diff --git a/lib/analyze-action-post.js b/lib/analyze-action-post.js
index e15270502..66c01e2a4 100644
--- a/lib/analyze-action-post.js
+++ b/lib/analyze-action-post.js
@@ -27670,7 +27670,7 @@ var require_package = __commonJS({
 "js-yaml": "^4.1.1",
 jsonschema: "1.4.1",
 long: "^5.3.2",
- "node-forge": "^1.3.1",
+ "node-forge": "^1.3.2",
 semver: "^7.7.3",
 uuid: "^13.0.0"
 },
diff --git a/lib/analyze-action.js b/lib/analyze-action.js
index 703a47c7d..431c37513 100644
--- a/lib/analyze-action.js
+++ b/lib/analyze-action.js
@@ -27670,7 +27670,7 @@ var require_package = __commonJS({
 "js-yaml": "^4.1.1",
 jsonschema: "1.4.1",
 long: "^5.3.2",
- "node-forge": "^1.3.1",
+ "node-forge": "^1.3.2",
 semver: "^7.7.3",
 uuid: "^13.0.0"
 },
diff --git a/lib/autobuild-action.js b/lib/autobuild-action.js
index 51ead50de..ede7a9a6d 100644
--- a/lib/autobuild-action.js
+++ b/lib/autobuild-action.js
@@ -27670,7 +27670,7 @@ var require_package = __commonJS({
 "js-yaml": "^4.1.1",
 jsonschema: "1.4.1",
 long: "^5.3.2",
- "node-forge": "^1.3.1",
+ "node-forge": "^1.3.2",
 semver: "^7.7.3",
 uuid: "^13.0.0"
 },
diff --git a/lib/init-action-post.js b/lib/init-action-post.js
index b04b27ecf..5852bbba4 100644
--- a/lib/init-action-post.js
+++ b/lib/init-action-post.js
@@ -27670,7 +27670,7 @@ var require_package = __commonJS({
 "js-yaml": "^4.1.1",
 jsonschema: "1.4.1",
 long: "^5.3.2",
- "node-forge": "^1.3.1",
+ "node-forge": "^1.3.2",
 semver: "^7.7.3",
 uuid: "^13.0.0"
 },
diff --git a/lib/init-action.js b/lib/init-action.js
index c6ab60184..58a789deb 100644
--- a/lib/init-action.js
+++ b/lib/init-action.js
@@ -27670,7 +27670,7 @@ var require_package = __commonJS({
 "js-yaml": "^4.1.1",
 jsonschema: "1.4.1",
 long: "^5.3.2",
- "node-forge": "^1.3.1",
+ "node-forge": "^1.3.2",
 semver: "^7.7.3",
 uuid: "^13.0.0"
 },
diff --git a/lib/resolve-environment-action.js b/lib/resolve-environment-action.js
index 6cf6de54c..e346b6cb3 100644
--- a/lib/resolve-environment-action.js
+++ b/lib/resolve-environment-action.js
@@ -27670,7 +27670,7 @@ var require_package = __commonJS({
 "js-yaml": "^4.1.1",
 jsonschema: "1.4.1",
 long: "^5.3.2",
- "node-forge": "^1.3.1",
+ "node-forge": "^1.3.2",
 semver: "^7.7.3",
 uuid: "^13.0.0"
 },
diff --git a/lib/setup-codeql-action.js b/lib/setup-codeql-action.js
index 01b0ac9e3..dad178be4 100644
--- a/lib/setup-codeql-action.js
+++ b/lib/setup-codeql-action.js
@@ -27670,7 +27670,7 @@ var require_package = __commonJS({
 "js-yaml": "^4.1.1",
 jsonschema: "1.4.1",
 long: "^5.3.2",
- "node-forge": "^1.3.1",
+ "node-forge": "^1.3.2",
 semver: "^7.7.3",
 uuid: "^13.0.0"
 },
diff --git a/lib/start-proxy-action-post.js b/lib/start-proxy-action-post.js
index 64fbae0d0..fba9c177e 100644
--- a/lib/start-proxy-action-post.js
+++ b/lib/start-proxy-action-post.js
@@ -27670,7 +27670,7 @@ var require_package = __commonJS({
 "js-yaml": "^4.1.1",
 jsonschema: "1.4.1",
 long: "^5.3.2",
- "node-forge": "^1.3.1",
+ "node-forge": "^1.3.2",
 semver: "^7.7.3",
 uuid: "^13.0.0"
 },
diff --git a/lib/start-proxy-action.js b/lib/start-proxy-action.js
index b4834b1cf..b32d70b20 100644
--- a/lib/start-proxy-action.js
+++ b/lib/start-proxy-action.js
@@ -24935,7 +24935,7 @@ var require_util8 = __commonJS({
 parts.push("");
 }
 break;
- // FIXME: do proper formating for numbers, etc
+ // FIXME: do proper formatting for numbers, etc
 //case 'f':
 //case 'd':
 case "%":
@@ -26386,6 +26386,7 @@ var require_asn1 = __commonJS({
 GENERALIZEDTIME: 24,
 BMPSTRING: 30
 };
