microsoft · jslobodzian · Apr 24, 2025 · Apr 23, 2025
@@ -0,0 +1,68 @@
+From 065334d1ee5b7210e1a0a93c37238c86858f2af7 Mon Sep 17 00:00:00 2001
+From: David Lord <davidism@gmail.com>
+Date: Wed, 5 Mar 2025 10:08:48 -0800
+Subject: [PATCH] attr filter uses env.getattr
+
+---
+ deps/v8/third_party/jinja2/filters.py  | 37 ++++++++++++++++---------------------
+ 3 files changed, 30 insertions(+), 21 deletions(-)
+
+diff --git a/deps/v8/third_party/jinja2/filters.py b/deps/v8/third_party/jinja2/filters.py
+index e5b5a00c5..2bcba4fbd 100644
+--- a/deps/v8/third_party/jinja2/filters.py
++++ b/deps/v8/third_party/jinja2/filters.py
+@@ -6,6 +6,7 @@
+ import typing
+ import typing as t
+ from collections import abc
++from inspect import getattr_static
+ from itertools import chain
+ from itertools import groupby
+
+@@ -1411,31 +1412,25 @@ def do_reverse(value: t.Union[str, t.Iterable[V]]) -> t.Union[str, t.Iterable[V]
+ def do_attr(
+     environment: "Environment", obj: t.Any, name: str
+ ) -> t.Union[Undefined, t.Any]:
+-    """Get an attribute of an object.  ``foo|attr("bar")`` works like
+-    ``foo.bar`` just that always an attribute is returned and items are not
+-    looked up.
++    """Get an attribute of an object. ``foo|attr("bar")`` works like
++    ``foo.bar``, but returns undefined instead of falling back to ``foo["bar"]``
++    if the attribute doesn't exist.
+
+     See :ref:`Notes on subscriptions <notes-on-subscriptions>` for more details.
+     """
++    # Environment.getattr will fall back to obj[name] if obj.name doesn't exist.
++    # But we want to call env.getattr to get behavior such as sandboxing.
++    # Determine if the attr exists first, so we know the fallback won't trigger.
+     try:
+-        name = str(name)
+-    except UnicodeError:
+-        pass
+-    else:
+-        try:
+-            value = getattr(obj, name)
+-        except AttributeError:
+-            pass
+-        else:
+-            if environment.sandboxed:
+-                environment = t.cast("SandboxedEnvironment", environment)
+-
+-                if not environment.is_safe_attribute(obj, name, value):
+-                    return environment.unsafe_undefined(obj, name)
+-
+-            return value
+-
+-    return environment.undefined(obj=obj, name=name)
++        # This avoids executing properties/descriptors, but misses __getattr__
++        # and __getattribute__ dynamic attrs.
++        getattr_static(obj, name)
++    except AttributeError:
++        # This finds dynamic attrs, and we know it's not a descriptor at this point.
++        if not hasattr(obj, name):
++            return environment.undefined(obj=obj, name=name)
++
++    return environment.getattr(obj, name)
+
+
+ @typing.overload
@@ -5,7 +5,7 @@ Name:           nodejs
 # WARNINGS: MUST check and update the 'npm_version' macro for every version update of this package.
 #           The version of NPM can be found inside the sources under 'deps/npm/package.json'.
 Version:        20.14.0
-Release:        6%{?dist}
+Release:        7%{?dist}
 License:        BSD AND MIT AND Public Domain AND NAIST-2003 AND Artistic-2.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -25,7 +25,7 @@ Patch6:         CVE-2024-22020.patch
 Patch7:         CVE-2024-22195.patch
 Patch8:         CVE-2020-28493.patch
 Patch9:         CVE-2024-34064.patch
-
+Patch10:        CVE-2025-27516.patch
 BuildRequires:  brotli-devel
 BuildRequires:  c-ares-devel
 BuildRequires:  coreutils >= 8.22
@@ -119,7 +119,7 @@ make cctest
 %files
 %defattr(-,root,root)
 %license LICENSE
-%doc CHANGELOG.md LICENSE README.md
+%doc CHANGELOG.md README.md
 %{_bindir}/node
 %dir %{_prefix}/lib/node_modules
 %{_mandir}/man*/*
@@ -137,6 +137,9 @@ make cctest
 %{_prefix}/lib/node_modules/*
 
 %changelog
+* Mon Mar 10 2025 Sandeep Karambelkar <skarambelkar@microsoft.com> - 20.14.0-7
+- Patch CVE-2025-27516
+
 * Wed Feb 12 2025 Kevin Lockwood <v-klockwood@microsoft.com> - 20.14.0-6
 - Patch CVE-2020-28493
 - Patch CVE-2024-34064