fix: prevent accidental unpatching of vulns
When patching dependencies we unpatch previously applied patches. We were doing so too eagerly, potentially unpatching transitive dependencies as well.
Anton Drukh
committed
Apr 3, 2019
1 parent
7669ac0
commit 4447347
Showing
6 changed files
with
544 additions
and
18 deletions.
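--- a/test/fixtures/protect-apply-same-patch-again/.snyk-npm-debug-20170905.flag
+++ b/test/fixtures/protect-apply-same-patch-again/.snyk-npm-debug-20170905.flag
@@ -0,0 +1 @@
+2019-04-03T10:53:44.704Z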
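--- a/test/fixtures/protect-apply-same-patch-again/src/node.js
+++ b/test/fixtures/protect-apply-same-patch-again/src/node.js
@@ -0,0 +1,248 @@
+/**
+* Module dependencies.
+*/
+
+var tty = require('tty');
+var util = require('util');
+
+/**
+* This is the Node.js implementation of `debug()`.
+*
+* Expose `debug()` as the module.
+*/
+
+exports = module.exports = require('./debug');
+exports.init = init;
+exports.log = log;
+exports.formatArgs = formatArgs;
+exports.save = save;
+exports.load = load;
+exports.useColors = useColors;
+
+/**
+* Colors.
+*/
+
+exports.colors = [6, 2, 3, 4, 5, 1];
+
+/**
+* Build up the default `inspectOpts` object from the environment variables.
+*
+* $ DEBUG_COLORS=no DEBUG_DEPTH=10 DEBUG_SHOW_HIDDEN=enabled node script.js
+*/
+
+exports.inspectOpts = Object.keys(process.env).filter(function (key) {
+return /^debug_/i.test(key);
+}).reduce(function (obj, key) {
+// camel-case
+var prop = key
+.substring(6)
+.toLowerCase()
+.replace(/_([a-z])/g, function (_, k) { return k.toUpperCase() });
+
+// coerce string value into JS value
+var val = process.env[key];
+if (/^(yes|on|true|enabled)$/i.test(val)) val = true;
+else if (/^(no|off|false|disabled)$/i.test(val)) val = false;
+else if (val === 'null') val = null;
+else val = Number(val);
+
+obj[prop] = val;
+return obj;
+}, {});
+
+/**
+* The file descriptor to write the `debug()` calls to.
+* Set the `DEBUG_FD` env variable to override with another value. i.e.:
+*
+* $ DEBUG_FD=3 node script.js 3>debug.log
+*/
+
+var fd = parseInt(process.env.DEBUG_FD, 10) || 2;
+
+if (1 !== fd && 2 !== fd) {
+util.deprecate(function(){}, 'except for stderr(2) and stdout(1), any other usage of DEBUG_FD is deprecated. Override debug.log if you want to use a different log function (https://git.io/debug_fd)')()
+}
+
+var stream = 1 === fd ? process.stdout :
+2 === fd ? process.stderr :
+createWritableStdioStream(fd);
+
+/**
+* Is stdout a TTY? Colored output is enabled when `true`.
+*/
+
+function useColors() {
+return 'colors' in exports.inspectOpts
+? Boolean(exports.inspectOpts.colors)
+: tty.isatty(fd);
+}
+
+/**
+* Map %o to `util.inspect()`, all on a single line.
+*/
+
+exports.formatters.o = function(v) {
+this.inspectOpts.colors = this.useColors;
+return util.inspect(v, this.inspectOpts)
+.split('\n').map(function(str) {
+return str.trim()
+}).join(' ');
+};
+
+/**
+* Map %o to `util.inspect()`, allowing multiple lines if needed.
+*/
+
+exports.formatters.O = function(v) {
+this.inspectOpts.colors = this.useColors;
+return util.inspect(v, this.inspectOpts);
+};
+
+/**
+* Adds ANSI color escape codes if enabled.
+*
+* @api public
+*/
+
+function formatArgs(args) {
+var name = this.namespace;
+var useColors = this.useColors;
+
+if (useColors) {
+var c = this.color;
+var prefix = ' \u001b[3' + c + ';1m' + name + ' ' + '\u001b[0m';
+
+args[0] = prefix + args[0].split('\n').join('\n' + prefix);
+args.push('\u001b[3' + c + 'm+' + exports.humanize(this.diff) + '\u001b[0m');
+} else {
+args[0] = new Date().toUTCString()
++ ' ' + name + ' ' + args[0];
+}
+}
+
+/**
+* Invokes `util.format()` with the specified arguments and writes to `stream`.
+*/
+
+function log() {
+return stream.write(util.format.apply(util, arguments) + '\n');
+}
+
+/**
+* Save `namespaces`.
+*
+* @param {String} namespaces
+* @api private
+*/
+
+function save(namespaces) {
+if (null == namespaces) {
+// If you set a process.env field to null or undefined, it gets cast to the
+// string 'null' or 'undefined'. Just delete instead.
+delete process.env.DEBUG;
+} else {
+process.env.DEBUG = namespaces;
+}
+}
+
+/**
+* Load `namespaces`.
+*
+* @return {String} returns the previously persisted debug modes
+* @api private
+*/
+
+function load() {
+return process.env.DEBUG;
+}
+
+/**
+* Copied from `node/src/node.js`.
+*
+* XXX: It's lame that node doesn't expose this API out-of-the-box. It also
+* relies on the undocumented `tty_wrap.guessHandleType()` which is also lame.
+*/
+
+function createWritableStdioStream (fd) {
+var stream;
+var tty_wrap = process.binding('tty_wrap');
+
+// Note stream._type is used for test-module-load-list.js
+
+switch (tty_wrap.guessHandleType(fd)) {
+case 'TTY':
+stream = new tty.WriteStream(fd);
+stream._type = 'tty';
+
+// Hack to have stream not keep the event loop alive.
+// See https://github.com/joyent/node/issues/1726
+if (stream._handle && stream._handle.unref) {
+stream._handle.unref();
+}
+break;
+
+case 'FILE':
+var fs = require('fs');
+stream = new fs.SyncWriteStream(fd, { autoClose: false });
+stream._type = 'fs';
+break;
+
+case 'PIPE':
+case 'TCP':
+var net = require('net');
+stream = new net.Socket({
+fd: fd,
+readable: false,
+writable: true
+});
+
+// FIXME Should probably have an option in net.Socket to create a
+// stream from an existing fd which is writable only. But for now
+// we'll just add this hack and set the `readable` member to false.
+// Test: ./node test/fixtures/echo.js < /etc/passwd
+stream.readable = false;
+stream.read = null;
+stream._type = 'pipe';
+
+// FIXME Hack to have stream not keep the event loop alive.
+// See https://github.com/joyent/node/issues/1726
+if (stream._handle && stream._handle.unref) {
+stream._handle.unref();
+}
+break;
+
+default:
+// Probably an error on in uv_guess_handle()
+throw new Error('Implement me. Unknown stream file type!');
+}
+
+// For supporting legacy API we put the FD here.
+stream.fd = fd;
+
+stream._isStdio = true;
+
+return stream;
+}
+
+/**
+* Init logic for `debug` instances.
+*
+* Create a new `inspectOpts` object in case `useColors` is set
+* differently for a particular `debug` instance.
+*/
+
+function init (debug) {
+debug.inspectOpts = {};
+
+var keys = Object.keys(exports.inspectOpts);
+for (var i = 0; i < keys.length; i++) {
+debug.inspectOpts[keys[i]] = exports.inspectOpts[keys[i]];
+}
+}
+
+/**
+* Enable namespaces listed in `process.env.DEBUG` initially.
+*/
+
+exports.enable(load());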