-
Notifications
You must be signed in to change notification settings - Fork 108
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Enable passing environment variables to the node process #240
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
At face value this certainly seems reasonable, unfortunately it is also possible to use this change to allow a pretty broad set of attacks on the host via the middleware. Options can be parsed from the body of the page being converted, and if the system supports file uploads and has the middleware enabled to allow conversion of responses it would be possible to have the end user alter these settings per request. This might include things like including extra files (--require ..
) or changing the default CA, or enabling process inspection, changing the node path. This is a surefire way to allow potential back-dooring or file exfiltration.
https://nodejs.org/api/cli.html#environment-variables_1
This would either require an absolutely bullet proof set of guards in Grover::OptionsBuilder#meta_options
or configuring this outside the bounds of the options
passed to the Grover initialiser.
Ah yes, you are right, I did not consider the middleware usage as we are not using it. Could this be under the config like this? So not using the options but adding one more flag here lib/grover/configuration.rb
Then passing it along for the lib/grover/processor.rb? |
Yes, exactly.. much safer |
Changed now so that |
Released in v1.1.8 |
We noticed that Chrome does not behave well with jemalloc enabled, and we prefer to use that in general.
Instead of disabling jemalloc in the whole environment, we opted to just disable it for the node process used. Based on quick search, others have had the same issue as well (#80)
We disabled it by passing a new environment variable for the node process like this