+ asn1.maxDepth = 256;
 asn1.create = function(tagClass, type2, constructed, value, options) {
 if (forge.util.isArray(value)) {
 var tmp = [];
@@ -26527,6 +26528,9 @@ var require_asn1 = __commonJS({
 if (!("decodeBitStrings" in options)) {
 options.decodeBitStrings = true;
 }
+ if (!("maxDepth" in options)) {
+ options.maxDepth = asn1.maxDepth;
+ }
 if (typeof bytes === "string") {
 bytes = forge.util.createBuffer(bytes);
 }
@@ -26541,6 +26545,9 @@ var require_asn1 = __commonJS({
 return value;
 };
 function _fromDer(bytes, remaining, depth, options) {
+ if (depth >= options.maxDepth) {
+ throw new Error("ASN.1 parsing error: Max depth exceeded.");
+ }
 var start;
 _checkBufferLength(bytes, remaining, 2);
 var b1 = bytes.getByte();
@@ -26716,6 +26723,9 @@ var require_asn1 = __commonJS({
 last = true;
 valueBytes = [];
 value = parseInt(values[i], 10);
+ if (value > 4294967295) {
+ throw new Error("OID value too large; max is 32-bits.");
+ }
 do {
 b = value & 127;
 value = value >>> 7;
@@ -26740,8 +26750,11 @@ var require_asn1 = __commonJS({
 oid = Math.floor(b / 40) + "." + b % 40;
 var value = 0;
 while (bytes.length() > 0) {
+ if (value > 70368744177663) {
+ throw new Error("OID value too large; max is 53-bits.");
+ }
 b = bytes.getByte();
- value = value << 7;
+ value = value * 128;
 if (b & 128) {
 value += b & 127;
 } else {
@@ -26902,19 +26915,40 @@ var require_asn1 = __commonJS({
 if (v.value && forge.util.isArray(v.value)) {
 var j = 0;
 for (var i = 0; rval && i < v.value.length; ++i) {
- rval = v.value[i].optional || false;
- if (obj.value[j]) {
- rval = asn1.validate(obj.value[j], v.value[i], capture, errors);
- if (rval) {
- ++j;
- } else if (v.value[i].optional) {
+ var schemaItem = v.value[i];
+ rval = !!schemaItem.optional;
+ var objChild = obj.value[j];
+ if (!objChild) {
+ if (!schemaItem.optional) {
+ rval = false;
+ if (errors) {
+ errors.push("[" + v.name + '] Missing required element. Expected tag class "' + schemaItem.tagClass + '", type "' + schemaItem.type + '"');
+ }
+ }
+ continue;
+ }
+ var schemaHasTag = typeof schemaItem.tagClass !== "undefined" && typeof schemaItem.type !== "undefined";
+ if (schemaHasTag && (objChild.tagClass !== schemaItem.tagClass || objChild.type !== schemaItem.type)) {
+ if (schemaItem.optional) {
 rval = true;
+ continue;
+ } else {
+ rval = false;
+ if (errors) {
+ errors.push("[" + v.name + "] Tag mismatch. Expected (" + schemaItem.tagClass + "," + schemaItem.type + "), got (" + objChild.tagClass + "," + objChild.type + ")");
+ }
+ break;
 }
 }
- if (!rval && errors) {
- errors.push(
- "[" + v.name + '] Tag class "' + v.tagClass + '", type "' + v.type + '" expected value length "' + v.value.length + '", got "' + obj.value.length + '"'
- );
+ var childRval = asn1.validate(objChild, schemaItem, capture, errors);
+ if (childRval) {
+ ++j;
+ rval = true;
+ } else if (schemaItem.optional) {
+ rval = true;
+ } else {
+ rval = false;
+ break;
 }
 }
 }
@@ -30955,7 +30989,7 @@ var require_rsa = __commonJS({
 constructed: false,
 capture: "algorithmIdentifier"
 }, {
- // NULL paramters
+ // NULL parameters
 name: "DigestInfo.DigestAlgorithm.parameters",
 tagClass: asn1.Class.UNIVERSAL,
 type: asn1.Type.NULL,
@@ -31468,7 +31502,7 @@ var require_rsa = __commonJS({
 if (oid === forge.oids.md2 || oid === forge.oids.md5) {
 if (!("parameters" in capture)) {
 throw new Error(
- "ASN.1 object does not contain a valid RSASSA-PKCS1-v1_5 DigestInfo value. Missing algorithm identifer NULL parameters."
