From fb1f32688b41a59f4318932ba1e8b55c4ba691ff Mon Sep 17 00:00:00 2001 From: Tony Cassara Date: Thu, 14 Feb 2019 12:43:31 -0800 Subject: [PATCH] Fixes Prototype Pollution vulnerability in Handlebars dependency (#7904) --- CHANGELOG.md | 1 + packages/jest-cli/package.json | 2 +- .../script_transformer.test.js.snap | 36 +++---- yarn.lock | 95 ++++++++++--------- 4 files changed, 70 insertions(+), 64 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3816ad097265..7418adb3c9d2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,7 @@ ### Fixes +- `[jest-cli]` Fix prototype pollution vulnerability in dependency ([#7904](https://github.com/facebook/jest/pull/7904)) - `[jest-cli]` Refactor `-o` and `--coverage` combined ([#7611](https://github.com/facebook/jest/pull/7611)) - `[expect]` Fix custom async matcher stack trace ([#7652](https://github.com/facebook/jest/pull/7652)) - `[jest-changed-files]` Improve default file selection for Mercurial repos ([#7880](https://github.com/facebook/jest/pull/7880)) diff --git a/packages/jest-cli/package.json b/packages/jest-cli/package.json index bc0caf236cad..98364d921fc4 100644 --- a/packages/jest-cli/package.json +++ b/packages/jest-cli/package.json @@ -11,7 +11,7 @@ "graceful-fs": "^4.1.15", "import-local": "^2.0.0", "is-ci": "^2.0.0", - "istanbul-api": "^2.0.8", + "istanbul-api": "^2.1.1", "istanbul-lib-coverage": "^2.0.2", "istanbul-lib-instrument": "^3.0.1", "istanbul-lib-source-maps": "^3.0.1", diff --git a/packages/jest-runtime/src/__tests__/__snapshots__/script_transformer.test.js.snap b/packages/jest-runtime/src/__tests__/__snapshots__/script_transformer.test.js.snap index de782a1c3c6a..d2d473e38b9f 100644 --- a/packages/jest-runtime/src/__tests__/__snapshots__/script_transformer.test.js.snap +++ b/packages/jest-runtime/src/__tests__/__snapshots__/script_transformer.test.js.snap @@ -25,12 +25,14 @@ Object { exports[`ScriptTransformer transforms a file properly 1`] = ` "({\\"Object.\\":function(module,exports,require,__dirname,__filename,global,jest){/* istanbul ignore next */ var cov_25u22311x4 = function () { - var path = \\"/fruits/banana.js\\", - hash = \\"ef12c7f3c0d46c0ac007781d50b4e524293578c6\\", - Function = function () {}.constructor, - global = new Function('return this')(), - gcv = \\"__coverage__\\", - coverageData = { + var path = \\"/fruits/banana.js\\"; + var hash = \\"ef12c7f3c0d46c0ac007781d50b4e524293578c6\\"; + + var Function = function () {}.constructor; + + var global = new Function(\\"return this\\")(); + var gcv = \\"__coverage__\\"; + var coverageData = { path: \\"/fruits/banana.js\\", statementMap: { \\"0\\": { @@ -52,8 +54,8 @@ var cov_25u22311x4 = function () { f: {}, b: {}, _coverageSchema: \\"43e27e138ebf9cfc5966b082cf9a028302ed4184\\" - }, - coverage = global[gcv] || (global[gcv] = {}); + }; + var coverage = global[gcv] || (global[gcv] = {}); if (coverage[path] && coverage[path].hash === hash) { return coverage[path]; @@ -71,12 +73,14 @@ module.exports = \\"banana\\"; exports[`ScriptTransformer transforms a file properly 2`] = ` "({\\"Object.