From ca3548827387bddc492dd53717de9e8b3ca1efaf Mon Sep 17 00:00:00 2001
From: muxator
Date: Sun, 22 Mar 2020 00:33:22 +0100
Subject: [PATCH] minify: upgrade clean-css 3.4.19 -> 4.2.3. Adapt to the semver major change CleanCSS 3.4.19 had a Regex Denial of Service vulnerability and has to be updated. The major version bump requires the following changes: 1. Disabling rebase is necessary because otherwise the URLs for the web fonts become wrong; EXAMPLE 1: /static/css/src/static/font/fontawesome-etherpad.woff instead of /static/font/fontawesome-etherpad.woff EXAMPLE 2 (this is more surprising): /p/src/static/font/opendyslexic.otf instead of /static/font/opendyslexic.otf 2. CleanCSS.minify() can either receive a string containing the CSS, or an array of strings. In that case each array element is interpreted as an absolute local path from which the CSS file is read. In version 4.x, CleanCSS API was simplified, eliminating the relativeTo parameter, and thus we cannot use our already loaded "content" argument, but we have to wrap the absolute path to the CSS in an array and ask the library to read it by itself. Fixes #3616.
---
 src/node/utils/Minify.js | 33 +++++++++++++++++++++++++----
 src/package-lock.json | 45 +++++++--------------------------------
 src/package.json | 2 +-
 3 files changed, 38 insertions(+), 42 deletions(-)
diff --git a/src/node/utils/Minify.js b/src/node/utils/Minify.js
index 034a225a3..a6187331d 100644
--- a/src/node/utils/Minify.js
+++ b/src/node/utils/Minify.js
@@ -414,11 +414,36 @@ function compressJS(content)
 function compressCSS(filename, content, callback)
 {
 try {
- var base = path.join(ROOT_DIR, path.dirname(filename));
- new CleanCSS({relativeTo: base}).minify(content, function (errors, minified) {
+ const absPath = path.join(ROOT_DIR, filename);
+
+ /*
+ * Changes done to migrate CleanCSS 3.x -> 4.x:
+ *
+ * 1. Disabling rebase is necessary because otherwise the URLs for the web
+ * fonts become wrong.
+ *
+ * EXAMPLE 1:
+ * /static/css/src/static/font/fontawesome-etherpad.woff
+ * instead of
+ * /static/font/fontawesome-etherpad.woff
+ * EXAMPLE 2 (this is more surprising):
+ * /p/src/static/font/opendyslexic.otf
+ * instead of
+ * /static/font/opendyslexic.otf
+ *
+ * 2. CleanCSS.minify() can either receive a string containing the CSS, or
+ * an array of strings. In that case each array element is interpreted as
+ * an absolute local path from which the CSS file is read.
+ *
+ * In version 4.x, CleanCSS API was simplified, eliminating the
+ * relativeTo parameter, and thus we cannot use our already loaded
+ * "content" argument, but we have to wrap the absolute path to the CSS
+ * in an array and ask the library to read it by itself.
+ */
+ new CleanCSS({rebase: false}).minify([absPath], function (errors, minified) {
 if (errors) {
 // on error, just yield the un-minified original, but write a log message
- console.error(`CleanCSS.minify() returned an error on $(unknown) (base CSS path: ${base}): ${errors}`);
+ console.error(`CleanCSS.minify() returned an error on $(unknown) (${absPath}): ${errors}`);
 callback(null, content);
 } else {
 callback(null, minified.styles);
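Review bot: `absPath` is declared with `const` inside the `try` block, so the rewritten `console.error` in the `catch` block of the next hunk (`${absPath}`) refers to a binding that is out of scope there, whereas the old `var base` was function-scoped and reachable from `catch`. If `path.join` or `CleanCSS.minify()` throws synchronously, the handler itself throws a ReferenceError, the original error is lost and `callback(null, content)` is never reached. Hoisting the declaration, `const absPath = path.join(ROOT_DIR, filename);` placed before `try {`, restores the un-minified fallback. Both rewritten log lines also keep the literal `$(unknown)` (a `$(` where `${` was presumably meant), which carries no information now that the path is logged; `CleanCSS.minify() returned an error on ${absPath}: ${errors}` reads cleaner. Since minification now reads the file at `absPath` instead of the already-loaded `content`, the two can diverge, and the caller is relied on to pass a `filename` that is already validated and confined under `ROOT_DIR` — that check lies outside this hunk.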
@@ -426,7 +451,7 @@ function compressCSS(filename, content, callback)
 });
 } catch (error) {
 // on error, just yield the un-minified original, but write a log message
- console.error(`Unexpected error minifying $(unknown) (base CSS path: ${base}): ${error}`);
+ console.error(`Unexpected error minifying $(unknown) (${absPath}): ${error}`);
 callback(null, content);
 }
 }
diff --git a/src/package-lock.json b/src/package-lock.json
index 1d1e58840..75609fc5d 100644
--- a/src/package-lock.json
+++ b/src/package-lock.json
@@ -236,11 +236,6 @@
 "repeat-string": "^1.5.2"
 }
 },
- "amdefine": {
- "version": "1.0.1",
- "resolved": "https://registry.npmjs.org/amdefine/-/amdefine-1.0.1.tgz",
- "integrity": "sha1-SlKCrBZHKek2Gbz9OtFR+BfOkfU="
- },
 "ansi-regex": {
 "version": "2.1.1",
 "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-2.1.1.tgz",
@@ -712,22 +707,11 @@
 }
 },
 "clean-css": {
- "version": "3.4.19",
- "resolved": "https://registry.npmjs.org/clean-css/-/clean-css-3.4.19.tgz",
- "integrity": "sha1-wyqKE8o7gkYJsUMGpdp22Hk8eHQ=",
+ "version": "4.2.3",
+ "resolved": "https://registry.npmjs.org/clean-css/-/clean-css-4.2.3.tgz",
+ "integrity": "sha512-VcMWDN54ZN/DS+g58HYL5/n4Zrqe8vHJpGA8KdgUXFU4fuP/aHNw8eld9SyEIyabIMJX/0RaY/fplOo5hYLSFA==",
 "requires": {
- "commander": "2.8.x",
- "source-map": "0.4.x"
- },
- "dependencies": {
- "source-map": {
- "version": "0.4.4",
- "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.4.4.tgz",
- "integrity": "sha1-66T12pwNyZneaAMti092FzZSA2s=",
- "requires": {
- "amdefine": ">=0.0.4"
- }
- }
+ "source-map": "~0.6.0"
 }
 },
 "cliui": {
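Review bot: The rewritten log line interpolates the caught exception as `${error}`, which stringifies to `name: message` and drops the stack trace that would show where inside `CleanCSS.minify()` the failure happened. Passing the error object as a separate argument, in the shape `console.error(message, error)`, lets Node print the stack alongside the message. compressCSS begins in the previous hunk; this hunk holds only its `catch` block and closing braces.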
@@ -789,12 +773,10 @@
 }
 },
 "commander": {
- "version": "2.8.1",
- "resolved": "https://registry.npmjs.org/commander/-/commander-2.8.1.tgz",
- "integrity": "sha1-Br42f+v9oMMwqh4qBy09yXYkJdQ=",
- "requires": {
- "graceful-readlink": ">= 1.0.0"
- }
+ "version": "2.15.1",
+ "resolved": "https://registry.npmjs.org/commander/-/commander-2.15.1.tgz",
+ "integrity": "sha512-VlfT9F3V0v+jr4yxPc5gg9s62/fIVWsd2Bk2iD435um1NlGMYdVCq+MjcXnhYq2icNOizHr1kK+5TI6H0Hy0ag==",
+ "dev": true
 },
 "commondir": {
 "version": "1.0.1",
@@ -1614,11 +1596,6 @@
 "resolved": "https://registry.npmjs.org/graceful-fs/-/graceful-fs-4.2.2.tgz",
 "integrity": "sha512-IItsdsea19BoLC7ELy13q1iJFNmd7ofZH5+X/pJr90/nRoPEX0DJo1dHDbgtYWOhJhcCgMDTOw84RZ72q6lB+Q=="
 },
- "graceful-readlink": {
- "version": "1.0.1",
- "resolved": "https://registry.npmjs.org/graceful-readlink/-/graceful-readlink-1.0.1.tgz",
- "integrity": "sha1-TK+tdrxi8C+gObL5Tpo906ORpyU="
- },
 "growl": {
 "version": "1.10.5",
 "resolved": "https://registry.npmjs.org/growl/-/growl-1.10.5.tgz",
@@ -2388,12 +2365,6 @@ "supports-color": "5.4.0" } },
 "dependencies": {
- "commander": {
- "version": "2.15.1",
- "resolved": "https://registry.npmjs.org/commander/-/commander-2.15.1.tgz",
- "integrity": "sha512-VlfT9F3V0v+jr4yxPc5gg9s62/fIVWsd2Bk2iD435um1NlGMYdVCq+MjcXnhYq2icNOizHr1kK+5TI6H0Hy0ag==",
- "dev": true
- },
 "debug": {
 "version": "3.1.0",
 "resolved": "https://registry.npmjs.org/debug/-/debug-3.1.0.tgz",
diff --git a/src/package.json b/src/package.json
index 926de995e..7f13cf873 100644
--- a/src/package.json
+++ b/src/package.json
@@ -34,7 +34,7 @@
 "async-stacktrace": "0.0.2",
 "channels": "0.0.4",
 "cheerio": "0.20.0",
- "clean-css": "3.4.19",
+ "clean-css": "4.2.3",
 "cookie-parser": "1.4.4",
 "ejs": "2.6.1",
 "etherpad-require-kernel": "1.0.9",