File CVE-2023-32559.patch of Package nodejs14.33370
commit 242aaa0caaf0c15109067b598d58fdeae603c5fd Author: Tobias Nießen <tobias.niessen@tuwien.ac.at> Date: Sun Apr 16 22:26:47 2023 +0200 policy: disable process.binding() when enabled process.binding() can be used to trivially bypass restrictions imposed through a policy. Since the function is deprecated already, simply replace it with a stub when a policy is being enabled. Fixes: https://hackerone.com/bugs?report_id=1946470 Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> CVE-ID: CVE-2023-32559 PR-URL: https://github.com/nodejs-private/node-private/pull/459 Index: node-v14.21.3/doc/api/deprecations.md =================================================================== --- node-v14.21.3.orig/doc/api/deprecations.md +++ node-v14.21.3/doc/api/deprecations.md @@ -2072,6 +2072,9 @@ Type: Documentation-only (supports [`--p `process.binding()` is for use by Node.js internal code only. +While `process.binding()` has not reached End-of-Life status in general, it is +unavailable when [policies][] are enabled. + ### DEP0112: `dgram` private APIs <!-- YAML changes: @@ -2794,4 +2797,5 @@ an explicit [`"exports"` or `"main"` ent [from_arraybuffer]: buffer.md#buffer_static_method_buffer_from_arraybuffer_byteoffset_length [from_string_encoding]: buffer.md#buffer_static_method_buffer_from_string_encoding [legacy `urlObject`]: url.md#url_legacy_urlobject +[policies]: permissions.md#policies [static methods of `crypto.Certificate()`]: crypto.md#crypto_class_certificate Index: node-v14.21.3/doc/api/errors.md =================================================================== --- node-v14.21.3.orig/doc/api/errors.md +++ node-v14.21.3/doc/api/errors.md 
@@ -624,6 +624,14 @@ APIs _not_ using `AbortSignal`s typicall This code does not use the regular `ERR_*` convention Node.js errors use in order to be compatible with the web platform's `AbortError`. +<a id="ERR_ACCESS_DENIED"></a> + +### `ERR_ACCESS_DENIED` + +A special type of error that is triggered whenever Node.js tries to get access +to a resource restricted by the [policy][] manifest. +For example, `process.binding`. + <a id="ERR_AMBIGUOUS_ARGUMENT"></a> ### `ERR_AMBIGUOUS_ARGUMENT` Index: node-v14.21.3/lib/internal/errors.js =================================================================== --- node-v14.21.3.orig/lib/internal/errors.js +++ node-v14.21.3/lib/internal/errors.js @@ -788,6 +788,10 @@ module.exports = { // Note: Please try to keep these in alphabetical order // // Note: Node.js specific errors must begin with the prefix ERR_ + +E('ERR_ACCESS_DENIED', + 'Access to this API has been restricted. Permission: %s', + Error); E('ERR_AMBIGUOUS_ARGUMENT', 'The "%s" argument is ambiguous. %s', TypeError); E('ERR_ARG_NOT_ITERABLE', '%s must be iterable', TypeError); E('ERR_ASSERTION', '%s', Error); Index: node-v14.21.3/lib/internal/process/policy.js =================================================================== --- node-v14.21.3.orig/lib/internal/process/policy.js +++ node-v14.21.3/lib/internal/process/policy.js @@ -7,6 +7,7 @@ const { } = primordials; const { + ERR_ACCESS_DENIED, ERR_MANIFEST_TDZ, } = require('internal/errors').codes; const { Manifest } = require('internal/policy/manifest'); 
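Review bot: The `ERR_ACCESS_DENIED` template added in lib/internal/errors.js labels its argument `Permission: %s`, yet the only callers this patch adds (in lib/internal/process/policy.js) pass the name of the blocked API, so the rendered text reads `Permission: process.binding`. If the wording is kept for parity with other release lines, a short comment above the entry would tell later callers what to pass, for example `// Raised when an API is disabled by an active policy; the argument names the blocked API.` The added blank line before `E('ERR_ACCESS_DENIED',` also detaches the entry from the "keep these in alphabetical order" comment that introduces the list.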
@@ -32,6 +33,15 @@ module.exports = ObjectFreeze({ return o; }); manifest = new Manifest(json, url); + + // process.binding() is deprecated (DEP0111) and trivially allows bypassing + // policies, so if policies are enabled, make this API unavailable. + process.binding = function binding(_module) { + throw new ERR_ACCESS_DENIED('process.binding'); + }; + process._linkedBinding = function _linkedBinding(_module) { + throw new ERR_ACCESS_DENIED('process._linkedBinding'); + }; }, get manifest() { Index: node-v14.21.3/test/fixtures/policy/process-binding/app.js =================================================================== --- /dev/null +++ node-v14.21.3/test/fixtures/policy/process-binding/app.js @@ -0,0 +1,10 @@ +'use strict'; + +const assert = require('assert'); + +assert.throws(() => { process.binding(); }, { + code: 'ERR_ACCESS_DENIED' +}); +assert.throws(() => { process._linkedBinding(); }, { + code: 'ERR_ACCESS_DENIED' +}); Index: node-v14.21.3/test/fixtures/policy/process-binding/policy.json =================================================================== --- /dev/null +++ node-v14.21.3/test/fixtures/policy/process-binding/policy.json @@ -0,0 +1,10 @@ +{ + "resources": { + "./app.js": { + "integrity": true, + "dependencies": { + "assert": true + } + } + } +} Index: node-v14.21.3/test/parallel/test-policy-process-binding.js =================================================================== --- /dev/null +++ node-v14.21.3/test/parallel/test-policy-process-binding.js 
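Review bot: The two stubs in lib/internal/process/policy.js only affect lookups made after this assignment runs, and the hunk does not show where the enclosing setup function is called relative to the first evaluation of user-supplied code (the function starts above the hunk). Since the fix depends on that ordering, the comment should state it as an invariant, e.g. `// Must run before any user code is evaluated, so no reference to the original functions can be retained.` The replacement is also a fixed list of two accessors rather than a general restriction, so the same comment should say that any other API exposing internal bindings needs the same treatment when a policy is enabled.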
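Review bot: The fixture test/fixtures/policy/process-binding/app.js asserts only on `code`, so it would still pass if both stubs reported the same API name or if the names were swapped. Pinning the message as well keeps the two cases distinct, e.g. `{ code: 'ERR_ACCESS_DENIED', message: /process\.binding/ }` and `{ code: 'ERR_ACCESS_DENIED', message: /process\._linkedBinding/ }`. Both calls are also made without an argument; passing a module name would document that the denial does not depend on which binding is requested.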
@@ -0,0 +1,28 @@
+'use strict';
+
+const common = require('../common');
+common.requireNoPackageJSONAbove();
+
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const fixtures = require('../common/fixtures');
+
+const assert = require('node:assert');
+const { spawnSync } = require('node:child_process');
+
+const dep = fixtures.path('policy', 'process-binding', 'app.js');
+const depPolicy = fixtures.path(
+ 'policy',
+ 'process-binding',
+ 'policy.json');
+const { status } = spawnSync(
+ process.execPath,
+ [
+ '--experimental-policy', depPolicy, dep,
+ ],
+ {
+ stdio: 'inherit'
+ },
+);
+assert.strictEqual(status, 0);
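Review bot: The new test covers only the policy-enabled run, so nothing guards the other half of the documented behaviour in deprecations.md, namely that `process.binding()` stays available when no policy is loaded. A second `spawnSync` of a small fixture without `--experimental-policy`, asserting that the call does not throw `ERR_ACCESS_DENIED`, would catch a regression that disables the API unconditionally. Separately, only `status` is read from the result, so a child killed by a signal fails as `null !== 0`; destructuring `signal` too and adding `assert.strictEqual(signal, null);` before the status check makes that failure readable.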