1berry/nodejs
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

child_process: fix incomplete prototype pollution hardening

Browse Source 
Prior pull request (#48726) hardened against prototype pollution
vulnerabilities but effectively missed some use-cases which
opened a window for prototype pollution for some child_process
functions such as spawn(), spawnSync(), and execFileSync().

PR-URL: https://github.com/nodejs/node/pull/53781
Reviewed-By: Vinícius Lourenço Claro Cardoso <contact@viniciusl.com.br>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
This commit is contained in:
Liran Tal 2024-07-22 00:27:04 +03:00 committed by GitHub
parent 1fb23f1897
commit 47b877993f
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 34 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
lib/child_process.js
View File

@ -568,6 +568,7 @@ function normalizeSpawnArguments(file, args, options) {
else
validateObject(options, 'options');
options = { __proto__: null, ...options };
let cwd = options.cwd;
// Validate the cwd, if present.

34
test/parallel/test-child-process-prototype-tampering.mjs
View File

@ -1,7 +1,7 @@
import * as common from '../common/index.mjs';
import * as fixtures from '../common/fixtures.mjs';
import { EOL } from 'node:os';
import { strictEqual } from 'node:assert';
import { strictEqual, notStrictEqual, throws } from 'node:assert';
import cp from 'node:child_process';
// TODO(LiviaMedeiros): test on different platforms
@ -57,3 +57,35 @@ for (const tamperedUID of [0, 1, 999, 1000, 0n, 'gwak']) {
delete Object.prototype.execPath;
}
for (const shellCommandArgument of ['-L && echo "tampered"']) {
Object.prototype.shell = true;
const cmd = 'pwd';
let cmdExitCode = '';
const program = cp.spawn(cmd, [shellCommandArgument], { cwd: expectedCWD });
program.stderr.on('data', common.mustCall());
program.stdout.on('data', common.mustNotCall());
program.on('exit', common.mustCall((code) => {
notStrictEqual(code, 0);
}));
cp.execFile(cmd, [shellCommandArgument], { cwd: expectedCWD },
common.mustCall((err) => {
notStrictEqual(err.code, 0);
})
);
throws(() => {
cp.execFileSync(cmd, [shellCommandArgument], { cwd: expectedCWD });
}, (e) => {
notStrictEqual(e.status, 0);
return true;
});
cmdExitCode = cp.spawnSync(cmd, [shellCommandArgument], { cwd: expectedCWD }).status;
notStrictEqual(cmdExitCode, 0);
delete Object.prototype.shell;
}