+ "ASN.1 object does not contain a valid RSASSA-PKCS1-v1_5 DigestInfo value. Missing algorithm identifier NULL parameters."
 );
 }
 }
@@ -35665,6 +35699,8 @@ var require_pkcs12 = __commonJS({
 if (macValue.getBytes() !== capture.macDigest) {
 throw new Error("PKCS#12 MAC could not be verified. Invalid password?");
 }
+ } else if (Array.isArray(obj.value) && obj.value.length > 2) {
+ throw new Error("Invalid PKCS#12. macData field present but MAC was not validated.");
 }
 _decodeAuthenticatedSafe(pfx, data.value, strict, password);
 return pfx;
@@ -47328,7 +47364,7 @@ var require_package = __commonJS({
 "js-yaml": "^4.1.1",
 jsonschema: "1.4.1",
 long: "^5.3.2",
- "node-forge": "^1.3.1",
+ "node-forge": "^1.3.2",
 semver: "^7.7.3",
 uuid: "^13.0.0"
 },
diff --git a/lib/upload-lib.js b/lib/upload-lib.js
index 3be03091e..78848db80 100644
--- a/lib/upload-lib.js
+++ b/lib/upload-lib.js
@@ -28967,7 +28967,7 @@ var require_package = __commonJS({
 "js-yaml": "^4.1.1",
 jsonschema: "1.4.1",
 long: "^5.3.2",
- "node-forge": "^1.3.1",
+ "node-forge": "^1.3.2",
 semver: "^7.7.3",
 uuid: "^13.0.0"
 },
diff --git a/lib/upload-sarif-action-post.js b/lib/upload-sarif-action-post.js
index c4385bbf9..c389b8b0e 100644
--- a/lib/upload-sarif-action-post.js
+++ b/lib/upload-sarif-action-post.js
@@ -27670,7 +27670,7 @@ var require_package = __commonJS({
 "js-yaml": "^4.1.1",
 jsonschema: "1.4.1",
 long: "^5.3.2",
- "node-forge": "^1.3.1",
+ "node-forge": "^1.3.2",
 semver: "^7.7.3",
 uuid: "^13.0.0"
 },
diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js
index ef6bb9aaa..c3ea61b53 100644
--- a/lib/upload-sarif-action.js
+++ b/lib/upload-sarif-action.js
@@ -27670,7 +27670,7 @@ var require_package = __commonJS({
 "js-yaml": "^4.1.1",
 jsonschema: "1.4.1",
 long: "^5.3.2",
- "node-forge": "^1.3.1",
+ "node-forge": "^1.3.2",
 semver: "^7.7.3",
 uuid: "^13.0.0"
 },
diff --git a/package-lock.json b/package-lock.json
index 0b3ab5312..c24715d34 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -28,7 +28,7 @@
 "js-yaml": "^4.1.1",
 "jsonschema": "1.4.1",
 "long": "^5.3.2",
- "node-forge": "^1.3.1",
+ "node-forge": "^1.3.2",
 "semver": "^7.7.3",
 "uuid": "^13.0.0"
 },
@@ -47,7 +47,7 @@
 "@types/semver": "^7.7.1",
 "@types/sinon": "^21.0.0",
 "@typescript-eslint/eslint-plugin": "^8.48.0",
- "@typescript-eslint/parser": "^8.41.0",
+ "@typescript-eslint/parser": "^8.48.0",
 "ava": "^6.4.1",
 "esbuild": "^0.27.0",
 "eslint": "^8.57.1",
@@ -1798,6 +1798,7 @@
 "resolved": "https://registry.npmjs.org/@octokit/core/-/core-5.2.2.tgz",
 "integrity": "sha512-/g2d4sW9nUDJOMz3mabVQvOGhVa4e/BN/Um7yca9Bb2XTzPPnfTWHWQg+IsEYO7M3Vx+EXvaM/I2pJWIMun1bg==",
 "license": "MIT",
+ "peer": true,
 "dependencies": {
 "@octokit/auth-token": "^4.0.0",
 "@octokit/graphql": "^7.1.0",
@@ -2567,6 +2568,7 @@
 "integrity": "sha512-jCzKdm/QK0Kg4V4IK/oMlRZlY+QOcdjv89U2NgKHZk1CYTj82/RVSx1mV/0gqCVMJ/DA+Zf/S4NBWNF8GQ+eqQ==",
 "dev": true,
 "license": "MIT",
+ "peer": true,
 "dependencies": {
 "@typescript-eslint/scope-manager": "8.48.0",
 "@typescript-eslint/types": "8.48.0",
