meteor-node-stubs 1.2.11 → 1.2.13

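--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -1,3 +1,11 @@
+ v1.2.12 - 2024-10-31
+
+ * Update `elliptic` to v6.6.0 to address a security vulnerability.
+
+ v1.2.11 - 2024-10-25
+
+ * Update `rimraf` to v5 to remove vulnerable `inflight` dependency.
+
  v1.2.8 - 2024-04-01
  * Add new dependency `@meteorjs/crypto-browserify` to replace `crypto-browserify` as it had unsafe dependencies.
 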
@@ -78,8 +78,27 @@ EC.prototype.genKeyPair = function genKeyPair(options) {
78
78
  }
79
79
  };
80
80
 
81
- EC.prototype._truncateToN = function _truncateToN(msg, truncOnly) {
82
- var delta = msg.byteLength() * 8 - this.n.bitLength();
81
+ EC.prototype._truncateToN = function _truncateToN(msg, truncOnly, bitLength) {
82
+ var byteLength;
83
+ if (BN.isBN(msg) || typeof msg === 'number') {
84
+ msg = new BN(msg, 16);
85
+ byteLength = msg.byteLength();
86
+ } else if (typeof msg === 'object') {
87
+ // BN assumes an array-like input and asserts length
88
+ byteLength = msg.length;
89
+ msg = new BN(msg, 16);
90
+ } else {
91
+ // BN converts the value to string
92
+ var str = msg.toString();
93
+ // HEX encoding
94
+ byteLength = (str.length + 1) >>> 1;
95
+ msg = new BN(str, 16);
96
+ }
97
+ // Allow overriding
98
+ if (typeof bitLength !== 'number') {
99
+ bitLength = byteLength * 8;
100
+ }
101
+ var delta = bitLength - this.n.bitLength();
83
102
  if (delta > 0)
84
103
  msg = msg.ushrn(delta);
85
104
  if (!truncOnly && msg.cmp(this.n) >= 0)
@@ -96,8 +115,18 @@ EC.prototype.sign = function sign(msg, key, enc, options) {
96
115
  if (!options)
97
116
  options = {};
98
117
 
118
+ if (typeof msg !== 'string' && typeof msg !== 'number' && !BN.isBN(msg)) {
119
+ assert(typeof msg === 'object' && msg && typeof msg.length === 'number',
120
+ 'Expected message to be an array-like, a hex string, or a BN instance');
121
+ assert((msg.length >>> 0) === msg.length); // non-negative 32-bit integer
122
+ for (var i = 0; i < msg.length; i++) assert((msg[i] & 255) === msg[i]);
123
+ }
124
+
99
125
  key = this.keyFromPrivate(key, enc);
100
- msg = this._truncateToN(new BN(msg, 16));
126
+ msg = this._truncateToN(msg, false, options.msgBitLength);
127
+
128
+ // Would fail further checks, but let's make the error message clear
129
+ assert(!msg.isNeg(), 'Can not sign a negative message');
101
130
 
102
131
  // Zero-extend key to provide enough entropy
103
132
  var bytes = this.n.byteLength();
@@ -106,6 +135,9 @@ EC.prototype.sign = function sign(msg, key, enc, options) {
106
135
  // Zero-extend nonce to have the same byte size as N
107
136
  var nonce = msg.toArray('be', bytes);
108
137
 
138
+ // Recheck nonce to be bijective to msg
139
+ assert((new BN(nonce)).eq(msg), 'Can not sign message');
140
+
109
141
  // Instantiate Hmac_DRBG
110
142
  var drbg = new HmacDRBG({
111
143
  hash: this.hash,
@@ -153,8 +185,11 @@ EC.prototype.sign = function sign(msg, key, enc, options) {
153
185
  }
154
186
  };
155
187
 
156
- EC.prototype.verify = function verify(msg, signature, key, enc) {
157
- msg = this._truncateToN(new BN(msg, 16));
188
+ EC.prototype.verify = function verify(msg, signature, key, enc, options) {
189
+ if (!options)
190
+ options = {};
191
+
192
+ msg = this._truncateToN(msg, false, options.msgBitLength);
158
193
  key = this.keyFromPublic(key, enc);
159
194
  signature = new Signature(signature, 'hex');
160
195
 
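Review bot: `EC.prototype.verify` hands `msg` to `_truncateToN` without the array-like check this commit adds to `sign` (`typeof msg.length === 'number'` and `(msg[i] & 255) === msg[i]`), so signing and verification no longer accept the same inputs. In `verify`, a `null` message reaches the `typeof msg === 'object'` branch and fails on `msg.length` with a TypeError instead of the assertion text, and elements outside 0–255 are left to `new BN(msg, 16)`, whose handling is not visible here. Running the same check at the top of `_truncateToN`, or from both callers, would keep the two paths consistent; the bodies of `sign` and `verify` continue outside these hunks. A comment on `_truncateToN` should also say that BN and number inputs take their size from `msg.byteLength()`, e.g. `// BN/number carry no leading zero bytes: pass options.msgBitLength for fixed-size digests`.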
@@ -111,8 +111,8 @@ KeyPair.prototype.sign = function sign(msg, enc, options) {
111
111
  return this.ec.sign(msg, this, enc, options);
112
112
  };
113
113
 
114
- KeyPair.prototype.verify = function verify(msg, signature) {
115
- return this.ec.verify(msg, signature, this);
114
+ KeyPair.prototype.verify = function verify(msg, signature, options) {
115
+ return this.ec.verify(msg, signature, this, undefined, options);
116
116
  };
117
117
 
118
118
  KeyPair.prototype.inspect = function inspect() {
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "elliptic",
3
- "version": "6.5.7",
3
+ "version": "6.6.1",
4
4
  "description": "EC cryptography",
5
5
  "main": "lib/elliptic.js",
6
6
  "files": [
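--- a/package/package.json
+++ b/package/package.json
@@ -2,7 +2,7 @@
  "name": "meteor-node-stubs",
  "author": "Ben Newman <ben@meteor.com>",
  "description": "Stub implementations of Node built-in modules, a la Browserify",
- "version": "1.2.11",
+ "version": "1.2.13",
  "main": "index.js",
  "license": "MIT",
  "homepage": "https://github.com/meteor/meteor/blob/devel/npm-packages/meteor-node-stubs/README.md",
@@ -18,7 +18,7 @@
  "console-browserify": "^1.2.0",
  "constants-browserify": "^1.0.0",
  "domain-browser": "^4.23.0",
- "elliptic": "^6.5.7",
+ "elliptic": "^6.6.1",
  "events": "^3.3.0",
  "https-browserify": "^1.0.0",
  "os-browserify": "^0.3.0",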