[AUTO-CHERRYPICK] [Medium] patch reaper for CVE-2024-28863 - branch main (#13014)

Co-authored-by: Kevin Lockwood <57274670+kevin-b-lockwood@users.noreply.github.com>

Author: CBL-Mariner-Bot

SPECS/reaper/CVE-2024-28863.patch

@@ -0,0 +1,69 @@
+From d5c11013abfd08ccbdf829de8070e0ed275d0c61 Mon Sep 17 00:00:00 2001
+From: Kevin Lockwood <v-klockwood@microsoft.com>
+Date: Fri, 14 Mar 2025 14:01:06 -0700
+Subject: [PATCH] [Medium] patch reaper for CVE-2024-28863
+
+Link: https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7.patch
+---
+ npm/node_modules/tar/lib/unpack.js | 25 +++++++++++++++++++++----
+ 1 file changed, 21 insertions(+), 4 deletions(-)
+
+diff --git a/npm/node_modules/tar/lib/unpack.js b/npm/node_modules/tar/lib/unpack.js
+index 726c457..7225361 100644
+--- a/npm/node_modules/tar/lib/unpack.js
++++ b/npm/node_modules/tar/lib/unpack.js
+@@ -174,6 +174,12 @@ class Unpack extends Parser {
+     this.processGid = (this.preserveOwner || this.setOwner) && process.getgid ?
+       process.getgid() : null
+ 
++    // prevent excessively deep nesting of subfolders
++    // set to `Infinity` to remove this restriction
++    this.maxDepth = typeof opt.maxDepth === 'number'
++      ? opt.maxDepth
++      : DEFAULT_MAX_DEPTH
++
+     // mostly just for testing, but useful in some cases.
+     // Forcibly trigger a chown on every entry, no matter what
+     this.forceChown = opt.forceChown === true
+@@ -219,11 +225,12 @@ class Unpack extends Parser {
+   }
+ 
+   [CHECKPATH] (entry) {
++    const p = normPath(entry.path)
++    const parts = p.split('/')
++
+     if (this.strip) {
+-      const parts = normPath(entry.path).split('/')
+       if (parts.length < this.strip)
+         return false
+-      entry.path = parts.slice(this.strip).join('/')
+ 
+       if (entry.type === 'Link') {
+         const linkparts = normPath(entry.linkpath).split('/')
+@@ -232,11 +239,21 @@ class Unpack extends Parser {
+         else
+           return false
+       }
++      parts.splice(0, this.strip)
++      entry.path = parts.join('/')
++    }
++
++    if (isFinite(this.maxDepth) && parts.length > this.maxDepth) {
++      this.warn('TAR_ENTRY_ERROR', 'path excessively deep', {
++        entry,
++        path: p,
++        depth: parts.length,
++        maxDepth: this.maxDepth,
++      })
++      return false
+     }
+ 
+     if (!this.preservePaths) {
+-      const p = normPath(entry.path)
+-      const parts = p.split('/')
+       if (parts.includes('..') || isWindows && /^[a-z]:\.\.$/i.test(parts[0])) {
+         this.warn(`path contains '..'`, p)
+         return false
+-- 
+2.34.1
+

SPECS/reaper/reaper.spec

@@ -6,7 +6,7 @@
 Summary:        Reaper for cassandra is a tool for running Apache Cassandra repairs against single or multi-site clusters.
 Name:           reaper
 Version:        3.1.1
-Release:        16%{?dist}
+Release:        17%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -47,6 +47,7 @@ Patch11:        CVE-2024-21538.patch
 Patch12:        CVE-2020-28458.patch
 Patch13:        CVE-2024-52798.patch
 Patch14:        CVE-2020-24025.patch
+Patch15:        CVE-2024-28863.patch
 
 BuildRequires:  git
 BuildRequires:  javapackages-tools
@@ -102,11 +103,16 @@ ln -sf ../lib/node_modules/npm/bin/npm-cli.js bin/npm
 ln -sf ../lib/node_modules/npm/bin/npx-cli.js bin/npx
 
 cp n/versions/node/14.18.0/bin/node bin
-
-ls -al
 popd
 
-%autopatch -p1
+%autopatch -p1 -M 14
+
+pushd $tmp_local_dir/lib/node_modules/
+%autopatch -p1 15
+popd
+pushd $tmp_local_dir/n/versions/node/14.18.0/lib/node_modules/
+%autopatch -p1 15
+popd
 
 rsync -azvhr $tmp_local_dir/ "%{_prefix}/local"
 rm -rf $tmp_local_dir
@@ -184,6 +190,9 @@ fi
 %{_unitdir}/cassandra-%{name}.service
 
 %changelog
+* Thu Mar 13 2025 Kevin Lockwood <v-klockwood@microsoft.com> - 3.1.1-17
+- Patch CVE-2024-28863
+
 * Mon Feb 17 2025 Kanishk Bansal <kanbansal@microsoft.com> - 3.1.1-16
 - Patch CVE-2020-24025 and CVE-2024-52798 
 
@@ -194,7 +203,7 @@ fi
 * Fri Oct 18 2024 Rohit Rawat <rohitrawat@microsoft.com> - 3.1.1-14
 - Patch CVE-2024-45590 in body-parser module
 
-* Thu Oct 15 2024 Rohit Rawat <rohitrawat@microsoft.com> - 3.1.1-13
+* Thu Oct 17 2024 Rohit Rawat <rohitrawat@microsoft.com> - 3.1.1-13
 - CVE-2024-45296: upgrade path-to-regexp from 0.1.7 to 1.1.11 in reaper-srcui-node-modules
 - CVE-2024-43799: patch send in reaper-srcui-node-modules
 - CVE-2024-43800: patch serve-static in reaper-srcui-node-modules