-
Notifications
You must be signed in to change notification settings - Fork 29.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
child_process.spawn not checking null byte in args #44768
Comments
I agree this ought to be fixed, for consistency with node's fs module (which rejects paths with nul bytes) if nothing else. Pull request welcome. |
This change adds validation to reject an edge case where the child_process.spawn() argument strings might contain null bytes somewhere in between. Such strings were being silently truncated before, so throwing an error should prevent misuses of this API. Fixes: nodejs#44768 Signed-off-by: Darshan Sen <raisinten@gmail.com>
Sent a PR which adds the required validation: #44782 |
This change adds validation to reject an edge case where the child_process.spawn() argument strings might contain null bytes somewhere in between. Such strings were being silently truncated before, so throwing an error should prevent misuses of this API. Fixes: nodejs#44768 Signed-off-by: Darshan Sen <raisinten@gmail.com>
This change adds validation to reject an edge case where the child_process API argument strings might contain null bytes somewhere in between. Such strings were being silently truncated before, so throwing an error should prevent misuses of this API. Fixes: nodejs#44768 Signed-off-by: Darshan Sen <raisinten@gmail.com>
This change adds validation to reject an edge case where the child_process API argument strings might contain null bytes somewhere in between. Such strings were being silently truncated before, so throwing an error should prevent misuses of this API. Fixes: #44768 Signed-off-by: Darshan Sen <raisinten@gmail.com> PR-URL: #44782 Reviewed-By: James M Snell <jasnell@gmail.com>
This change adds validation to reject an edge case where the child_process API argument strings might contain null bytes somewhere in between. Such strings were being silently truncated before, so throwing an error should prevent misuses of this API. Fixes: #44768 Signed-off-by: Darshan Sen <raisinten@gmail.com> PR-URL: #44782 Reviewed-By: James M Snell <jasnell@gmail.com>
This change adds validation to reject an edge case where the child_process API argument strings might contain null bytes somewhere in between. Such strings were being silently truncated before, so throwing an error should prevent misuses of this API. Fixes: #44768 Signed-off-by: Darshan Sen <raisinten@gmail.com> PR-URL: #44782 Reviewed-By: James M Snell <jasnell@gmail.com>
This change adds validation to reject an edge case where the child_process API argument strings might contain null bytes somewhere in between. Such strings were being silently truncated before, so throwing an error should prevent misuses of this API. Fixes: #44768 Signed-off-by: Darshan Sen <raisinten@gmail.com> PR-URL: #44782 Reviewed-By: James M Snell <jasnell@gmail.com>
This change adds validation to reject an edge case where the child_process API argument strings might contain null bytes somewhere in between. Such strings were being silently truncated before, so throwing an error should prevent misuses of this API. Fixes: #44768 Signed-off-by: Darshan Sen <raisinten@gmail.com> PR-URL: #44782 Reviewed-By: James M Snell <jasnell@gmail.com>
This change adds validation to reject an edge case where the child_process API argument strings might contain null bytes somewhere in between. Such strings were being silently truncated before, so throwing an error should prevent misuses of this API. Fixes: #44768 Signed-off-by: Darshan Sen <raisinten@gmail.com> PR-URL: #44782 Reviewed-By: James M Snell <jasnell@gmail.com>
Hello @RaisinTen , looks like your test is not working on Ubuntu 23.04...
|
Maybe it has something to deal with the fact that we add --openssl-shared-config to some test?
|
changing argv[2] to argv[3] seems to work as workaround, but we should have a smarter way to check if TEST_CI_ARGS have a different value other than the default... |
This works as specific Ubuntu workaround. |
Version
v18.9.1
Platform
Linux tsc-ubuntu2204 5.15.0-48-generic #54-Ubuntu SMP Fri Aug 26 13:26:29 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
Subsystem
child_process
What steps will reproduce the bug?
How often does it reproduce? Is there a required condition?
No particular condition required.
What is the expected behavior?
Node.js should raise error when invalid args (containing null byte) are given.
What do you see instead?
No error raised. Null byte and subsequent bytes are silently truncated.
Additional information
Other languages below have null byte checking and raise error in the same situation.
IMO raising error is safer to avoid null byte injection.
The text was updated successfully, but these errors were encountered: