rictorres / node-rpm-builder Goto Github PK

It will print debug info to the console.

{
  verbose: true || false
}

Including support for globs.

Add some examples to make it more easy to use.

RPM Builder is using [email protected] which includes minimatch which shipped with a
ReDoS Security issue, updating to latest should fix this.

There are breaking changes in newer globby versions according to bithound so will require testing

There should be an option to not follow symlinks (and preserve the link) when copying files to BUILDROOT.

According to Node.js / io.js fs.existsSync() will be deprecated.

Hi, I was getting this to work, and I ran into this glitch. I'd run my little rpmbuilder.js program and after maybe a minute i'd get this:

Error: stderr maxBuffer exceeded

this came from child-process. At first I tried passing in an option:

  execOpts: {maxBuffer: 1e6},

but that wasn't even big enough. Finally I commended out this line in index.js:

var cmd = [
  'rpmbuild',
  '-bb',
  //'-vv',          <<<====****
  '--buildroot',
  buildRoot,
  specFile
].join(' ');

The -vv was generating gobs and gobs of output into stderr. Since it seems to be dropped anyway, you probably don't need it.

BUT, after that the program wouldn't quit. Generated the rpm file, i just have to ^C. could be my problem, but just fyi.

Latest repository version contains support for RPM Provides parameter. Latest published version on npm registry is, however, 0.6.1 - according to https://www.npmjs.com/package/rpm-builder

On master branch the version in package.json has a SNAPSHOT postfix;
Can be the new version released and published on npm repository please ?

Hi! I've the next problem: I want to build i386 packages in a x86_64 machine. After some tests, the only good solution that I've found is to prepend setarch i386 to the command, so the command:

rpmbuild -bb -vv --buildroot ... behaves setarch i386 rpmbuild -bb -vv --buildroot...

Can you add some new option to your library that lets prepend "something" to the command? Or if you have a better solution it will be great.

Thanks for your library!!

group, owner, chmod, etc

#15

Really. Otherwise we cannot use your lib here due to failing RPM installation on any other Linux machine.

I'm trying to build a node application rpm using your npm package. I've filled out all the options concerning arch with x86_64 as that's the platform I'm currently running. I get the following error when I run the npm start.

[root@unknown0800277ccd0f node-app]# uname -m
x86_64

[root@unknown0800277ccd0f node-app]# npm start

> [email protected] start /root/node-app
> node index.js

Creating RPM directory structure at: /root/node-app/tmp-2zFExTn9V
SPEC file created: tmp-2zFExTn9V/SPECS/node-app-0.0.1-1.x86-64.spec
Executing: rpmbuild -bb -vv --buildroot /root/node-app/tmp-2zFExTn9V/BUILDROOT/ tmp-2zFExTn9V/SPECS/node-app-0.0.1-1.x86-64.spec
/root/node-app/index.js:40
    throw err;
    ^

Error: Command failed: rpmbuild -bb -vv --buildroot /root/node-app/tmp-2zFExTn9V/BUILDROOT/ tmp-2zFExTn9V/SPECS/node-app-0.0.1-1.x86-64.spec
error: No compatible architectures found for build

OS I'm build on.

platform:linux
distro:CentOS Linux
release:7
codename:Core
kernel:3.10.0-957.12.2.el7.x86_64
arch:x64
hostname:unknown0800277ccd0f.attlocal.net
codepage:UTF-8
logofile:centos
serial:f5438d6c4f924545873e64ebe3d743a4
build:N/A
servicepack:N/A

Also, I noticed that the keepTemp option has no logic. Whether I set it or not, it still keeps the temp directory. Not sure if that's happening because the builds are failing before it can complete.

For the config:

const rpmOptions = {
  name: packageName,
  version: gitVersion.GitVersion,
  release: 1,
  buildArch: 'noarch',
  keepTemp: false,
  files: [{ cwd: './dist', src: '*', dest: `/opt/${packageName}/` }],
  excludeFiles: ['./dist/static/js/*.js.map']
};

My expected output would be that all files inside the ./dist directory and subdirectories should be checked against the exclude paths.

What actually happens is that the check stops at the level of the first subdirectory, i.e. the paths checked includes ./dist/static, and since that path is not itself in the excludeFiles the entire static subdirectory is included without checking any of the files within that directory against the excludeFiles list. i.e. all the *.js.map files inside the static/js subdirectory end up being added to the rpm instead of being excluded because those file paths never get tested against the excludeFiles list.

Tested on rpm_builder v1.1.0

Hi is there a way to block config file replacement on update using
%config(noreplace)
as exposed here https://www.cl.cam.ac.uk/~jw35/docs/rpm_config.html
?

This issue has been generated on-behalf of Mik317 (https://huntr.dev/app/users/Mik317)

Vulnerability Description

Affected versions execute arbitrary commands remotely inside the victim's PC. The issue occurs because user input is formatted inside a command that will be executed without any checks. The cmd list is stringed and executed inside the exec function without checking the buildRoot and specFile variables, which are controlled by the user, leading to RCE.

The issue arises here:

https://github.com/rictorres/node-rpm-builder/blob/master/index.js#L119

Bug Bounty

We have opened up a bounty for this issue on our bug bounty platform. Want to solve this vulnerability and get rewarded 💰? Go to https://huntr.dev/

...when defining files.