@@ -3161,6 +3163,7 @@
 "resolved": "https://registry.npmjs.org/acorn/-/acorn-8.15.0.tgz",
 "integrity": "sha512-NZyJarBfL7nWwIq+FDL6Zp/yHEhePMNnnJ0y3qfieCrmNvYct8uvtiV41UvlSe6apAfk0fY1FbWx+NwfmpvtTg==",
 "dev": true,
+ "peer": true,
 "bin": {
 "acorn": "bin/acorn"
 },
@@ -3736,6 +3739,7 @@
 }
 ],
 "license": "MIT",
+ "peer": true,
 "dependencies": {
 "caniuse-lite": "^1.0.30001669",
 "electron-to-chromium": "^1.5.41",
@@ -4589,6 +4593,7 @@
 "resolved": "https://registry.npmjs.org/eslint/-/eslint-8.57.1.tgz",
 "integrity": "sha512-ypowyDxpVSYpkXr9WPv2PAZCtNip1Mv5KTW0SCurXv/9iOpcrH9PaqUElksqEB6pChqHGDRCFTyrZlGhnLNGiA==",
 "dev": true,
+ "peer": true,
 "dependencies": {
 "@eslint-community/eslint-utils": "^4.2.0",
 "@eslint-community/regexpp": "^4.6.1",
@@ -4643,6 +4648,7 @@
 "version": "8.3.0",
 "dev": true,
 "license": "MIT",
+ "peer": true,
 "bin": {
 "eslint-config-prettier": "bin/cli.js"
 },
@@ -4914,6 +4920,7 @@
 "resolved": "https://registry.npmjs.org/eslint-plugin-import/-/eslint-plugin-import-2.29.1.tgz",
 "integrity": "sha512-BbPC0cuExzhiMo4Ff1BTVwHpjjv28C5R+btTOGaCRC7UEz801up0JadwkeSk5Ued6TG34uaczuVuH6qyy5YUxw==",
 "dev": true,
+ "peer": true,
 "dependencies": {
 "array-includes": "^3.1.7",
 "array.prototype.findlastindex": "^1.2.3",
@@ -6969,9 +6976,10 @@
 }
 },
 "node_modules/node-forge": {
- "version": "1.3.1",
- "resolved": "https://registry.npmjs.org/node-forge/-/node-forge-1.3.1.tgz",
- "integrity": "sha512-dPEtOeMvF9VMcYV/1Wb8CPoVAXtp6MKMlcbAt4ddqmGqUJ6fQZFXkNZNkNlfevtNkGtaSoXf/vNNNSvgrdXwtA==",
+ "version": "1.3.2",
+ "resolved": "https://registry.npmjs.org/node-forge/-/node-forge-1.3.2.tgz",
+ "integrity": "sha512-6xKiQ+cph9KImrRh0VsjH2d8/GXA4FIMlgU4B757iI1ApvcyA9VlouP0yZJha01V+huImO+kKMU7ih+2+E14fw==",
+ "license": "(BSD-3-Clause OR GPL-2.0)",
 "engines": {
 "node": ">= 6.13.0"
 }
@@ -7348,6 +7356,7 @@
 "integrity": "sha512-G+YdqtITVZmOJje6QkXQWzl3fSfMxFwm1tjTyo9exhkmWSqC4Yhd1+lug++IlR2mvRVAxEDDWYkQdeSztajqgg==",
 "dev": true,
 "license": "MIT",
+ "peer": true,
 "bin": {
 "prettier": "bin/prettier.cjs"
 },
@@ -8341,6 +8350,7 @@
 "integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==",
 "dev": true,
 "license": "MIT",
+ "peer": true,
 "engines": {
 "node": ">=12"
 },
@@ -8549,6 +8559,7 @@
 "integrity": "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==",
 "dev": true,
 "license": "Apache-2.0",
+ "peer": true,
 "bin": {
 "tsc": "bin/tsc",
 "tsserver": "bin/tsserver"
@@ -8622,6 +8633,7 @@
 "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.17.0.tgz",
 "integrity": "sha512-Drp39TXuUlD49F7ilHHCG7TTg8IkA+hxCuULdmzWYICxGXvDXmDmWEjJYZQYgf6l/TFfYNE167m7isnc3xlIEg==",
 "dev": true,
+ "peer": true,
 "dependencies": {
 "@typescript-eslint/scope-manager": "8.17.0",
 "@typescript-eslint/types": "8.17.0",
diff --git a/package.json b/package.json
index aa4fad58e..14f1e770e 100644
--- a/package.json
+++ b/package.json
@@ -43,7 +43,7 @@
 "js-yaml": "^4.1.1",
 "jsonschema": "1.4.1",
 "long": "^5.3.2",
- "node-forge": "^1.3.1",
+ "node-forge": "^1.3.2",
 "semver": "^7.7.3",
 "uuid": "^13.0.0"
 },