[AUTO-CHERRYPICK] Patch nodejs for CVE-2025-27516 [Medium] - branch main (#12950)

CBL-Mariner-Bot · sandeepkarambelkar · web-flow · commit 4a9ab9dcae17 · 2025-03-19T15:37:36.000-04:00
Co-authored-by: Sandeep Karambelkar &lt;skarambelkar@microsoft.com&gt;
diff --git a/SPECS/nodejs/CVE-2025-27516.patch b/SPECS/nodejs/CVE-2025-27516.patch
@@ -0,0 +1,64 @@
+From 01e50061072389bc315db7c55e5489eb5370a5f7 Mon Sep 17 00:00:00 2001
+From: David Lord <davidism@gmail.com>
+Date: Wed, 5 Mar 2025 10:08:48 -0800
+Subject: [PATCH] attr filter uses env.getattr
+
+---
+ deps/v8/third_party/jinja2/filters.py | 30 +++++++++++----------------
+ 1 file changed, 12 insertions(+), 18 deletions(-)
+
+diff --git a/deps/v8/third_party/jinja2/filters.py b/deps/v8/third_party/jinja2/filters.py
+index 1daf42bc..e71cb5ca 100644
+--- a/deps/v8/third_party/jinja2/filters.py
++++ b/deps/v8/third_party/jinja2/filters.py
+@@ -5,6 +5,7 @@ import random
+ import re
+ import warnings
+ from collections import namedtuple
++from inspect import getattr_static
+ from itertools import chain
+ from itertools import groupby
+ 
+@@ -1072,28 +1073,21 @@ def do_reverse(value):
+ @environmentfilter
+ def do_attr(environment, obj, name):
+     """Get an attribute of an object.  ``foo|attr("bar")`` works like
+-    ``foo.bar`` just that always an attribute is returned and items are not
+-    looked up.
++    ``foo.bar``, but returns undefined instead of falling back to ``foo["bar"]``
++    if the attribute doesn't exist.
+ 
+     See :ref:`Notes on subscriptions <notes-on-subscriptions>` for more details.
+     """
+     try:
+-        name = str(name)
+-    except UnicodeError:
+-        pass
+-    else:
+-        try:
+-            value = getattr(obj, name)
+-        except AttributeError:
+-            pass
+-        else:
+-            if environment.sandboxed and not environment.is_safe_attribute(
+-                obj, name, value
+-            ):
+-                return environment.unsafe_undefined(obj, name)
+-            return value
+-    return environment.undefined(obj=obj, name=name)
+-
++        # This avoids executing properties/descriptors, but misses __getattr__
++        # and __getattribute__ dynamic attrs.
++        getattr_static(obj, name)
++    except AttributeError:
++        # This finds dynamic attrs, and we know it's not a descriptor at this point.
++        if not hasattr(obj, name):
++            return environment.undefined(obj=obj, name=name)
++
++    return environment.getattr(obj, name)
+ 
+ @contextfilter
+ def do_map(*args, **kwargs):
+-- 
+2.40.4
+
diff --git a/SPECS/nodejs/nodejs18.spec b/SPECS/nodejs/nodejs18.spec
@@ -6,7 +6,7 @@ Name:           nodejs18
 # WARNINGS: MUST check and update the 'npm_version' macro for every version update of this package.
 #           The version of NPM can be found inside the sources under 'deps/npm/package.json'.
 Version:        18.20.3
-Release:        4%{?dist}
+Release:        5%{?dist}
 License:        BSD and MIT and Public Domain and NAIST-2003 and Artistic-2.0
 Group:          Applications/System
 Vendor:         Microsoft Corporation
@@ -23,6 +23,7 @@ Patch3:         CVE-2025-23085.patch
 Patch4:         CVE-2024-22020.patch
 Patch5:         CVE-2024-22195.patch
 Patch6:         CVE-2024-34064.patch
+Patch7:         CVE-2025-27516.patch
 BuildRequires:  brotli-devel
 BuildRequires:  coreutils >= 8.22
 BuildRequires:  gcc
@@ -123,6 +124,9 @@ make cctest
 %{_datadir}/systemtap/tapset/node.stp
 
 %changelog
+* Mon Mar 10 2025 Sandeep Karambelkar <skarambelkar@microsoft.com> - 18.20.3-5
+- Patch CVE-2025-27516
+
 * Tue Feb 18 2025 Kevin Lockwood <v-klockwood@microsoft.com> - 18.20.3-4
 - Patch CVE-2024-34064
 
