Merge pull request #266 from hauserkristof/feature/v4.0.8

Backport CVE-2024-4067 fix from 4.0.6 over 4.0.7

Author: doowb

.github/workflows/test.yml

@@ -13,10 +13,24 @@ jobs:
  matrix:
  os: [ubuntu-latest, windows-latest, macos-latest]
  node-version: [10, 12, 14, 16, 17]
+ exclude:
+ - os: macos-latest
+ node-version: 10
+ - os: macos-latest
+ node-version: 12
+ - os: macos-latest
+ node-version: 14
+ include:
+ - os: macos-13
+ node-version: 10
+ - os: macos-13
+ node-version: 12
+ - os: macos-13
+ node-version: 14
 
  steps:
  - uses: actions/checkout@v2
- - uses: actions/setup-node@v1
+ - uses: actions/setup-node@v4
  with:
  node-version: ${{ matrix.node-version }}
  - run: npm install

CHANGELOG.md

@@ -32,6 +32,26 @@ Changelog entries are classified using the following labels _(from [keep-a-chang
 
 </details>
 
+## [4.0.8] - 2024-08-22
+
+- backported CVE-2024-4067 fix (from v4.0.6) over to 4.x branch
+
+## [4.0.7] - 2024-05-22
+
+- this is basically v4.0.5, with some README updates
+- **it is vulnerable to CVE-2024-4067**
+- Updated braces to v3.0.3 to avoid CVE-2024-4068
+- does NOT break API compatibility
+
+## [4.0.6] - 2024-05-21
+
+- Added `hasBraces` to check if a pattern contains braces.
+- Fixes CVE-2024-4067
+- **BREAKS API COMPATIBILITY**
+- Should be labeled as a major release, but it's not.
+
+## [4.0.1 - 4.0.5]
+
 ## [4.0.0] - 2019-03-20
 
 ### Added
@@ -40,7 +60,6 @@ Changelog entries are classified using the following labels _(from [keep-a-chang
 - Adds support for `options.onIgnore`. See the readme for details
 - Adds support for `options.onResult`. See the readme for details
 
-
 ### Breaking changes
 
 - Require Node.js >= 8.6
@@ -56,9 +75,9 @@ Changelog entries are classified using the following labels _(from [keep-a-chang
 
 Complete overhaul, with 36,000+ new unit tests validated against actual output generated by Bash and minimatch. More specifically, 35,000+ of the tests:
 
- - micromatch results are directly compared to bash results
- - in rare cases, when micromatch and bash disagree, micromatch's results are compared to minimatch's results
- - micromatch is much more accurate than minimatch, so there were cases where I had to make assumptions. I'll try to document these.
+- micromatch results are directly compared to bash results
+- in rare cases, when micromatch and bash disagree, micromatch's results are compared to minimatch's results
+- micromatch is much more accurate than minimatch, so there were cases where I had to make assumptions. I'll try to document these.
 
 This refactor introduces a parser and compiler that are supersets of more granular parsers and compilers from other sub-modules. Each of these sub-modules has a singular responsibility and focuses on a certain type of matching that aligns with a specific part of the Bash "expansion" API.
 
@@ -73,20 +92,20 @@ Here are those sub-modules with links to related prs on those modules if you wan
 
 **Added**
 
- - source map support (optionally created when using parse or compile - I have no idea what the use case is yet, but they come for free) (note that source maps are not generated for brace expansion at present, since the braces compiler uses a different strategy. I'll update if/when this changes).
- - parser is exposed, so that implementors can customize or override specific micromatch parsers if necessary
- - compiler is exposed, so that implementors can customize or override specific micromatch compilers if necessary
+- source map support (optionally created when using parse or compile - I have no idea what the use case is yet, but they come for free) (note that source maps are not generated for brace expansion at present, since the braces compiler uses a different strategy. I'll update if/when this changes).
+- parser is exposed, so that implementors can customize or override specific micromatch parsers if necessary
+- compiler is exposed, so that implementors can customize or override specific micromatch compilers if necessary
 
