OSSForks/node
1
0
Fork 0
mirror of https://github.com/zebrajr/node.git synced 2026-01-15 12:15:26 +00:00
Code Issues Actions 8 Packages Projects Releases Wiki Activity

policy: handle mainModule.__proto__ bypass

Browse Source 
PR-URL: https://github.com/nodejs-private/node-private/pull/416
Fixes: https://hackerone.com/bugs?subject=nodejs&report_id=1877919
Reviewed-By: Rich Trott <rtrott@gmail.com>
CVE-ID: CVE-2023-30581
This commit is contained in:
RafaelGSS
2023-05-29 16:40:15 -03:00
parent a4afe82373
commit daaa43ed96
4 changed files with 23 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
lib/internal/modules/cjs/loader.js
View File

@@ -231,6 +231,8 @@ function Module(id = '', parent) {
redirects = manifest.getDependencyMapper(moduleURL);
// TODO(rafaelgss): remove the necessity of this branch
setOwnProperty(this, 'require', makeRequireFunction(this, redirects));
// eslint-disable-next-line no-proto
setOwnProperty(this.__proto__, 'require', makeRequireFunction(this, redirects));
}
this[require_private_symbol] = internalRequire;
}
@@ -943,7 +945,7 @@ Module._load = function(request, parent, isMain) {
const module = cachedModule || new Module(filename, parent);
if (isMain) {
process.mainModule = module;
setOwnProperty(process, 'mainModule', module);
setOwnProperty(module.require, 'main', process.mainModule);
module.id = '.';
}

8
test/fixtures/errors/force_colors.snapshot vendored
View File

@@ -4,10 +4,10 @@ throw new Error('Should include grayed stack trace')
Error: Should include grayed stack trace
at Object.<anonymous> (/test*force_colors.js:1:7)
 at Module._compile (node:internal*modules*cjs*loader:1255:14)
 at Module._extensions..js (node:internal*modules*cjs*loader:1309:10)
 at Module.load (node:internal*modules*cjs*loader:1113:32)
 at Module._load (node:internal*modules*cjs*loader:960:12)
 at Module._compile (node:internal*modules*cjs*loader:1257:14)
 at Module._extensions..js (node:internal*modules*cjs*loader:1311:10)
 at Module.load (node:internal*modules*cjs*loader:1115:32)
 at Module._load (node:internal*modules*cjs*loader:962:12)
 at Function.executeUserEntryPoint [as runMain] (node:internal*modules*run_main:83:12)
 at node:internal*main*run_main_module:23:47

1
test/fixtures/policy-manifest/main-module-proto-bypass.js vendored Normal file
View File

@@ -0,0 +1 @@
process.mainModule.__proto__.require("os")

15
test/parallel/test-policy-manifest.js
View File

@@ -66,3 +66,18 @@ const fixtures = require('../common/fixtures.js');
assert.strictEqual(result.status, 0);
}
{
const policyFilepath = fixtures.path('policy-manifest', 'onerror-exit.json');
const mainModuleBypass = fixtures.path('policy-manifest', 'main-module-proto-bypass.js');
const result = spawnSync(process.execPath, [
'--experimental-policy',
policyFilepath,
mainModuleBypass,
]);
assert.notStrictEqual(result.status, 0);
const stderr = result.stderr.toString();
assert.match(stderr, /ERR_MANIFEST_DEPENDENCY_MISSING/);
assert.match(stderr, /does not list os as a dependency specifier for conditions: require, node, node-addons/);
}