\\":function(module,exports,require,__dirname,__filename,global,jest){/* istanbul ignore next */ var cov_23yvu8etmu = function () { - var path = \\"/fruits/kiwi.js\\", - hash = \\"90cf6273dfbcd93e4510a6c5503c2125aab1f1b8\\", - Function = function () {}.constructor, - global = new Function('return this')(), - gcv = \\"__coverage__\\", - coverageData = { + var path = \\"/fruits/kiwi.js\\"; + var hash = \\"90cf6273dfbcd93e4510a6c5503c2125aab1f1b8\\"; + + var Function = function () {}.constructor; + + var global = new Function(\\"return this\\")(); + var gcv = \\"__coverage__\\"; + var coverageData = { path: \\"/fruits/kiwi.js\\", statementMap: { \\"0\\": { @@ -136,8 +140,8 @@ var cov_23yvu8etmu = function () { }, b: {}, _coverageSchema: \\"43e27e138ebf9cfc5966b082cf9a028302ed4184\\" - }, - coverage = global[gcv] || (global[gcv] = {}); + }; + var coverage = global[gcv] || (global[gcv] = {}); if (coverage[path] && coverage[path].hash === hash) { return coverage[path]; diff --git a/yarn.lock b/yarn.lock index 42f57554fa8c..71ed496d78f9 100644 --- a/yarn.lock +++ b/yarn.lock @@ -4240,7 +4240,7 @@ debug@^3.1.0: dependencies: ms "^2.1.1" -debug@^4.0.1, debug@^4.1.0: +debug@^4.0.1, debug@^4.1.0, debug@^4.1.1: version "4.1.1" resolved "https://registry.yarnpkg.com/debug/-/debug-4.1.1.tgz#3b72260255109c6b589cee050f1d516139664791" integrity sha512-pYAIzeRo8J6KPEaJ0VWOh5Pzkbw/RetuzehGM7QRRX5he4fPHx2rdKMB256ehJCkX+XRQm16eZLqLNS8RSZXZw== @@ -6410,10 +6410,10 @@ gzip-size@3.0.0: dependencies: duplexer "^0.1.1" -handlebars@^4.0.11, handlebars@^4.0.2: - version "4.0.12" - resolved "https://registry.yarnpkg.com/handlebars/-/handlebars-4.0.12.tgz#2c15c8a96d46da5e266700518ba8cb8d919d5bc5" - integrity sha512-RhmTekP+FZL+XNhwS1Wf+bTTZpdLougwt5pcgA1tuz6Jcx0fpH/7z0qd71RKnZHBCxIRBHfBOnio4gViPemNzA== +handlebars@^4.0.2, handlebars@^4.1.0: + version "4.1.0" + resolved "https://registry.yarnpkg.com/handlebars/-/handlebars-4.1.0.tgz#0d6a6f34ff1f63cecec8423aa4169827bf787c3a" + integrity sha512-l2jRuU1NAWK6AW5qqcTATWQJvNPEwkM7NEKSiv/gqOsoSQbVoWyqVEY5GS+XPQ88zLNmqASRpzfdm8d79hJS+w== dependencies: async "^2.5.0" optimist "^0.6.1" @@ -7415,75 +7415,76 @@ isstream@~0.1.2: resolved "https://registry.yarnpkg.com/isstream/-/isstream-0.1.2.tgz#47e63f7af55afa6f92e1500e690eb8b8529c099a" integrity sha1-R+Y/evVa+m+S4VAOaQ64uFKcCZo= -istanbul-api@^2.0.8: - version "2.0.8" - resolved "https://registry.yarnpkg.com/istanbul-api/-/istanbul-api-2.0.8.tgz#5621503c5595e5adbbacd5ce257090417c7f55da" - integrity sha512-ITCccemErW+BhZotmyQ/ktlYTAp9r7oWfz1oxxMpgKQVTUw0NAYRbKLbOSNaInipecIKul7U7O5BfCQBBRZa3w== +istanbul-api@^2.0.8, istanbul-api@^2.1.1: + version "2.1.1" + resolved "https://registry.yarnpkg.com/istanbul-api/-/istanbul-api-2.1.1.tgz#194b773f6d9cbc99a9258446848b0f988951c4d0" + integrity sha512-kVmYrehiwyeBAk/wE71tW6emzLiHGjYIiDrc8sfyty4F8M02/lrgXSm+R1kXysmF20zArvmZXjlE/mg24TVPJw== dependencies: async "^2.6.1" compare-versions "^3.2.1" fileset "^2.0.3" - istanbul-lib-coverage "^2.0.2" - istanbul-lib-hook "^2.0.2" - istanbul-lib-instrument "^3.0.1" - istanbul-lib-report "^2.0.3" - istanbul-lib-source-maps "^3.0.1" - istanbul-reports "^2.0.3" + istanbul-lib-coverage "^2.0.3" + istanbul-lib-hook "^2.0.3" + istanbul-lib-instrument "^3.1.0" + istanbul-lib-report "^2.0.4" + istanbul-lib-source-maps "^3.0.2" + istanbul-reports "^2.1.1" js-yaml "^3.12.0" make-dir "^1.3.0" + minimatch "^3.0.4" once "^1.4.0" -istanbul-lib-coverage@^2.0.2: - version "2.0.2" - resolved "https://registry.yarnpkg.com/istanbul-lib-coverage/-/istanbul-lib-coverage-2.0.2.tgz#d5db9a7a4bb8fdbd62ec746226385987b73a8f43" - integrity sha512-4CsY730KHy12ya/YNKubrMlb7EZZVsEPhXntyRY/Cbs7HN5HdznLbI4UbvIGHgocxHx3VkGe7l6IN1lipetuGg== +istanbul-lib-coverage@^2.0.2, istanbul-lib-coverage@^2.0.3: + version "2.0.3" + resolved "https://registry.yarnpkg.com/istanbul-lib-coverage/-/istanbul-lib-coverage-2.0.3.tgz#0b891e5ad42312c2b9488554f603795f9a2211ba" + integrity sha512-dKWuzRGCs4G+67VfW9pBFFz2Jpi4vSp/k7zBcJ888ofV5Mi1g5CUML5GvMvV6u9Cjybftu+E8Cgp+k0dI1E5lw== -istanbul-lib-hook@^2.0.2: - version "2.0.2" - resolved "https://registry.yarnpkg.com/istanbul-lib-hook/-/istanbul-lib-hook-2.0.2.tgz#9ddd28aeac10f3bb6a4d02325e72b35044d17d3a" - integrity sha512-m0MwviQ0Av6qBNDkvKdLBxxuK6ffXo8761gE2bfT+/b+dhg8LUyQhp1nFh795LO12DpiSocuCPIRwILCsN1//Q== +istanbul-lib-hook@^2.0.3: + version "2.0.3" + resolved "https://registry.yarnpkg.com/istanbul-lib-hook/-/istanbul-lib-hook-2.0.3.tgz#e0e581e461c611be5d0e5ef31c5f0109759916fb" + integrity sha512-CLmEqwEhuCYtGcpNVJjLV1DQyVnIqavMLFHV/DP+np/g3qvdxu3gsPqYoJMXm15sN84xOlckFB3VNvRbf5yEgA== dependencies: append-transform "^1.0.0" -istanbul-lib-instrument@^3.0.0, istanbul-lib-instrument@^3.0.1: - version "3.0.1" - resolved "https://registry.yarnpkg.com/istanbul-lib-instrument/-/istanbul-lib-instrument-3.0.1.tgz#dd631e117dd9891e8bf1de7bb400cb8e491363af" - integrity sha512-/LTPhh1YKXjJlb5uggsiZjJHuViIljcIsB1zqmZegIw2yQ4l8LRksRGebJrZUFVEE28ZtKzmmT50W5tpAucfJg== +istanbul-lib-instrument@^3.0.0, istanbul-lib-instrument@^3.0.1, istanbul-lib-instrument@^3.1.0: + version "3.1.0" + resolved "https://registry.yarnpkg.com/istanbul-lib-instrument/-/istanbul-lib-instrument-3.1.0.tgz#a2b5484a7d445f1f311e93190813fa56dfb62971" + integrity sha512-ooVllVGT38HIk8MxDj/OIHXSYvH+1tq/Vb38s8ixt9GoJadXska4WkGY+0wkmtYCZNYtaARniH/DixUGGLZ0uA== dependencies: "@babel/generator" "^7.0.0" "@babel/parser" "^7.0.0" "@babel/template" "^7.0.0" "@babel/traverse" "^7.0.0" "@babel/types" "^7.0.0" - istanbul-lib-coverage "^2.0.2" + istanbul-lib-coverage "^2.0.3" semver "^5.5.0" -istanbul-lib-report@^2.0.3: - version "2.0.3" - resolved "https://registry.yarnpkg.com/istanbul-lib-report/-/istanbul-lib-report-2.0.3.tgz#8e22534766e9cc8e20ae96283331b4405da9dce9" - integrity sha512-25gX27Mbd3MjM41hwGl5lWcQEqaPaMP79YDFS20xuTUujItNmHgTBS3WRZvzyzLE0IAKaL+JpLrryou2WlZNMw== +istanbul-lib-report@^2.0.4: + version "2.0.4" + resolved "https://registry.yarnpkg.com/istanbul-lib-report/-/istanbul-lib-report-2.0.4.tgz#bfd324ee0c04f59119cb4f07dab157d09f24d7e4" + integrity sha512-sOiLZLAWpA0+3b5w5/dq0cjm2rrNdAfHWaGhmn7XEFW6X++IV9Ohn+pnELAl9K3rfpaeBfbmH9JU5sejacdLeA== dependencies: - istanbul-lib-coverage "^2.0.2" + istanbul-lib-coverage "^2.0.3" make-dir "^1.3.0" - supports-color "^5.4.0" + supports-color "^6.0.0" -istanbul-lib-source-maps@^3.0.1: - version "3.0.1" - resolved "https://registry.yarnpkg.com/istanbul-lib-source-maps/-/istanbul-lib-source-maps-3.0.1.tgz#002936e1106c4fa49714a946e6c63c1098b52e11" - integrity sha512-DBsZMpCwCPewRCmyd0FETHtzarQK/kKejQkDPBqKPwLYQmhs2p6a7yytfVDqib7PgXGSJZNTc1b6B3jl9G8FqA== +istanbul-lib-source-maps@^3.0.1, istanbul-lib-source-maps@^3.0.2: + version "3.0.2" + resolved "https://registry.yarnpkg.com/istanbul-lib-source-maps/-/istanbul-lib-source-maps-3.0.2.tgz#f1e817229a9146e8424a28e5d69ba220fda34156" + integrity sha512-JX4v0CiKTGp9fZPmoxpu9YEkPbEqCqBbO3403VabKjH+NRXo72HafD5UgnjTEqHL2SAjaZK1XDuDOkn6I5QVfQ== dependencies: - debug "^3.1.0" - istanbul-lib-coverage "^2.0.2" + debug "^4.1.1" + istanbul-lib-coverage "^2.0.3" make-dir "^1.3.0" rimraf "^2.6.2" source-map "^0.6.1" -istanbul-reports@^2.0.3: - version "2.0.3" - resolved "https://registry.yarnpkg.com/istanbul-reports/-/istanbul-reports-2.0.3.tgz#332eda684c9ee891f199dfba305c3e776f55fc16" - integrity sha512-qpQ5ZWBkOatTxmTelS+HV5ybPSq7EeXmwXrPbGv7ebP+9DJOtveUcv6hCncZE4IxSAEkdmLEh3xo31SCttbApQ== +istanbul-reports@^2.1.1: + version "2.1.1" + resolved "https://registry.yarnpkg.com/istanbul-reports/-/istanbul-reports-2.1.1.tgz#72ef16b4ecb9a4a7bd0e2001e00f95d1eec8afa9" + integrity sha512-FzNahnidyEPBCI0HcufJoSEoKykesRlFcSzQqjH9x0+LC8tnnE/p/90PBLu8iZTxr8yYZNyTtiAujUqyN+CIxw== dependencies: - handlebars "^4.0.11" + handlebars "^4.1.0" isurl@^1.0.0-alpha5: version "1.0.0" @@ -12318,14 +12319,14 @@ supports-color@^3.2.3: dependencies: has-flag "^1.0.0" -supports-color@^5.3.0, supports-color@^5.4.0: +supports-color@^5.3.0: version "5.5.0" resolved "https://registry.yarnpkg.com/supports-color/-/supports-color-5.5.0.tgz#e2e69a44ac8772f78a1ec0b35b689df6530efc8f" integrity sha512-QjVjwdXIt408MIiAqCX4oUKsgU2EqAGzs2Ppkm4aQYbjm+ZEWEcW4SfFNTr4uMNZma0ey4f5lgLrkB0aX0QMow== dependencies: has-flag "^3.0.0" -supports-color@^6.1.0: +supports-color@^6.0.0, supports-color@^6.1.0: version "6.1.0" resolved "https://registry.yarnpkg.com/supports-color/-/supports-color-6.1.0.tgz#0764abc69c63d5ac842dd4867e8d025e880df8f3" integrity sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==