Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Harden macOS postinstall script #57660

Open
sdavids opened this issue Mar 28, 2025 · 4 comments · May be fixed by #57661
Open

Harden macOS postinstall script #57660

sdavids opened this issue Mar 28, 2025 · 4 comments · May be fixed by #57661

Comments

@sdavids
Copy link

sdavids commented Mar 28, 2025
edited
Loading

Version

v22.14.0

Platform

Darwin redacted 24.3.0 Darwin Kernel Version 24.3.0: Thu Jan  2 20:24:06 PST 2025; root:xnu-11215.81.4~3/RELEASE_ARM64_T8103 arm64

Subsystem

No response

What steps will reproduce the bug?

Use the installer.

How often does it reproduce? Is there a required condition?

Always

What is the expected behavior? Why is that the expected behavior?

The script is not susceptible to environment attacks.

What do you see instead?

node/tools/macos-installer/pkgbuild/npm/scripts/postinstall

Lines 4 to 5 in 0a91e98

ln -sf ../lib/node_modules/npm/bin/npm-cli.js npm
ln -sf ../lib/node_modules/npm/bin/npx-cli.js npx

Additional information

Shell Script Security - Environment Attacks
@sdavids sdavids linked a pull request Mar 28, 2025 that will close this issue
Open
@aduh95
Copy link
Contributor

aduh95 commented Mar 28, 2025

How can we reproduce?

@ged3v
Copy link

ged3v commented Mar 29, 2025

@sdavids Can you provide CWE and CVSS for this?

@sdavids
Copy link
Author

sdavids commented Mar 29, 2025

I am unsure want you want.

It is a simple change, significantly improving the status quo.

Yes, most Macs are used by a single person, so they will not be affected by this change.

@sdavids
Copy link
Author

sdavids commented Mar 29, 2025

/bin/ln is protected against malicious shenanigans.

ln is not.

sdavids added a commit to sdavids/node that referenced this issue Mar 30, 2025
@sdavids
tools: delete macos installer postinstall script
1426339 
Fixes: nodejs#57660
Fixes: nodejs#57548.
Signed-off-by: Sebastian Davids <sdavids@gmx.de>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

tools: delete macos installer postinstall script sdavids/node
3 participants
@sdavids @aduh95 @ged3v