Skip to content

lib,esm: handle bypass network-import via data: #53764

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
nodejs-github-bot merged 1 commit into from
Jul 12, 2024
Merged

lib,esm: handle bypass network-import via data: #53764

nodejs-github-bot merged 1 commit into from
Jul 12, 2024

Conversation

@RafaelGSS
Copy link
Member

@RafaelGSS RafaelGSS commented Jul 8, 2024
edited
Loading

This commit didn't land cleanly on main from v22.x 110902f. So, I'm opening a manual PR to make sure we won't break anything.

cc: @aduh95 @GeoffreyBooth

@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented Jul 8, 2024

Review requested:

  • @nodejs/loaders

@nodejs-github-bot nodejs-github-bot added esm Issues and PRs related to the ECMAScript Modules implementation. needs-ci PRs that need a full CI run. labels Jul 8, 2024
@RafaelGSS
Copy link
Member Author

RafaelGSS commented Jul 8, 2024

The validation needs to accept H1 links as well.

anonrig
anonrig reviewed Jul 8, 2024
View reviewed changes
@RafaelGSS RafaelGSS force-pushed the backport-network-import-via-data branch from 5c74da6 to 61b1f42 Compare July 8, 2024 19:12
RafaelGSS
RafaelGSS commented Jul 8, 2024
View reviewed changes
@RafaelGSS RafaelGSS force-pushed the backport-network-import-via-data branch from 61b1f42 to 9dc1933 Compare July 8, 2024 21:45
@RafaelGSS
lib,esm: handle bypass network-import via data:
15c2d8d 
PR-URL: nodejs-private/node-private#522
Refs: https://hackerone.com/bugs?subject=nodejs&report_id=2092749
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
CVE-ID: CVE-2024-22020
@RafaelGSS RafaelGSS force-pushed the backport-network-import-via-data branch from 9dc1933 to 15c2d8d Compare July 8, 2024 21:49
@RafaelGSS RafaelGSS added the request-ci Add this label to start a Jenkins CI on a PR. label Jul 8, 2024
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Jul 8, 2024
@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented Jul 8, 2024

CI: https://ci.nodejs.org/job/node-test-pull-request/60188/

@RafaelGSS RafaelGSS added the author ready PRs that have at least one approval, no pending requests for changes, and a CI started. label Jul 9, 2024
aduh95
aduh95 approved these changes Jul 9, 2024
View reviewed changes
lib/internal/modules/esm/resolve.js
return { __proto__: null, url: parsed.href };
}
}

Copy link
Contributor

@aduh95 aduh95 Jul 9, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: unrelated line removal

mcollina
mcollina approved these changes Jul 9, 2024
View reviewed changes
Copy link
Member

@mcollina mcollina left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@RafaelGSS RafaelGSS added the commit-queue Add this label to land a pull request using GitHub Actions. label Jul 12, 2024
@nodejs-github-bot nodejs-github-bot added commit-queue-failed An error occurred while landing this pull request using GitHub Actions. and removed commit-queue Add this label to land a pull request using GitHub Actions. labels Jul 12, 2024
@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented Jul 12, 2024

Commit Queue failed
- Loading data for nodejs/node/pull/53764
✔  Done loading data for nodejs/node/pull/53764
----------------------------------- PR info ------------------------------------
Title      lib,esm: handle bypass network-import via data: (#53764)
Author     Rafael Gonzaga <rafael.nunu@hotmail.com> (@RafaelGSS)
Branch     RafaelGSS:backport-network-import-via-data -> nodejs:main
Labels     esm, author ready, needs-ci
Commits    1
 - lib,esm: handle bypass network-import via data:
Committers 1
 - RafaelGSS <rafael.nunu@hotmail.com>
PR-URL: https://github.com/nodejs/node/pull/53764
Fixes: https://hackerone.com/bugs?subject=nodejs&report_id=2092749
Reviewed-By: Yagiz Nizipli <yagiz.nizipli@sentry.io>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
------------------------------ Generated metadata ------------------------------
PR-URL: https://github.com/nodejs/node/pull/53764
Fixes: https://hackerone.com/bugs?subject=nodejs&report_id=2092749
Reviewed-By: Yagiz Nizipli <yagiz.nizipli@sentry.io>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
--------------------------------------------------------------------------------
   ℹ  This PR was created on Mon, 08 Jul 2024 18:48:45 GMT
   ✔  Approvals: 4
   ✔  - Yagiz Nizipli (@anonrig): https://github.com/nodejs/node/pull/53764#pullrequestreview-2164507162
   ✔  - Antoine du Hamel (@aduh95) (TSC): https://github.com/nodejs/node/pull/53764#pullrequestreview-2165404578
   ✔  - Marco Ippolito (@marco-ippolito) (TSC): https://github.com/nodejs/node/pull/53764#pullrequestreview-2165583758
   ✔  - Matteo Collina (@mcollina) (TSC): https://github.com/nodejs/node/pull/53764#pullrequestreview-2165697861
   ✔  Last GitHub CI successful
   ℹ  Last Full PR CI on 2024-07-08T23:19:20Z: https://ci.nodejs.org/job/node-test-pull-request/60188/
- Querying data for job/node-test-pull-request/60188/
   ✔  Last Jenkins CI successful
--------------------------------------------------------------------------------
   ✔  No git cherry-pick in progress
   ✔  No git am in progress
   ✔  No git rebase in progress
--------------------------------------------------------------------------------
- Bringing origin/main up to date...
From https://github.com/nodejs/node
 * branch                  main       -> FETCH_HEAD
✔  origin/main is now up-to-date
- Downloading patch for 53764
From https://github.com/nodejs/node
 * branch                  refs/pull/53764/merge -> FETCH_HEAD
✔  Fetched commits as fc233627ed44..15c2d8d75ed8
--------------------------------------------------------------------------------
[main ad0ac2de27] lib,esm: handle bypass network-import via data:
 Author: RafaelGSS <rafael.nunu@hotmail.com>
 Date: Wed Jan 10 14:50:18 2024 -0300
 3 files changed, 164 insertions(+), 64 deletions(-)
 create mode 100644 test/fixtures/es-modules/import-data-url.mjs
   ✔  Patches applied
--------------------------------------------------------------------------------
   ⚠  Found Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>, skipping..
   ⚠  Found Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>, skipping..
--------------------------------- New Message ----------------------------------
lib,esm: handle bypass network-import via data:

