[AUTO-CHERRYPICK] Patch reaper for CVE-2020-24025 [Medium] - branch main (#12531)

Co-authored-by: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com>

Author: CBL-Mariner-Bot

SPECS/reaper/CVE-2020-24025.patch

@@ -0,0 +1,88 @@
+From 960801d68f88b5f8a98d8384d97a92589f365509 Mon Sep 17 00:00:00 2001
+From: Kanishk-Bansal <kbkanishk975@gmail.com>
+Date: Mon, 17 Feb 2025 12:38:27 +0000
+Subject: [PATCH] Fix CVE-2020-24025
+Upstream Patch Reference: https://github.com/sass/node-sass/pull/3149/commits/82e27620045e409746f051df36a7b8ff3b987f05
+
+---
+ node-sass/scripts/util/downloadoptions.js    |  5 ++-
+ node-sass/scripts/util/rejectUnauthorized.js | 46 ++++++++++++++++++++
+ 2 files changed, 49 insertions(+), 2 deletions(-)
+ create mode 100644 node-sass/scripts/util/rejectUnauthorized.js
+
+diff --git a/src/ui/node_modules/node-sass/scripts/util/downloadoptions.js b/src/ui/node_modules/node-sass/scripts/util/downloadoptions.js
+index 23529716..e9056b10 100644
+--- a/src/ui/node_modules/node-sass/scripts/util/downloadoptions.js
++++ b/src/ui/node_modules/node-sass/scripts/util/downloadoptions.js
+@@ -1,5 +1,6 @@
+ var proxy = require('./proxy'),
+-  userAgent = require('./useragent');
++  userAgent = require('./useragent'),
++  rejectUnauthorized = require('./rejectUnauthorized');
+ 
+ /**
+  * The options passed to request when downloading the bibary
+@@ -14,7 +15,7 @@ var proxy = require('./proxy'),
+  */
+ module.exports = function() {
+   var options = {
+-    rejectUnauthorized: false,
++    rejectUnauthorized: rejectUnauthorized(),
+     timeout: 60000,
+     headers: {
+       'User-Agent': userAgent(),
+diff --git a/src/ui/node_modules/node-sass/scripts/util/rejectUnauthorized.js b/src/ui/node_modules/node-sass/scripts/util/rejectUnauthorized.js
+new file mode 100644
+index 00000000..a1c80107
+--- /dev/null
++++ b/src/ui/node_modules/node-sass/scripts/util/rejectUnauthorized.js
+@@ -0,0 +1,46 @@
++var pkg = require('../../package.json');
++
++/**
++ * Get the value of a CLI argument
++ *
++ * @param {String} name
++ * @param {Array} args
++ * @api private
++ */
++ function getArgument(name, args) {
++  var flags = args || process.argv.slice(2),
++    index = flags.lastIndexOf(name);
++
++  if (index === -1 || index + 1 >= flags.length) {
++    return null;
++  }
++
++  return flags[index + 1];
++}
++
++/**
++ * Get the value of reject-unauthorized
++ * If environment variable SASS_REJECT_UNAUTHORIZED is non-zero,
++ * .npmrc variable sass_reject_unauthorized or
++ * process argument --sass-reject_unauthorized is provided,
++ * set rejectUnauthorized to true
++ * Else set to false by default
++ *
++ * @return {Boolean} The value of rejectUnauthorized
++ * @api private
++ */
++module.exports = function() {
++  var rejectUnauthorized = false;
++
++  if (getArgument('--sass-reject-unauthorized')) {
++    rejectUnauthorized = getArgument('--sass-reject-unauthorized');
++  } else if (process.env.SASS_REJECT_UNAUTHORIZED !== '0') {
++    rejectUnauthorized = true;
++  } else if (process.env.npm_config_sass_reject_unauthorized) {
++    rejectUnauthorized = process.env.npm_config_sass_reject_unauthorized;
++  } else if (pkg.nodeSassConfig && pkg.nodeSassConfig.rejectUnauthorized) {
++    rejectUnauthorized = pkg.nodeSassConfig.rejectUnauthorized;
++  } 
++
++  return rejectUnauthorized;
++};
+-- 
+2.45.2
+

SPECS/reaper/reaper.spec

@@ -6,7 +6,7 @@
 Summary:        Reaper for cassandra is a tool for running Apache Cassandra repairs against single or multi-site clusters.
 Name:           reaper
 Version:        3.1.1
-Release:        15%{?dist}
+Release:        16%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -45,6 +45,7 @@ Patch9:         CVE-2024-48949.patch
 Patch10:        CVE-2024-45590.patch
 Patch11:        CVE-2024-21538.patch
 Patch12:        CVE-2020-28458.patch
+Patch13:        CVE-2020-24025.patch
 
 BuildRequires:  git
 BuildRequires:  javapackages-tools
@@ -182,6 +183,9 @@ fi
 %{_unitdir}/cassandra-%{name}.service
 
 %changelog
+* Mon Feb 17 2025 Kanishk Bansal <kanbansal@microsoft.com> - 3.1.1-16
+- Patch CVE-2020-24025
+
 * Sat Nov 16 2024 Sudipta Pandit <sudpandit@microsoft.com> - 3.1.1-15
 - Patch CVE-2024-21538 in node modules
 - Patch CVE-2020-28458 in bower components