From 8a32b7404574b68eb023ba21a7fb42cd68069d77 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Stan=C4=9Bk?=
Date: Wed, 1 Jun 2022 11:48:45 +0200
Subject: [PATCH] deps: import fixes for CVE-2021-44906
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Recreated from the upstream patches:
* https://github.com/substack/minimist/commit/c2b981977fa834b223b408cfb860f933c9811e4d
* https://github.com/substack/minimist/commit/bc8ecee43875261f4f17eb20b1243d3ed15e70eb

Signed-off-by: Jan Staněk
---
 deps/npm/node_modules/minimist/index.js | 8 ++++++--
 deps/npm/node_modules/minimist/test/proto.js | 16 ++++++++++++++++
 .../mkdirp/node_modules/minimist/index.js | 8 ++++++--
 .../mkdirp/node_modules/minimist/test/proto.js | 16 ++++++++++++++++
 4 files changed, 44 insertions(+), 4 deletions(-)

diff --git a/deps/npm/node_modules/minimist/index.js b/deps/npm/node_modules/minimist/index.js
index d2afe5e..d9c3eb7 100644
--- a/deps/npm/node_modules/minimist/index.js
+++ b/deps/npm/node_modules/minimist/index.js
@@ -70,7 +70,7 @@ module.exports = function (args, opts) {
 var o = obj;
 for (var i = 0; i < keys.length-1; i++) {
 var key = keys[i];
- if (key === '__proto__') return;
+ if (isConstructorOrProto(o, key)) return;
 if (o[key] === undefined) o[key] = {};
 if (o[key] === Object.prototype || o[key] === Number.prototype
 || o[key] === String.prototype) o[key] = {};
@@ -79,7 +79,7 @@ module.exports = function (args, opts) {
 }
 
 var key = keys[keys.length - 1];
- if (key === '__proto__') return;
+ if (isConstructorOrProto(o, key)) return;
 if (o === Object.prototype || o === Number.prototype
 || o === String.prototype) o = {};
 if (o === Array.prototype) o = [];
@@ -243,3 +243,7 @@ function isNumber (x) {
 return /^[-+]?(?:\d+(?:\.\d*)?|\.\d+)(e[-+]?\d+)?$/.test(x);
 }
 
+
+function isConstructorOrProto (obj, key) {
+ return key === 'constructor' && typeof obj[key] === 'function' || key === '__proto__';
+}
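Review bot: `isConstructorOrProto` in the `@@ -243` hunk mixes `&&` and `||` without parentheses, so a reader has to recall operator precedence to see that the `typeof` check belongs only to the `constructor` branch; write it as `return (key === 'constructor' && typeof obj[key] === 'function') || key === '__proto__';`. The helper also deserves a short doc comment saying why it exists, because `obj[key]` reads through the prototype chain and `'constructor'` on a plain `{}` or on an array therefore resolves to a built-in function whose `.prototype` is shared, which is the kind of path the new proto.js tests exercise: `/** True when key would let setKey walk out of obj via constructor.prototype or __proto__ (CVE-2021-44906). */`. The two call sites in the `@@ -70` and `@@ -79` hunks sit inside `setKey`, whose start and end lie outside both hunks. The identical copy under deps/npm/node_modules/mkdirp/node_modules/minimist/index.js has the same two points.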
diff --git a/deps/npm/node_modules/minimist/test/proto.js b/deps/npm/node_modules/minimist/test/proto.js
index 8649107..4ac62df 100644
--- a/deps/npm/node_modules/minimist/test/proto.js
+++ b/deps/npm/node_modules/minimist/test/proto.js
@@ -42,3 +42,19 @@ test('proto pollution (constructor)', function (t) {
 t.equal(argv.y, undefined);
 t.end();
 });
+
+test('proto pollution (constructor function)', function (t) {
+ var argv = parse(['--_.concat.constructor.prototype.y', '123']);
+ function fnToBeTested() {}
+ t.equal(fnToBeTested.y, undefined);
+ t.equal(argv.y, undefined);
+ t.end();
+});
+
+// powered by snyk - https://github.com/backstage/backstage/issues/10343
+test('proto pollution (constructor function) snyk', function (t) {
+ var argv = parse('--_.constructor.constructor.prototype.foo bar'.split(' '));
+ t.equal((function(){}).foo, undefined);
+ t.equal(argv.y, undefined);
+ t.end();
+})
diff --git a/deps/npm/node_modules/mkdirp/node_modules/minimist/index.js b/deps/npm/node_modules/mkdirp/node_modules/minimist/index.js
index d2afe5e..d9c3eb7 100644
--- a/deps/npm/node_modules/mkdirp/node_modules/minimist/index.js
+++ b/deps/npm/node_modules/mkdirp/node_modules/minimist/index.js
@@ -70,7 +70,7 @@ module.exports = function (args, opts) {
 var o = obj;
 for (var i = 0; i < keys.length-1; i++) {
 var key = keys[i];
- if (key === '__proto__') return;
+ if (isConstructorOrProto(o, key)) return;
 if (o[key] === undefined) o[key] = {};
 if (o[key] === Object.prototype || o[key] === Number.prototype
 || o[key] === String.prototype) o[key] = {};
@@ -79,7 +79,7 @@ module.exports = function (args, opts) {
 }
 
 var key = keys[keys.length - 1];
- if (key === '__proto__') return;
+ if (isConstructorOrProto(o, key)) return;
 if (o === Object.prototype || o === Number.prototype
 || o === String.prototype) o = {};
 if (o === Array.prototype) o = [];
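Review bot: In the new `proto pollution (constructor function) snyk` test the second assertion checks `argv.y`, but the argument under test writes `foo`, so `t.equal(argv.y, undefined)` holds for every input and verifies nothing; it appears to be carried over from the preceding test and should read `t.equal(argv.foo, undefined);` so that it confirms the value was dropped rather than landing on the parsed object. The same test closes with `})` while every other test in the hunk uses `});`. The three context lines at the top of the hunk belong to the existing `proto pollution (constructor)` test, whose start lies outside the hunk. The identical copy under deps/npm/node_modules/mkdirp/node_modules/minimist/test/proto.js has both points.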
@@ -243,3 +243,7 @@ function isNumber (x) {
 return /^[-+]?(?:\d+(?:\.\d*)?|\.\d+)(e[-+]?\d+)?$/.test(x);
 }
 
+
+function isConstructorOrProto (obj, key) {
+ return key === 'constructor' && typeof obj[key] === 'function' || key === '__proto__';
+}
diff --git a/deps/npm/node_modules/mkdirp/node_modules/minimist/test/proto.js b/deps/npm/node_modules/mkdirp/node_modules/minimist/test/proto.js
index 8649107..4ac62df 100644
--- a/deps/npm/node_modules/mkdirp/node_modules/minimist/test/proto.js
+++ b/deps/npm/node_modules/mkdirp/node_modules/minimist/test/proto.js
@@ -42,3 +42,19 @@ test('proto pollution (constructor)', function (t) {
 t.equal(argv.y, undefined);
 t.end();
 });
+
+test('proto pollution (constructor function)', function (t) {
+ var argv = parse(['--_.concat.constructor.prototype.y', '123']);
+ function fnToBeTested() {}
+ t.equal(fnToBeTested.y, undefined);
+ t.equal(argv.y, undefined);
+ t.end();
+});
+
+// powered by snyk - https://github.com/backstage/backstage/issues/10343
+test('proto pollution (constructor function) snyk', function (t) {
+ var argv = parse('--_.constructor.constructor.prototype.foo bar'.split(' '));
+ t.equal((function(){}).foo, undefined);
+ t.equal(argv.y, undefined);
+ t.end();
+})
-- 
2.36.1