NixOS · 06kellyjac · Apr 12, 2023 · SuperSandro2000 · Apr 13, 2023 · 06kellyjac
diff --git a/pkgs/development/web/deno/CVE-2023-28446_escape_control_chars_backport.patch b/pkgs/development/web/deno/CVE-2023-28446_escape_control_chars_backport.patch
@@ -0,0 +1,140 @@
+diff --git a/Cargo.lock b/Cargo.lock
+index c9b2f0bf6..ac412caeb 100644
+--- a/Cargo.lock
++++ b/Cargo.lock
+@@ -513,6 +513,16 @@ dependencies = [
+  "winapi 0.3.9",
+ ]
+
++[[package]]
++name = "console_static_text"
++version = "0.7.1"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "953d2c3cf53213a4eccdbe8f2e0b49b5d0f77e87a2a9060117bbf9346f92b64e"
++dependencies = [
++ "unicode-width",
++ "vte",
++]
++
+ [[package]]
+ name = "const-oid"
+ version = "0.9.0"
+@@ -778,6 +788,7 @@ dependencies = [
+  "clap",
+  "clap_complete",
+  "clap_complete_fig",
++ "console_static_text",
+  "data-url",
+  "deno_ast",
+  "deno_bench_util",
+@@ -1177,6 +1188,7 @@ name = "deno_runtime"
+ version = "0.88.0"
+ dependencies = [
+  "atty",
++ "console_static_text",
+  "deno_broadcast_channel",
+  "deno_cache",
+  "deno_console",
+@@ -5416,6 +5428,27 @@ version = "1.0.2"
+ source = "registry+https://github.com/rust-lang/crates.io-index"
+ checksum = "6a02e4885ed3bc0f2de90ea6dd45ebcbb66dacffe03547fadbb0eeae2770887d"
+
++[[package]]
++name = "vte"
++version = "0.11.0"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "1aae21c12ad2ec2d168c236f369c38ff332bc1134f7246350dca641437365045"
++dependencies = [
++ "arrayvec",
++ "utf8parse",
++ "vte_generate_state_changes",
++]
++
++[[package]]
++name = "vte_generate_state_changes"
++version = "0.1.1"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "d257817081c7dffcdbab24b9e62d2def62e2ff7d00b1c20062551e6cccc145ff"
++dependencies = [
++ "proc-macro2 1.0.43",
++ "quote 1.0.21",
++]
++
+ [[package]]
+ name = "walkdir"
+ version = "2.3.2"
+diff --git a/Cargo.toml b/Cargo.toml
+index 256623504..0db382997 100644
+--- a/Cargo.toml
++++ b/Cargo.toml
+@@ -78,6 +78,7 @@ base64 = "=0.13.1"
+ bencher = "0.1"
+ bytes = "=1.2.1"
+ cache_control = "=0.2.0"
++console_static_text = "=0.7.1"
+ data-url = "=0.2.0"
+ dlopen = "0.1.8"
+ encoding_rs = "=0.8.31"
+diff --git a/cli/Cargo.toml b/cli/Cargo.toml
+index a72ddc822..263234b70 100644
+--- a/cli/Cargo.toml
++++ b/cli/Cargo.toml
+@@ -59,6 +59,7 @@ chrono = { version = "=0.4.22", default-features = false, features = ["clock"] }
+ clap = "=3.1.12"
+ clap_complete = "=3.1.2"
+ clap_complete_fig = "=3.1.5"
++console_static_text.workspace = true
+ data-url.workspace = true
+ dissimilar = "=1.0.4"
+ dprint-plugin-json = "=0.16.0"
+diff --git a/runtime/Cargo.toml b/runtime/Cargo.toml
+index a62259a1a..be94ce420 100644
+--- a/runtime/Cargo.toml
++++ b/runtime/Cargo.toml
+@@ -72,6 +72,7 @@ deno_websocket.workspace = true
+ deno_webstorage.workspace = true
+
+ atty.workspace = true
++console_static_text.workspace = true
+ dlopen.workspace = true
+ encoding_rs.workspace = true
+ filetime = "0.2.16"
+diff --git a/runtime/permissions.rs b/runtime/permissions.rs
+index 95f95b512..d5c28ecdf 100644
+--- a/runtime/permissions.rs
++++ b/runtime/permissions.rs
+@@ -29,6 +29,14 @@ use std::sync::atomic::AtomicBool;
+ #[cfg(test)]
+ use std::sync::atomic::Ordering;
+
++/// Helper function to strip ansi codes and ASCII control characters.
++fn strip_ansi_codes_and_ascii_control(s: &str) -> std::borrow::Cow<str> {
++  console_static_text::strip_ansi_codes(s)
++    .chars()
++    .filter(|c| !c.is_ascii_control())
++    .collect()
++}
++
+ const PERMISSION_EMOJI: &str = "⚠️";
+
+ static DEBUG_LOG_ENABLED: Lazy<bool> =
+@@ -2389,13 +2397,17 @@ fn permission_prompt(
+     return false; // don't grant permission if this fails
+   }
+
++  let message = strip_ansi_codes_and_ascii_control(message);
++  let name = strip_ansi_codes_and_ascii_control(name);
++  let api_name = api_name.map(strip_ansi_codes_and_ascii_control);
++
+   // print to stderr so that if stdout is piped this is still displayed.
+   const OPTS: &str = "[y/n] (y = yes, allow; n = no, deny)";
+   eprint!("{}  ┌ ", PERMISSION_EMOJI);
+   eprint!("{}", colors::bold("Deno requests "));
+-  eprint!("{}", colors::bold(message));
++  eprint!("{}", colors::bold(message.clone()));
+   eprintln!("{}", colors::bold("."));
+-  if let Some(api_name) = api_name {
++  if let Some(api_name) = api_name.clone() {
+     eprintln!("   ├ Requested by `{}` API", api_name);
+   }
+   let msg = format!(
diff --git a/pkgs/development/web/deno/default.nix b/pkgs/development/web/deno/default.nix
@@ -25,7 +25,12 @@ rustPlatform.buildRustPackage rec {
     rev = "v${version}";
     sha256 = "sha256-Rkzr5Y50Z2A+TeWCrrC6GUvu8/x6IgDxvd8D6mKbIGE=";
   };
-  cargoSha256 = "sha256-n2K0CghobLri69oMrs8nCNSwq/5eH3YlzLtC9JRriQ8=";
+  cargoSha256 = "sha256-D6YjBMUBlfSkPcNDSAln0coADFFCMf8ukO7kAbuZp+g=";
+
+  cargoPatches = [
+    # resolved in 1.31.2
+    ./CVE-2023-28446_escape_control_chars_backport.patch
+  ];
 
   postPatch = ''
     # upstream uses lld on aarch64-darwin for faster builds