policy: handle mainModule.__proto__ bypass
Backport-PR-URL: nodejs-private/node-private#419
PR-URL: nodejs-private/node-private#416
Reviewed-By: Rich Trott <rtrott@gmail.com>
CVE-ID: CVE-2023-30581
RafaelGSS committed Jun 19, 2023
1 parent c5f4629 commit 925e8f5
Showing 3 changed files with 19 additions and 1 deletion.
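--- a/lib/internal/modules/cjs/loader.js
+++ b/lib/internal/modules/cjs/loader.js
@@ -237,6 +237,8 @@ function Module(id = '', parent) {
 redirects = policy.manifest.getDependencyMapper(moduleURL);
 // TODO(rafaelgss): remove the necessity of this branch
 setOwnProperty(this, 'require', makeRequireFunction(this, redirects));
+// eslint-disable-next-line no-proto
+setOwnProperty(this.__proto__, 'require', makeRequireFunction(this, redirects));
 }
 this[require_private_symbol] = internalRequire;
 }
@@ -941,7 +943,7 @@ Module._load = function(request, parent, isMain) {
 const module = cachedModule || new Module(filename, parent);
 
 if (isMain) {
-process.mainModule = module;
+setOwnProperty(process, 'mainModule', module);
 setOwnProperty(module.require, 'main', process.mainModule);
 module.id = '.';
 }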
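Review bot: In the first hunk, `setOwnProperty(this.__proto__, 'require', makeRequireFunction(this, redirects))` writes to the prototype object shared by Module instances (presumably `Module.prototype`), so every policy-enabled construction replaces the previous value and the prototype-level `require` ends up bound to whichever module was constructed last, together with that module's `redirects`. A call that reaches `require` through the prototype would then appear to be checked against the most recently constructed module's dependency map rather than the caller's; please confirm that is intended, or have the prototype method look up the mapper from its receiver. At minimum the line needs a why-comment, for example `// Also shadow require on the prototype so the policy check cannot be skipped via __proto__ (CVE-2023-30581)`. The body of `Module` begins above the hunk, so the condition guarding this branch is not visible here.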
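--- a/test/fixtures/policy-manifest/main-module-proto-bypass.js
+++ b/test/fixtures/policy-manifest/main-module-proto-bypass.js
@@ -0,0 +1 @@
+process.mainModule.__proto__.require("os")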
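--- a/test/parallel/test-policy-manifest.js
+++ b/test/parallel/test-policy-manifest.js
@@ -66,3 +66,18 @@ const fixtures = require('../common/fixtures.js');
 
 assert.strictEqual(result.status, 0);
 }
+
+{
+const policyFilepath = fixtures.path('policy-manifest', 'onerror-exit.json');
+const mainModuleBypass = fixtures.path('policy-manifest', 'main-module-proto-bypass.js');
+const result = spawnSync(process.execPath, [
+'--experimental-policy',
+policyFilepath,
+mainModuleBypass,
+]);
+
+assert.notStrictEqual(result.status, 0);
+const stderr = result.stderr.toString();
+assert.match(stderr, /ERR_MANIFEST_DEPENDENCY_MISSING/);
+assert.match(stderr, /does not list os as a dependency specifier for conditions: require, node, node-addons/);
+}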
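Review bot: The added block carries no comment saying what it guards, and its second `assert.match` pins the whole message including the condition list `require, node, node-addons`, so it will fail on any rewording or added condition even while the policy still blocks the load. I would put `// Regression test for CVE-2023-30581: require() reached through process.mainModule.__proto__ must still be checked against the policy manifest.` above the block and loosen the pattern to `/does not list os as a dependency specifier/`. The `ERR_MANIFEST_DEPENDENCY_MISSING` match already ties the non-zero exit to the policy check rather than to an unrelated crash.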
