
@@ -464,4 +470,6 @@ micromatch.braceExpand = (pattern, options) => {
  * Expose micromatch
  */
+// exposed for tests
+micromatch.hasBraces = hasBraces;
 module.exports = micromatch;
diff --git a/test/braces.js b/test/braces.js
index f70f5595..7971b167 100644
--- a/test/braces.js
+++ b/test/braces.js
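Review bot: The new `hasBraces` helper in the `@@ -4,8` hunk carries no documentation, and its semantics differ slightly from the `/\{.*\}/` test it replaces: `.` never matches a newline, whereas `indexOf` finds a `}` on any later line, so a pattern containing `{`, a newline and `}` now reaches `braces()` where it previously did not — probably harmless for glob input, but it deserves a comment. Add a JSDoc above it, e.g. `/** Linear-time check that a "{" is followed later by a "}"; replaces the regex test fixed for CVE-2024-4067. */`. The hunk also rewrites the unrelated `isEmptyString` line and introduces double quotes and `(v) =>` where the rest of the file visible here uses single quotes (`require('util')`, `'Expected a string'`); a backport meant to be minimal should leave `isEmptyString` untouched and write the helper in the file's style, `const index = v.indexOf('{');`.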
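Review bot: In the `@@ -445,7` hunk `micromatch.braces` now gates expansion with the linear `hasBraces(pattern)` check, but the line below it still hands the pattern to the `braces` package unchanged, and nothing in this series touches that dependency (the diffstat lists only index.js and test/braces.js). The CHANGELOG text added in PATCH 7 says 4.0.7 updated braces to v3.0.3 for CVE-2024-4068; that pin lives in package.json and should be confirmed on the 4.x branch separately, since the guard here only limits what reaches `braces()`, not what `braces()` does with it. The body of `micromatch.braces` ends outside the hunk.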
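Review bot: `micromatch.hasBraces = hasBraces;` in the `@@ -464,4` hunk adds a new public export, so the `// exposed for tests` comment understates its effect: anything that requires micromatch can call it, and unlike `micromatch.braces` two hunks up it has no `typeof pattern !== 'string'` guard, so a non-string argument fails inside `indexOf` with an unhelpful TypeError. Either export a checked wrapper, `micromatch.hasBraces = (pattern) => { if (typeof pattern !== 'string') throw new TypeError('Expected a string'); return hasBraces(pattern); };`, or replace the comment with a JSDoc that states the contract (`@param {string} pattern`, `@returns {boolean}`) so the export is documented like the rest of the API.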
@@ -2,9 +2,25 @@
 const assert = require('assert');
 const mm = require('..');
-const { isMatch, makeRe } = mm;
+const { isMatch, hasBraces } = mm;
 describe('braces', () => {
+  it("should return true when braces are found", () => {
+    assert.equal(hasBraces("{foo}"), true);
+    assert.equal(hasBraces("foo}"), false);
+    assert.equal(hasBraces("{foo"), false);
+    assert.equal(hasBraces("a{}b"), true);
+    assert.equal(hasBraces("abc {foo} xyz"), true);
+    assert.equal(hasBraces("abc {foo xyz"), false);
+    assert.equal(hasBraces("abc {foo} xyz"), true);
+    assert.equal(hasBraces("abc foo} xyz"), false);
+    assert.equal(hasBraces("abc foo xyz"), false);
+    assert.equal(hasBraces("abc {foo} xyz {bar} pqr"), true);
+    assert.equal(hasBraces("abc {foo xyz {bar} pqr"), true);
+    assert.equal(hasBraces("abc foo} xyz {bar pqr"), false);
+  });
+
+
   it('should handle extglobs in braces', () => {
     let fixtures = ['a', 'b', 'c', 'd', 'ab', 'ac', 'ad', 'bc', 'cb', 'bc,d', 'c,db', 'c,d', 'd)', '(b|c', '*(b|c', 'b|c', 'b|cc', 'cb|c', 'x(a|b|c)', 'x(a|c)', '(a|b|c)', '(a|c)'];
From 293fd9e7d8e88d92acc589d3b1b265e60347be0c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Krist=C3=B3f=20Hauser?=
Date: Thu, 22 Aug 2024 15:43:21 +0200
Subject: [PATCH 2/7] fix: removed unused isObject function
---
 index.js | 2 --
 1 file changed, 2 deletions(-)
diff --git a/index.js b/index.js
index 6acbc63a..d449be13 100644
--- a/index.js
+++ b/index.js
@@ -6,8 +6,6 @@
 const picomatch = require('picomatch');
 const utils = require('picomatch/lib/utils');
 const isEmptyString = (v) => v === "" || v === "./";
-const isObject = (v) =>
-  v !== null && typeof v === "object" && !Array.isArray(v);
 const hasBraces = (v) => {
   const index = v.indexOf("{");
   return index > -1 && v.indexOf("}", index) > -1;
From 1406ea38f3e24b29f4d4f46908d5cffcb3e6c4ce Mon Sep 17 00:00:00 2001
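Review bot: The import line drops `makeRe` from the destructuring (`-const { isMatch, makeRe } = mm;`); if `makeRe` is still referenced further down test/braces.js, which this hunk does not show, that test will fail with a ReferenceError, so unless it was unused keep it: `const { isMatch, makeRe, hasBraces } = mm;`. The new `it` block asserts both true and false results, so its title `"should return true when braces are found"` is misleading — `'should report whether a pattern contains a matched brace pair'` fits — and it repeats `assert.equal(hasBraces("abc {foo} xyz"), true);` twice while using double quotes where the file uses single ones. The two blank `+` lines before the existing `it('should handle extglobs in braces')` leave a double blank line. Since this is the regression test for the CVE fix, one case with a long pattern containing `{` but no `}` asserting `false` would pin the input shape the replaced regex handled badly, as a plain result assertion rather than a timing check.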
From: =?UTF-8?q?Krist=C3=B3f=20Hauser?=
Date: Thu, 22 Aug 2024 17:44:38 +0200
Subject: [PATCH 3/7] feat: rework test to work on macos with node 10,12 and 14
---
 .github/workflows/test.yml | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 73ef7993..40e385c9 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -13,10 +13,24 @@ jobs:
       matrix:
         os: [ubuntu-latest, windows-latest, macos-latest]
         node-version: [10, 12, 14, 16, 17]
+        exclude:
+          - os: macos-latest
+            node-version: 10
+          - os: macos-latest
+            node-version: 12
+          - os: macos-latest
+            node-version: 14
+        include:
+          - os: macos-13
+            node-version: 10
+          - os: macos-13
+            node-version: 12
+          - os: macos-13
+            node-version: 14
     steps:
       - uses: actions/checkout@v2
-      - uses: actions/setup-node@v1
+      - uses: actions/setup-node@v3
         with:
           node-version: ${{ matrix.node-version }}
       - run: npm install
From 2ab13157f416679f54e3a32b1425e184bd16749e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Krist=C3=B3f=20Hauser?=
Date: Thu, 22 Aug 2024 17:46:35 +0200
Subject: [PATCH 4/7] fix: use actions/setup-node@v4
---
 .github/workflows/test.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 40e385c9..200d32f4 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -30,7 +30,7 @@ jobs:
     steps:
       - uses: actions/checkout@v2
-      - uses: actions/setup-node@v3
+      - uses: actions/setup-node@v4
         with:
           node-version: ${{ matrix.node-version }}
       - run: npm install
From d9dbd9a266686f44afb38da26fe016f96d1ec04f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Krist=C3=B3f=20Hauser?=
Date: Thu, 22 Aug 2024 19:31:17 +0200
Subject: [PATCH 5/7] feat: updated CHANGELOG
---
 CHANGELOG.md | 44 ++++++++++++++++++++++++++++++--------------
 1 file changed, 30 insertions(+), 14 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index fc6d456a..1067af37 100644
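Review bot: `actions/checkout@v2` is left at v2 in the PATCH 3 hunk (and again in the PATCH 4 hunk, which bumps only `actions/setup-node`); that major is two releases behind and targets the older Node action runtimes GitHub has been deprecating, so bump it in the same change, `- uses: actions/checkout@v4`. For supply-chain hygiene both action references would be safer pinned to a full commit SHA with the tag kept in a trailing comment, e.g. `- uses: actions/checkout@<commit-sha> # v4`, because a moving major tag resolves to whatever it points at on each run. The `exclude`/`include` pairs move Node 10/12/14 onto `macos-13`, but the file gives no reason; a one-line comment above `exclude:` such as `# presumably: these Node versions do not run on the current macos-latest runner` would save the next reader from re-deriving it, since the motivation is only implied by the commit subject.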
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -32,6 +32,25 @@ Changelog entries are classified using the following labels _(from [keep-a-chang
+## [4.0.8] - 2024-08-22
+
+- backported CVE fix (from v4.0.6) over to 4.x branch
+
+## [4.0.7] - 2024-05-22
+
+- this is basically v4.0.5, with some README updates
+- **it is vulnerable to CVE-2024-4067 & CVE-2024-4068**
+- does NOT break API compatibility
+
+## [4.0.6] - 2024-05-21
+
+- Added `hasBraces` to check if a pattern contains braces.
+- Fixes CVE-2024-4067 & CVE-2024-4068
+- **BREAKS API COMPATIBILITY**
+- Should be labeled as a major release, but it's not.
+
+## [4.0.1 - 4.0.4]
+
 ## [4.0.0] - 2019-03-20
 ### Added
@@ -40,7 +59,6 @@ Changelog entries are classified using the following labels _(from [keep-a-chang
 - Adds support for `options.onIgnore`. See the readme for details
 - Adds support for `options.onResult`. See the readme for details
-
 ### Breaking changes
 - Require Node.js >= 8.6
@@ -56,9 +74,9 @@ Changelog entries are classified using the following labels _(from [keep-a-chang
 Complete overhaul, with 36,000+ new unit tests validated against actual output generated by Bash and minimatch. More specifically, 35,000+ of the tests:
-  - micromatch results are directly compared to bash results
-  - in rare cases, when micromatch and bash disagree, micromatch's results are compared to minimatch's results
-  - micromatch is much more accurate than minimatch, so there were cases where I had to make assumptions. I'll try to document these.
+- micromatch results are directly compared to bash results
+- in rare cases, when micromatch and bash disagree, micromatch's results are compared to minimatch's results
+- micromatch is much more accurate than minimatch, so there were cases where I had to make assumptions. I'll try to document these.
 This refactor introduces a parser and compiler that are supersets of more granular parsers and compilers from other sub-modules. Each of these sub-modules has a singular responsibility and focuses on a certain type of matching that aligns with a specific part of the Bash "expansion" API.
@@ -73,20 +91,20 @@ Here are those sub-modules with links to related prs on those modules if you wan
 **Added**
-  - source map support (optionally created when using parse or compile - I have no idea what the use case is yet, but they come for free) (note that source maps are not generated for brace expansion at present, since the braces compiler uses a different strategy. I'll update if/when this changes).
-  - parser is exposed, so that implementors can customize or override specific micromatch parsers if necessary
-  - compiler is exposed, so that implementors can customize or override specific micromatch compilers if necessary
+- source map support (optionally created when using parse or compile - I have no idea what the use case is yet, but they come for free) (note that source maps are not generated for brace expansion at present, since the braces compiler uses a different strategy. I'll update if/when this changes).
+- parser is exposed, so that implementors can customize or override specific micromatch parsers if necessary
+- compiler is exposed, so that implementors can customize or override specific micromatch compilers if necessary
 **Fixed**
-  - more accurate matching (passes 100% of Bash 4.3 of the brace expansion and extglob unit tests, as well as all Bash glob tests that are relevant to node.js usage, all minimatch tests, all brace-expansion tests, and also passes a couple of tests that bash fails)
-  - even safer - micromatch has always generated optimized patterns so it's not subject to DoS exploits like minimatch (completely different than the regex DoS issue, minimatch and multimatch are still openly exposed to being used for DoS attacks), but more safeguards were built into this refactor
+- more accurate matching (passes 100% of Bash 4.3 of the brace expansion and extglob unit tests, as well as all Bash glob tests that are relevant to node.js usage, all minimatch tests, all brace-expansion tests, and also passes a couple of tests that bash fails)
+- even safer - micromatch has always generated optimized patterns so it's not subject to DoS exploits like minimatch (completely different than the regex DoS issue, minimatch and multimatch are still openly exposed to being used for DoS attacks), but more safeguards were built into this refactor
 **Changed**
-  - the public API of this library did not change in this version and should be safe to upgrade without changing implentor code. However, we have released this as a major version for the following reasons:
-    - out of an abundance of caution due to the large amount of code changed in this release
-    - we have improved parser accuracy to such a degree that some implementors using invalid globs have noted change in behavior. If this is the case for you, please check that you are using a valid glob expression before logging a bug with this library
+- the public API of this library did not change in this version and should be safe to upgrade without changing implentor code. However, we have released this as a major version for the following reasons:
+  - out of an abundance of caution due to the large amount of code changed in this release
+  - we have improved parser accuracy to such a degree that some implementors using invalid globs have noted change in behavior. If this is the case for you, please check that you are using a valid glob expression before logging a bug with this library
 ## [1.0.1] - 2016-12-12
@@ -102,8 +120,6 @@ Stable release.
 First release.
-
 [Unreleased]: https://github.com/jonschlinkert/micromatch/compare/0.1.0...HEAD
 [0.2.0]: https://github.com/jonschlinkert/micromatch/compare/0.1.0...0.2.0
-
 [keep-a-changelog]: https://github.com/olivierlacan/keep-a-changelog
From 113f2e3fa7cb30b429eda7c4c38475a8e8ba1b30 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Krist=C3=B3f=20Hauser?=
Date: Thu, 22 Aug 2024 23:37:23 +0200
Subject: [PATCH 6/7] fix: CVE numbers in CHANGELOG
---
 CHANGELOG.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1067af37..96c8e29c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -34,18 +34,18 @@ Changelog entries are classified using the following labels _(from [keep-a-chang
 ## [4.0.8] - 2024-08-22
-- backported CVE fix (from v4.0.6) over to 4.x branch
+- backported CVE-2024-4067 fix (from v4.0.6) over to 4.x branch
 ## [4.0.7] - 2024-05-22
 - this is basically v4.0.5, with some README updates
-- **it is vulnerable to CVE-2024-4067 & CVE-2024-4068**
+- **it is vulnerable to CVE-2024-4067**
 - does NOT break API compatibility
 ## [4.0.6] - 2024-05-21
 - Added `hasBraces` to check if a pattern contains braces.
-- Fixes CVE-2024-4067 & CVE-2024-4068
+- Fixes CVE-2024-4067
 - **BREAKS API COMPATIBILITY**
 - Should be labeled as a major release, but it's not.
From 67fcce6a1077c2faf5ad0c5f998fa70202cc5dae Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Krist=C3=B3f=20Hauser?=
Date: Fri, 23 Aug 2024 00:06:39 +0200
Subject: [PATCH 7/7] fix: CHANGELOG about braces & CVE-2024-4068, v4.0.5
---
 CHANGELOG.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 96c8e29c..8cd1883b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -40,6 +40,7 @@ Changelog entries are classified using the following labels _(from [keep-a-chang
 - this is basically v4.0.5, with some README updates
 - **it is vulnerable to CVE-2024-4067**
+- Updated braces to v3.0.3 to avoid CVE-2024-4068
 - does NOT break API compatibility
 ## [4.0.6] - 2024-05-21
@@ -49,7 +50,7 @@ Changelog entries are classified using the following labels _(from [keep-a-chang
 - **BREAKS API COMPATIBILITY**
 - Should be labeled as a major release, but it's not.
-## [4.0.1 - 4.0.4]
+## [4.0.1 - 4.0.5]
 ## [4.0.0] - 2019-03-20