File CVE-2023-30581.patch of Package nodejs14.30230
commit a6f4e87bc913ff18c1859b8a350c24f744355e66
Author: RafaelGSS <rafael.nunu@hotmail.com>
Date: Mon May 29 16:40:15 2023 -0300
policy: handle mainModule.__proto__ bypass
Backport-PR-URL: https://github.com/nodejs-private/node-private/pull/418
PR-URL: https://github.com/nodejs-private/node-private/pull/416
Fixes: https://hackerone.com/bugs?subject=nodejs&report_id=1877919
Reviewed-By: Rich Trott <rtrott@gmail.com>
CVE-ID: CVE-2023-30581
diff --git a/lib/internal/modules/cjs/loader.js b/lib/internal/modules/cjs/loader.js
index 93681ea243..97bb6e5b13 100644
--- a/lib/internal/modules/cjs/loader.js
+++ b/lib/internal/modules/cjs/loader.js
@@ -226,6 +226,8 @@ function Module(id = '', parent) {
 redirects = policy.manifest.getDependencyMapper(moduleURL);
 // TODO(rafaelgss): remove the necessity of this branch
 setOwnProperty(this, 'require', makeRequireFunction(this, redirects));
+ // eslint-disable-next-line no-proto
+ setOwnProperty(this.__proto__, 'require', makeRequireFunction(this, redirects));
 }
 this[require_private_symbol] = internalRequire;
 }
@@ -892,7 +894,7 @@ Module._load = function(request, parent, isMain) {
 const module = cachedModule || new Module(filename, parent);
 if (isMain) {
- process.mainModule = module;
+ setOwnProperty(process, 'mainModule', module);
 setOwnProperty(module.require, 'main', process.mainModule);
 module.id = '.';
 }
diff --git a/test/fixtures/policy-manifest/main-module-proto-bypass.js b/test/fixtures/policy-manifest/main-module-proto-bypass.js
new file mode 100644
index 0000000000..6111aae140
--- /dev/null
+++ b/test/fixtures/policy-manifest/main-module-proto-bypass.js
@@ -0,0 +1 @@
+process.mainModule.__proto__.require("os")
diff --git a/test/parallel/test-policy-manifest.js b/test/parallel/test-policy-manifest.js
index f8bebdf4cf..5dfadb3631 100644
--- a/test/parallel/test-policy-manifest.js
+++ b/test/parallel/test-policy-manifest.js
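Review bot: The added `setOwnProperty(this.__proto__, 'require', ...)` in the first loader.js hunk writes to the prototype shared by every Module instance, so each construction replaces it and the prototype-level `require` ends up bound to whichever module was built last, with that module's `redirects` rather than the caller's. That routes the prototype path through the policy, but the dependency map applied there is not necessarily the calling module's, which deserves a comment next to the existing TODO, for example `// Module.prototype is shared: this policy-bound require is overwritten per instance (last constructed wins)`. The two `makeRequireFunction(this, redirects)` calls could also share one result, `const policyRequire = makeRequireFunction(this, redirects);`, passed to both `setOwnProperty` calls, assuming nothing relies on the two functions being distinct. The enclosing branch and the rest of `Module` start outside the hunk, so the policy condition guarding these lines is inferred.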
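Review bot: The switch from `process.mainModule = module` to `setOwnProperty(process, 'mainModule', module)` in the `Module._load` hunk carries no comment saying why a plain assignment is unsafe here, so a later cleanup could revert it. `setOwnProperty` is defined outside the hunk; it presumably defines an own property instead of assigning through the prototype chain, and a line such as `// Own-property define: a plain assignment could be intercepted via the prototype chain` would record that. The following context line still reads `process.mainModule` back; passing the local directly, `setOwnProperty(module.require, 'main', module);`, would remove that dependency on the lookup. `Module._load` continues outside the hunk.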
@@ -66,3 +66,18 @@ const fixtures = require('../common/fixtures.js');
 assert.strictEqual(result.status, 0);
 }
+
+{
+ const policyFilepath = fixtures.path('policy-manifest', 'onerror-exit.json');
+ const mainModuleBypass = fixtures.path('policy-manifest', 'main-module-proto-bypass.js');
+ const result = spawnSync(process.execPath, [
+ '--experimental-policy',
+ policyFilepath,
+ mainModuleBypass,
+ ]);
+
+ assert.notStrictEqual(result.status, 0);
+ const stderr = result.stderr.toString();
+ assert.match(stderr, /ERR_MANIFEST_DEPENDENCY_MISSING/);
+ assert.match(stderr, /does not list os as a dependency specifier for conditions: require, node, node-addons/);
+}
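Review bot: The second `assert.match` pins the full condition list (`require, node, node-addons`) of the error message, so this regression test would fail on an unrelated change to the default conditions rather than on a policy regression. Matching the error code plus the specifier is enough: `assert.match(stderr, /does not list os as a dependency specifier/);`. The case also exercises only the main module's prototype; a second fixture that goes through `__proto__.require` from a dependent module loaded under the same manifest would confirm the check holds there as well. `spawnSync` and `assert` are declared outside the hunk.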