File CVE-2023-39333-node-create_dynamic_module-code-... of Package nodejs-electron

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2023-39333-node-create_dynamic_module-code-injection.patch of Package nodejs-electron (Revision ce48a445379d87d6a32ac83e2be2dbc5)

Currently displaying revision ce48a445379d87d6a32ac83e2be2dbc5 , Show latest

From eaf9083cf1e43bd897ac8244dcc0f4e3500150ca Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tobias=20Nie=C3=9Fen?= <tniessen@tnie.de>
Date: Sun, 6 Aug 2023 10:41:33 +0000
Subject: [PATCH] module: fix code injection through export names

createDynamicModule() properly escapes import names, but not export
names. In WebAssembly, any string is a valid export name. Importing a
WebAssembly module that uses a non-identifier export name leads to
either a syntax error in createDynamicModule() or to code injection,
that is, to the evaluation of almost arbitrary JavaScript code outside
of the WebAssembly module.

To address this issue, adopt the same mechanism in createExport() that
createImport() already uses. Add tests for both exports and imports.

PR-URL: https://github.com/nodejs-private/node-private/pull/461
Backport-PR-URL: https://github.com/nodejs-private/node-private/pull/490
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
CVE-ID: CVE-2023-39333
---
 .../modules/esm/create_dynamic_module.js      |  14 ++---
 test/es-module/test-esm-wasm.mjs              |  50 ++++++++++++++++++
 .../export-name-code-injection.wasm           | Bin 0 -> 98 bytes
 .../es-modules/export-name-code-injection.wat |   8 +++
 .../es-modules/export-name-syntax-error.wasm  | Bin 0 -> 37 bytes
 .../es-modules/export-name-syntax-error.wat   |   6 +++
 test/fixtures/es-modules/import-name.wasm     | Bin 0 -> 237 bytes
 test/fixtures/es-modules/import-name.wat      |  10 ++++
 8 files changed, 81 insertions(+), 7 deletions(-)
 create mode 100644 test/fixtures/es-modules/export-name-code-injection.wasm
 create mode 100644 test/fixtures/es-modules/export-name-code-injection.wat
 create mode 100644 test/fixtures/es-modules/export-name-syntax-error.wasm
 create mode 100644 test/fixtures/es-modules/export-name-syntax-error.wat
 create mode 100644 test/fixtures/es-modules/import-name.wasm
 create mode 100644 test/fixtures/es-modules/import-name.wat

diff --git a/lib/internal/modules/esm/create_dynamic_module.js b/lib/internal/modules/esm/create_dynamic_module.js
index f7c20083b6c91..c99da19d5c827 100644
--- a/third_party/electron_node/lib/internal/modules/esm/create_dynamic_module.js
+++ b/third_party/electron_node/lib/internal/modules/esm/create_dynamic_module.js
@@ -18,13 +18,13 @@ function createImport(impt, index) {
 import.meta.imports[${imptPath}] = $import_${index};`;
 }
 
-function createExport(expt) {
-  const name = `${expt}`;
-  return `let $${name};
-export { $${name} as ${name} };
-import.meta.exports.${name} = {
-  get: () => $${name},
-  set: (v) => $${name} = v,
+function createExport(expt, index) {
+  const nameStringLit = JSONStringify(expt);
+  return `let $export_${index};
+export { $export_${index} as ${nameStringLit} };
+import.meta.exports[${nameStringLit}] = {
+  get: () => $export_${index},
+  set: (v) => $export_${index} = v,
 };`;
 }

Places

File CVE-2023-39333-node-create_dynamic_module-code-injection.patch of Package nodejs-electron (Revision ce48a445379d87d6a32ac83e2be2dbc5)

Places