 **Fixed**
 
- - more accurate matching (passes 100% of Bash 4.3 of the brace expansion and extglob unit tests, as well as all Bash glob tests that are relevant to node.js usage, all minimatch tests, all brace-expansion tests, and also passes a couple of tests that bash fails)
- - even safer - micromatch has always generated optimized patterns so it's not subject to DoS exploits like minimatch (completely different than the regex DoS issue, minimatch and multimatch are still openly exposed to being used for DoS attacks), but more safeguards were built into this refactor
+- more accurate matching (passes 100% of Bash 4.3 of the brace expansion and extglob unit tests, as well as all Bash glob tests that are relevant to node.js usage, all minimatch tests, all brace-expansion tests, and also passes a couple of tests that bash fails)
+- even safer - micromatch has always generated optimized patterns so it's not subject to DoS exploits like minimatch (completely different than the regex DoS issue, minimatch and multimatch are still openly exposed to being used for DoS attacks), but more safeguards were built into this refactor
 
 **Changed**
 
- - the public API of this library did not change in this version and should be safe to upgrade without changing implentor code. However, we have released this as a major version for the following reasons:
-  - out of an abundance of caution due to the large amount of code changed in this release
-  - we have improved parser accuracy to such a degree that some implementors using invalid globs have noted change in behavior. If this is the case for you, please check that you are using a valid glob expression before logging a bug with this library
+- the public API of this library did not change in this version and should be safe to upgrade without changing implentor code. However, we have released this as a major version for the following reasons:
+ - out of an abundance of caution due to the large amount of code changed in this release
+ - we have improved parser accuracy to such a degree that some implementors using invalid globs have noted change in behavior. If this is the case for you, please check that you are using a valid glob expression before logging a bug with this library
 
 ## [1.0.1] - 2016-12-12
 
@@ -102,8 +121,6 @@ Stable release.
 
 First release.
 
-
 [Unreleased]: https://github.com/jonschlinkert/micromatch/compare/0.1.0...HEAD
 [0.2.0]: https://github.com/jonschlinkert/micromatch/compare/0.1.0...0.2.0
-
 [keep-a-changelog]: https://github.com/olivierlacan/keep-a-changelog

index.js

@@ -4,8 +4,12 @@ const util = require('util');
 const braces = require('braces');
 const picomatch = require('picomatch');
 const utils = require('picomatch/lib/utils');
-const isEmptyString = val => val === '' || val === './';
 
+const isEmptyString = (v) => v === "" || v === "./";
+const hasBraces = (v) => {
+ const index = v.indexOf("{");
+ return index > -1 && v.indexOf("}", index) > -1;
+};
 /**
  * Returns an array of strings that match one or more glob patterns.
  *
@@ -445,7 +449,7 @@ micromatch.parse = (patterns, options) => {
 
 micromatch.braces = (pattern, options) => {
  if (typeof pattern !== 'string') throw new TypeError('Expected a string');
- if ((options && options.nobrace === true) || !/\{.*\}/.test(pattern)) {
+ if ((options && options.nobrace === true) || !hasBraces(pattern)) {
  return [pattern];
  }
  return braces(pattern, options);
@@ -464,4 +468,6 @@ micromatch.braceExpand = (pattern, options) => {
  * Expose micromatch
  */
 
+// exposed for tests
+micromatch.hasBraces = hasBraces;
 module.exports = micromatch;

test/braces.js

@@ -2,9 +2,25 @@
 
 const assert = require('assert');
 const mm = require('..');
-const { isMatch, makeRe } = mm;
+const { isMatch, hasBraces } = mm;
 
 describe('braces', () => {
+ it("should return true when braces are found", () => {
+ assert.equal(hasBraces("{foo}"), true);
+ assert.equal(hasBraces("foo}"), false);
+ assert.equal(hasBraces("{foo"), false);
+ assert.equal(hasBraces("a{}b"), true);
+ assert.equal(hasBraces("abc {foo} xyz"), true);
+ assert.equal(hasBraces("abc {foo xyz"), false);
+ assert.equal(hasBraces("abc {foo} xyz"), true);
+ assert.equal(hasBraces("abc foo} xyz"), false);
+ assert.equal(hasBraces("abc foo xyz"), false);
+ assert.equal(hasBraces("abc {foo} xyz {bar} pqr"), true);
+ assert.equal(hasBraces("abc {foo xyz {bar} pqr"), true);
+ assert.equal(hasBraces("abc foo} xyz {bar pqr"), false);
+ });
+
+
  it('should handle extglobs in braces', () => {
  let fixtures = ['a', 'b', 'c', 'd', 'ab', 'ac', 'ad', 'bc', 'cb', 'bc,d', 'c,db', 'c,d', 'd)', '(b|c', '*(b|c', 'b|c', 'b|cc', 'cb|c', 'x(a|b|c)', 'x(a|c)', '(a|b|c)', '(a|c)'];