PR-URL: https://github.com/nodejs-private/node-private/pull/522

Refs: https://hackerone.com/bugs?subject=nodejs&amp;report_id=2092749

Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>

Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>

CVE-ID: CVE-2024-22020

PR-URL: #53764

Fixes: https://hackerone.com/bugs?subject=nodejs&amp;report_id=2092749

Reviewed-By: Yagiz Nizipli <yagiz.nizipli@sentry.io>

Reviewed-By: Matteo Collina <matteo.collina@gmail.com>


[main 6f2a2306fc] lib,esm: handle bypass network-import via data:

Author: RafaelGSS <rafael.nunu@hotmail.com>

Date: Wed Jan 10 14:50:18 2024 -0300

3 files changed, 164 insertions(+), 64 deletions(-)

create mode 100644 test/fixtures/es-modules/import-data-url.mjs

✖  6f2a2306fcf219dcd27189810a543b542800cbc4

✔  0:0      no Co-authored-by metadata                co-authored-by-is-trailer

✖  7:7      Fixes must be a GitHub URL.               fixes-url

✔  0:0      blank line after title                    line-after-title

✔  0:0      line-lengths are valid                    line-length

✔  0:0      metadata is at end of message             metadata-end

✔  6:8      PR-URL is valid.                          pr-url

✔  0:0      reviewers are valid                       reviewers

✔  0:0      valid subsystems                          subsystem

✔  0:0      Title is formatted correctly.             title-format

✔  0:0      Title is <= 50 columns.                   title-length


ℹ  Please fix the commit message and try again.

Please manually ammend the commit message, by running

git commit --amend

Once commit message is fixed, finish the landing command running

git node land --continue
https://github.com/nodejs/node/actions/runs/9907895685

@RafaelGSS RafaelGSS added commit-queue Add this label to land a pull request using GitHub Actions. and removed commit-queue-failed An error occurred while landing this pull request using GitHub Actions. labels Jul 12, 2024
@nodejs-github-bot nodejs-github-bot removed the commit-queue Add this label to land a pull request using GitHub Actions. label Jul 12, 2024
@nodejs-github-bot nodejs-github-bot merged commit 24648b5 into nodejs:main Jul 12, 2024
@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented Jul 12, 2024

Landed in 24648b5

@aduh95 aduh95 added backported-to-v20.x PRs backported to the v20.x-staging branch. backported-to-v22.x PRs backported to the v22.x-staging branch. labels Jul 12, 2024
ehsankhfr pushed a commit to ehsankhfr/node that referenced this pull request Jul 18, 2024
@RafaelGSS @ehsankhfr
lib,esm: handle bypass network-import via data:
fba9247 
PR-URL: https://github.com/nodejs-private/node-private/pull/522
Refs: https://hackerone.com/bugs?subject=nodejs&report_id=2092749
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
CVE-ID: CVE-2024-22020
PR-URL: nodejs#53764
Reviewed-By: Yagiz Nizipli <yagiz.nizipli@sentry.io>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
@aduh95 aduh95 mentioned this pull request Oct 14, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mcollina mcollina mcollina approved these changes

@anonrig anonrig anonrig approved these changes

@aduh95 aduh95 aduh95 approved these changes

@marco-ippolito marco-ippolito marco-ippolito approved these changes

Assignees

No one assigned

Labels

author ready PRs that have at least one approval, no pending requests for changes, and a CI started. backported-to-v20.x PRs backported to the v20.x-staging branch. backported-to-v22.x PRs backported to the v22.x-staging branch. esm Issues and PRs related to the ECMAScript Modules implementation. needs-ci PRs that need a full CI run.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@RafaelGSS @nodejs-github-bot @mcollina @anonrig @aduh95 @marco-ippolito