From 33c91f90fc1613bf2b0071907656a225310e4364 Mon Sep 17 00:00:00 2001
From: Sandeep Karambelkar
Date: Wed, 8 Jan 2025 05:58:51 +0000
Subject: [PATCH] Fix CVE-2024-53859 by applying the patch in the vendor directory for go-gh module
---
 SPECS/gh/CVE-2024-53859.patch | 72 +++++++++++++++++++++++++++++++++++
 SPECS/gh/gh.spec | 12 ++++--
 2 files changed, 81 insertions(+), 3 deletions(-)
 create mode 100644 SPECS/gh/CVE-2024-53859.patch
diff --git a/SPECS/gh/CVE-2024-53859.patch b/SPECS/gh/CVE-2024-53859.patch
new file mode 100644
index 00000000000..3e45bf3d522
--- /dev/null
+++ b/SPECS/gh/CVE-2024-53859.patch
@@ -0,0 +1,72 @@
+From 5d6079f8ad16f553cdaea1d56fedcb4a3a1db082 Mon Sep 17 00:00:00 2001
+From: William Martin
+Date: Thu, 31 Oct 2024 14:07:48 +0100
+Subject: [PATCH] Fix token exposure for non-gh hosts in codespaces
+
+This commit introduces a fix for `GITHUB_TOKEN` being exposed to non-github hosts while in a codespace. We no longer return the `GITHUB_TOKEN` for any host except github.com and github.localhost while in a codespace (while the env var `CODESPACES` is `true`).
+
+This commit also changes how tokens are returned when no oAuth token is found in a config. Previously, an empty string and the `oauthToken` source was returned. Now, we return an empty string and the `defaultSource` source. The intention behind this change is to make more logical sense by not returning an `oauthToken` source when we didn't get any token. It's also worth mentioning that this change also improves our test coverage - all lines in `tokenForHost` are now covered by tests, and we don't have unreachable code.
+
+Co-authored-by: Kynan Ware <47394200+BagToad@users.noreply.github.com>
+
+Modified patch to apply to AzureLinux
+Modified-by: Sandeep Karambelkar
+---
+ pkg/auth/auth.go | 27 ++++++++----
+ 1 file changed, 91 insertions(+), 33 deletions(-)
+
+diff --git a/vendor/github.com/cli/go-gh/v2/pkg/auth/auth.go b/vendor/github.com/cli/go-gh/v2/pkg/auth/auth.go
+index a903736..4378e75 100644
+--- a/vendor/github.com/cli/go-gh/v2/pkg/auth/auth.go
++++ b/vendor/github.com/cli/go-gh/v2/pkg/auth/auth.go
+@@ -63,6 +63,15 @@ func TokenFromEnvOrConfig(host string) (string, string) {
+
+ func tokenForHost(cfg *config.Config, host string) (string, string) {
+ host = NormalizeHostname(host)
++
++ if isCodespaces, _ := strconv.ParseBool(os.Getenv(codespaces)); isCodespaces {
++ if host == github || host == localhost {
++ if token := os.Getenv(githubToken); token != "" {
++ return token, githubToken
++ }
++ }
++ }
++
+ if IsEnterprise(host) {
+ if token := os.Getenv(ghEnterpriseToken); token != "" {
+ return token, ghEnterpriseToken
+@@ -70,25 +79,25 @@ func tokenForHost(cfg *config.Config, host string) (string, string) {
+ if token := os.Getenv(githubEnterpriseToken); token != "" {
+ return token, githubEnterpriseToken
+ }
+- if isCodespaces, _ := strconv.ParseBool(os.Getenv(codespaces)); isCodespaces {
+- if token := os.Getenv(githubToken); token != "" {
+- return token, githubToken
+- }
+- }
+ if cfg != nil {
+- token, _ := cfg.Get([]string{hostsKey, host, oauthToken})
+- return token, oauthToken
++ if token, _ := cfg.Get([]string{hostsKey, host, oauthToken}); token != "" {
++ return token, oauthToken
++ }
+ }
++ return "", defaultSource
+ }
++
+ if token := os.Getenv(ghToken); token != "" {
+ return token, ghToken
+ }
+ if token := os.Getenv(githubToken); token != "" {
+ return token, githubToken
+ }
++
+ if cfg != nil {
+- token, _ := cfg.Get([]string{hostsKey, host, oauthToken})
+- return token, oauthToken
++ if token, _ := cfg.Get([]string{hostsKey, host, oauthToken}); token != "" {
++ return token, oauthToken
++ }
+ }
+ return "", defaultSource
+ }
diff --git a/SPECS/gh/gh.spec b/SPECS/gh/gh.spec
index 4e8e16fa9d3..39353ec9224 100644
--- a/SPECS/gh/gh.spec
+++ b/SPECS/gh/gh.spec
@@ -1,7 +1,7 @@
 Summary: GitHub official command line tool
 Name: gh
 Version: 2.62.0
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: MIT
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -15,6 +15,7 @@
 Source1: %{name}-%{version}-vendor.tar.gz
 Patch0: 0001-Fix-false-negative-in-TestMigrationWriteErrors-when-.patch
 Patch1: CVE-2024-54132.patch
+Patch2: CVE-2024-53859.patch
 BuildRequires: golang < 1.23
 BuildRequires: git
 Requires: git
@@ -25,10 +26,12 @@ Requires: git
 GitHub official command line tool.
 %prep
-%autosetup -p1 -n cli-%{version}
+# Don't patch during setup to apply vendor package 'go-gh' patch CVE-2024-53859.patch
+%autosetup -N -n cli-%{version}
+tar --no-same-owner -xf %{SOURCE1}
+%autopatch -p1
 %build
-tar --no-same-owner -xf %{SOURCE1}
 export GOPATH=%{our_gopath}
 # No mod download use vednor cache locally
 export GOFLAGS="-buildmode=pie -trimpath -mod=vendor -modcacherw -ldflags=-linkmode=external"
@@ -57,6 +60,9 @@ make test
 %{_datadir}/zsh/site-functions/_gh
 %changelog
+* Wed Jan 08 2025 Sandeep Karambelkar - 2.62.0-3
+- Patch CVE-2024-53859
+
 * Fri Dec 13 2024 Sandeep Karambelkar - 2.62.0-2
 - Patch CVE-2024-54132