fix: protect handle quotes on vuln ids in .snyk file

snyk · Jan 11, 2022 · 45403e9 · 45403e9
1 parent c5d0e5d
commit 45403e9
Show file tree

Hide file tree

Showing 16 changed files with 27,258 additions and 1 deletion.
diff --git a/packages/snyk-protect/src/lib/snyk-file.ts b/packages/snyk-protect/src/lib/snyk-file.ts
@@ -1,4 +1,5 @@
 import { VulnIdAndPackageName } from './types';
+import { deQuote } from './utils';
 
 const lineRegex = /^(\s*)(.*):(?:$| )+(.*)$/i;
 
@@ -54,7 +55,7 @@ export function extractPatchMetadata(
       );
     } else {
       vulnIdAndPackageNames.push({
-        vulnId,
+        vulnId: deQuote(vulnId.trim()),
         packageName: packageNames[0],
       });
     }

diff --git a/packages/snyk-protect/src/lib/utils.ts b/packages/snyk-protect/src/lib/utils.ts
@@ -0,0 +1,13 @@
+export function deQuote(s: string): string {
+  let res = s;
+
+  if (res.startsWith('"') && res.endsWith('"')) {
+    res = res.substring(1, res.length - 1);
+  }
+
+  if (res.startsWith("'") && res.endsWith("'")) {
+    res = res.substring(1, res.length - 1);
+  }
+
+  return res;
+}
diff --git a/packages/snyk-protect/test/acceptance/protect.spec.ts b/packages/snyk-protect/test/acceptance/protect.spec.ts
@@ -143,6 +143,60 @@ describe('@snyk/protect', () => {
         },
       });
     });
+
+    it('works when the vulnId in a .snyk file is quoted', async () => {
+      const log = jest.spyOn(global.console, 'log');
+      const postJsonSpy = jest.spyOn(http, 'postJson');
+      const project = await createProject(
+        'single-patchable-module-with-quotes',
+      );
+      const patchedLodash = await getPatchedLodash();
+
+      await protect(project.path());
+
+      await expect(
+        project.read('node_modules/nyc/node_modules/lodash/lodash.js'),
+      ).resolves.toEqual(patchedLodash);
+
+      expect(
+        fse.existsSync(
+          project.path(
+            `node_modules/nyc/node_modules/lodash/lodash.js.snyk-protect.flag`,
+          ),
+        ),
+      ).toBe(true);
+
+      expect(
+        fse.existsSync(
+          project.path(
+            `node_modules/nyc/node_modules/lodash/.snyk-SNYK-JS-LODASH-567746.flag`,
+          ),
+        ),
+      ).toBe(true);
+
+      expect(log).toHaveBeenCalledWith('Applied Snyk patches.');
+      expect(postJsonSpy).toHaveBeenCalledTimes(1);
+      expect(postJsonSpy.mock.calls[0][1]).toEqual({
+        data: {
+          command: '@snyk/protect',
+          args: [],
+          version: '1.0.0-monorepo',
+          nodeVersion: process.version,
+          metadata: {
+            protectResult: {
+              type: 'APPLIED_PATCHES',
+              patchedModules: [
+                {
+                  vulnId: 'SNYK-JS-LODASH-567746',
+                  packageName: 'lodash',
+                  packageVersion: '4.17.15',
+                },
+              ],
+            },
+          },
+        },
+      });
+    });
   });
 
   describe('does not apply any patches and does not fail', () => {

diff --git a/packages/snyk-protect/test/fixtures/single-patchable-module-with-quotes/.snyk b/packages/snyk-protect/test/fixtures/single-patchable-module-with-quotes/.snyk
@@ -0,0 +1,24 @@
+# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
+version: v1.22.1
+ignore: {}
+# patches apply the minimum changes required to fix a vulnerability
+patch:
+  'SNYK-JS-LODASH-567746':
+    - 'tap > nyc > istanbul-lib-instrument > babel-types > lodash':
+        patched: '2021-02-17T13:43:51.857Z'
+    - 'tap > nyc > istanbul-lib-instrument > babel-generator > lodash':
+        patched: '2021-02-17T13:43:51.857Z'
+    - 'tap > nyc > istanbul-lib-instrument > babel-traverse > lodash':
+        patched: '2021-02-17T13:43:51.857Z'
+    - 'tap > nyc > istanbul-lib-instrument > babel-template > lodash':
+        patched: '2021-02-17T13:43:51.857Z'
+    - 'tap > nyc > istanbul-lib-instrument > babel-generator > babel-types > lodash':
+        patched: '2021-02-17T13:43:51.857Z'
+    - 'tap > nyc > istanbul-lib-instrument > babel-traverse > babel-types > lodash':
+        patched: '2021-02-17T13:43:51.857Z'
+    - 'tap > nyc > istanbul-lib-instrument > babel-template > babel-types > lodash':
+        patched: '2021-02-17T13:43:51.857Z'
+    - 'tap > nyc > istanbul-lib-instrument > babel-template > babel-traverse > lodash':
+        patched: '2021-02-17T13:43:51.857Z'
+    - 'tap > nyc > istanbul-lib-instrument > babel-template > babel-traverse > babel-types > lodash':
+        patched: '2021-02-17T13:43:51.857Z'
diff --git a/packages/snyk-protect/test/fixtures/single-patchable-module-with-quotes/README.md b/packages/snyk-protect/test/fixtures/single-patchable-module-with-quotes/README.md
@@ -0,0 +1,4 @@
+Location of lodash package.json:
+```
+node_modules/nyc/node_modules/lodash
+```
diff --git a/...s/snyk-protect/test/fixtures/single-patchable-module-with-quotes/expected_patchfile.patch b/...s/snyk-protect/test/fixtures/single-patchable-module-with-quotes/expected_patchfile.patch
@@ -0,0 +1,66 @@
+# Licence
+# ---------
+# The MIT License
+
+# Copyright JS Foundation and other contributors <https://js.foundation/>
+
+# Based on Underscore.js, copyright Jeremy Ashkenas,
+# DocumentCloud and Investigative Reporters & Editors <http://underscorejs.org/>
+
+# This software consists of voluntary contributions made by many
+# individuals. For exact contribution history, see the revision history
+# available at https://github.com/lodash/lodash
+
+# The following license applies to all parts of this software except as
+# documented below:
+
+# ====
+
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+# ====
+
+# Copyright and related rights for sample code are waived via CC0. Sample
+# code is defined as all source code displayed within the prose of the
+# documentation.
+
+# CC0: http://creativecommons.org/publicdomain/zero/1.0/
+
+# ====
+
+# Files located in the node_modules and vendor directories are externally
+# maintained libraries used by this software which have their own
+# licenses; we recommend you read them, as their terms may differ from the
+# terms above.
+diff --git a/lodash.js b/lodash.js
+index 9b95dfef..43e71ffb 100644
+--- a/lodash.js
++++ b/lodash.js
+@@ -3977,6 +3977,10 @@
+         var key = toKey(path[index]),
+             newValue = value;
+
++        if ((key === '__proto__' || key === 'constructor' || key === 'prototype')) {
++          return object;
++        }
++
+         if (index != lastIndex) {
+           var objValue = nested[key];
+           newValue = customizer ? customizer(objValue, key, nested) : undefined;
diff --git a/...yk-protect/test/fixtures/single-patchable-module-with-quotes/node_modules/nyc/LICENSE.txt b/...yk-protect/test/fixtures/single-patchable-module-with-quotes/node_modules/nyc/LICENSE.txt