Patch CVE-2024-45590 in reaper (#10557)

microsoft · Oct 9, 2024 · 1b8263c · 1b8263c
1 parent 7322224
commit 1b8263c
Show file tree

Hide file tree

Showing 2 changed files with 92 additions and 1 deletion.
diff --git a/SPECS/reaper/CVE-2024-45590.patch b/SPECS/reaper/CVE-2024-45590.patch
@@ -0,0 +1,87 @@
+From 58b0b02d2501825235a1c1c2598171513621df45 Mon Sep 17 00:00:00 2001
+From: Rohit Rawat <[email protected]>
+Date: Wed, 25 Sep 2024 12:35:30 +0000
+Subject: [PATCH] CVE-2024-45590: Set default depth limit to 32
+
+---
+ .../body-parser/lib/types/urlencoded.js       | 37 +++++++++++++++----
+ 1 file changed, 30 insertions(+), 7 deletions(-)
+
+diff --git a/src/ui/node_modules/body-parser/lib/types/urlencoded.js b/src/ui/node_modules/body-parser/lib/types/urlencoded.js
+index b2ca8f16..886a3ce2 100644
+--- a/src/ui/node_modules/body-parser/lib/types/urlencoded.js
++++ b/src/ui/node_modules/body-parser/lib/types/urlencoded.js
+@@ -55,6 +55,9 @@ function urlencoded (options) {
+     : opts.limit
+   var type = opts.type || 'application/x-www-form-urlencoded'
+   var verify = opts.verify || false
++  var depth = typeof opts.depth !== 'number'
++    ? Number(opts.depth || 32)
++    : opts.depth
+
+   if (verify !== false && typeof verify !== 'function') {
+     throw new TypeError('option verify must be function')
+@@ -118,7 +121,8 @@ function urlencoded (options) {
+       encoding: charset,
+       inflate: inflate,
+       limit: limit,
+-      verify: verify
++      verify: verify,
++      depth: depth
+     })
+   }
+ }
+@@ -133,12 +137,20 @@ function extendedparser (options) {
+   var parameterLimit = options.parameterLimit !== undefined
+     ? options.parameterLimit
+     : 1000
++
++  var depth = typeof options.depth !== 'number'
++    ? Number(options.depth || 32)
++    : options.depth
+   var parse = parser('qs')
+
+   if (isNaN(parameterLimit) || parameterLimit < 1) {
+     throw new TypeError('option parameterLimit must be a positive number')
+   }
+
++  if(isNaN(depth) || depth < 0) {
++    throw new TypeError('option depth must be a zero or a positive number')
++  }
++
+   if (isFinite(parameterLimit)) {
+     parameterLimit = parameterLimit | 0
+   }
+@@ -156,12 +168,23 @@ function extendedparser (options) {
+     var arrayLimit = Math.max(100, paramCount)
+
+     debug('parse extended urlencoding')
+-    return parse(body, {
+-      allowPrototypes: true,
+-      arrayLimit: arrayLimit,
+-      depth: Infinity,
+-      parameterLimit: parameterLimit
+-    })
++    try {
++      return parse(body, {
++        allowPrototypes: true,
++        arrayLimit: arrayLimit,
++        depth: depth,
++        strictDepth: true,
++        parameterLimit: parameterLimit
++      })
++    } catch (err) {
++      if (err instanceof RangeError) {
++        throw createError(400, 'The input exceeded the depth', {
++          type: 'querystring.parse.rangeError'
++        })
++      } else {
++        throw err
++      }
++    }
+   }
+ }
+
+-- 
+2.39.4
+
diff --git a/SPECS/reaper/reaper.spec b/SPECS/reaper/reaper.spec
@@ -6,7 +6,7 @@
 Summary:        Reaper for cassandra is a tool for running Apache Cassandra repairs against single or multi-site clusters.
 Name:           reaper
 Version:        3.1.1
-Release:        12%{?dist}
+Release:        13%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -37,6 +37,7 @@ Patch1:         CVE-2023-42282.patch
 Patch2:         CVE-2017-18214.patch
 Patch3:         CVE-2024-42459.patch
 Patch4:         CVE-2024-43796.patch
+Patch5:         CVE-2024-45590.patch
 BuildRequires:  git
 BuildRequires:  javapackages-tools
 BuildRequires:  maven
@@ -173,6 +174,9 @@ fi
 %{_unitdir}/cassandra-%{name}.service
 
 %changelog
+* Thu Sep 26 2024 Rohit Rawat <[email protected]> - 3.1.1-13
+- Patch CVE-2024-45590 in body-parser module
+
 * Wed Sep 25 2024 Rohit Rawat <[email protected]> - 3.1.1-12
 - Patch CVE-2024-43796 in express module