Patch CVE-2024-45590 in python-tensorboard (microsoft#10559)

Author: xordux

SPECS/python-tensorboard/CVE-2024-45590.patch

@@ -0,0 +1,87 @@
+From 8007c86f9772612b795ddd2733ec8d8f7c9957b8 Mon Sep 17 00:00:00 2001
+From: Rohit Rawat <xordux@gmail.com>
+Date: Wed, 25 Sep 2024 17:14:58 +0000
+Subject: [PATCH] CVE-2024-45590: Set default depth limit to 32
+
+---
+ .../body-parser/lib/types/urlencoded.js       | 37 +++++++++++++++----
+ 1 file changed, 30 insertions(+), 7 deletions(-)
+
+diff --git a/tb_tmp/b069b9e9814ff76ffa6219506d1f1e79/external/npm/_/node_modules/body-parser/lib/types/urlencoded.js b/tb_tmp/b069b9e9814ff76ffa6219506d1f1e79/external/npm/_/node_modules/body-parser/lib/types/urlencoded.js
+index b2ca8f16d..886a3ce23 100644
+--- a/tb_tmp/b069b9e9814ff76ffa6219506d1f1e79/external/npm/_/node_modules/body-parser/lib/types/urlencoded.js
++++ b/tb_tmp/b069b9e9814ff76ffa6219506d1f1e79/external/npm/_/node_modules/body-parser/lib/types/urlencoded.js
+@@ -55,6 +55,9 @@ function urlencoded (options) {
+     : opts.limit
+   var type = opts.type || 'application/x-www-form-urlencoded'
+   var verify = opts.verify || false
++  var depth = typeof opts.depth !== 'number'
++    ? Number(opts.depth || 32)
++    : opts.depth
+ 
+   if (verify !== false && typeof verify !== 'function') {
+     throw new TypeError('option verify must be function')
+@@ -118,7 +121,8 @@ function urlencoded (options) {
+       encoding: charset,
+       inflate: inflate,
+       limit: limit,
+-      verify: verify
++      verify: verify,
++      depth: depth
+     })
+   }
+ }
+@@ -133,12 +137,20 @@ function extendedparser (options) {
+   var parameterLimit = options.parameterLimit !== undefined
+     ? options.parameterLimit
+     : 1000
++
++  var depth = typeof options.depth !== 'number'
++    ? Number(options.depth || 32)
++    : options.depth
+   var parse = parser('qs')
+ 
+   if (isNaN(parameterLimit) || parameterLimit < 1) {
+     throw new TypeError('option parameterLimit must be a positive number')
+   }
+ 
++  if(isNaN(depth) || depth < 0) {
++    throw new TypeError('option depth must be a zero or a positive number')
++  }
++
+   if (isFinite(parameterLimit)) {
+     parameterLimit = parameterLimit | 0
+   }
+@@ -156,12 +168,23 @@ function extendedparser (options) {
+     var arrayLimit = Math.max(100, paramCount)
+ 
+     debug('parse extended urlencoding')
+-    return parse(body, {
+-      allowPrototypes: true,
+-      arrayLimit: arrayLimit,
+-      depth: Infinity,
+-      parameterLimit: parameterLimit
+-    })
++    try {
++      return parse(body, {
++        allowPrototypes: true,
++        arrayLimit: arrayLimit,
++        depth: depth,
++        strictDepth: true,
++        parameterLimit: parameterLimit
++      })
++    } catch (err) {
++      if (err instanceof RangeError) {
++        throw createError(400, 'The input exceeded the depth', {
++          type: 'querystring.parse.rangeError'
++        })
++      } else {
++        throw err
++      }
++    }
+   }
+ }
+ 
+-- 
+2.39.4
+

SPECS/python-tensorboard/python-tensorboard.spec

@@ -7,7 +7,7 @@ TensorBoard is a suite of web applications for inspecting and understanding your
 Summary:        TensorBoard is a suite of web applications for inspecting and understanding your TensorFlow runs and graphs
 Name:           python-%{pypi_name}
 Version:        2.16.2
-Release:        4%{?dist}
+Release:        5%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -17,6 +17,7 @@ Source0:        %{_distro_sources_url}/%{name}-%{version}.tar.gz#/%{name}-%{vers
 Patch0:         0000-Use-system-package.patch
 Patch1:         CVE-2024-43788.patch
 Patch2:         CVE-2024-43796.patch
+Patch3:         CVE-2024-45590.patch
 
 BuildRequires:  bazel
 BuildRequires:  build-essential
@@ -96,6 +97,9 @@ mv %{pypi_name}-*.whl pyproject-wheeldir/
 %{python3_sitelib}/tensorboard_data_server*
 
 %changelog
+* Thu Sep 26 09 2024 Rohit Rawat <rohitrawat@microsoft.com> - 2.16.2-5
+- Patch to fix CVE-2024-45590
+
 * Wed Sep 25 09 2024 Rohit Rawat <rohitrawat@microsoft.com> - 2.16.2-4
 - Patch to fix CVE-2024-43796