child_process: harden against prototype pollution #48726
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
nodejs-github-bot
added
child_process
github-actions
bot
removed
the
request-ci
KhafraDev
approved these changes
Jul 10, 2023
KhafraDev
added
the
author ready
This comment was marked as outdated.
This comment was marked as outdated.
VoltrexKeyva
approved these changes
Jul 12, 2023
aduh95
approved these changes
Jul 12, 2023
| @@ -136,7 +136,7 @@ function fork(modulePath, args = [], options) { | |||
| if (options != null) { | |||
| validateObject(options, 'options'); | |||
| } | |||
| options = { ...options, shell: false }; | |||
| options = { __proto__: null, ...options, shell: false }; | |||
There was a problem hiding this comment.
Not related to this PR, but I wonder if we should use { __proto__: options, shell: false } and let users decide if they want prototype pollution or not.
There was a problem hiding this comment.
Wouldn't it make this object affected by subsequent mutations outside?
In fact, I wonder if we should use structuredClone() or at least make copies of object properties like .env to avoid race conditions if multiple fork()s are called with reused options.
There was a problem hiding this comment.
Wouldn't it make this object affected by subsequent mutations outside?
I guess it depends if we read the properties in the same tick or not (which I expect we do most of the time, but I haven't checked).
In fact, I wonder if we should use
structuredClone()
That wouldn't help with inconsistency of our API: sometimes, we dismiss inherited properties, sometimes we don't. But it's clearly not a big deal as I don't think we ever received any bug report regarding that.
or at least make copies of object properties like
.envto avoid race conditions if multiplefork()s are called with reused options.
but wouldn't folks expect the same env to be shared if they supply the same object? The fact that no one complains makes me think we're overthinking it 😅
lpinca
added
the
commit-queue
nodejs-github-bot
removed
the
commit-queue
|
Landed in 6a88926 |
This was referenced Jul 16, 2023
Ceres6
pushed a commit
to Ceres6/node
that referenced
this pull request
Aug 14, 2023
PR-URL: nodejs#48726 Reviewed-By: Matthew Aitken <maitken033380023@gmail.com> Reviewed-By: Mohammed Keyvanzadeh <mohammadkeyvanzade94@gmail.com> Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Ceres6
pushed a commit
to Ceres6/node
that referenced
this pull request
Aug 14, 2023
PR-URL: nodejs#48726 Reviewed-By: Matthew Aitken <maitken033380023@gmail.com> Reviewed-By: Mohammed Keyvanzadeh <mohammadkeyvanzade94@gmail.com> Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
UlisesGascon
pushed a commit
to UlisesGascon/node
that referenced
this pull request
Aug 14, 2023
PR-URL: nodejs#48726 Reviewed-By: Matthew Aitken <maitken033380023@gmail.com> Reviewed-By: Mohammed Keyvanzadeh <mohammadkeyvanzade94@gmail.com> Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
RafaelGSS
pushed a commit
that referenced
this pull request
Aug 15, 2023
PR-URL: #48726 Reviewed-By: Matthew Aitken <maitken033380023@gmail.com> Reviewed-By: Mohammed Keyvanzadeh <mohammadkeyvanzade94@gmail.com> Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Merged
ruyadorno
pushed a commit
that referenced
this pull request
Sep 12, 2023
PR-URL: #48726 Reviewed-By: Matthew Aitken <maitken033380023@gmail.com> Reviewed-By: Mohammed Keyvanzadeh <mohammadkeyvanzade94@gmail.com> Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
ruyadorno
pushed a commit
that referenced
this pull request
Sep 13, 2023
PR-URL: #48726 Reviewed-By: Matthew Aitken <maitken033380023@gmail.com> Reviewed-By: Mohammed Keyvanzadeh <mohammadkeyvanzade94@gmail.com> Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Merged
ruyadorno
pushed a commit
that referenced
this pull request
Sep 17, 2023
PR-URL: #48726 Reviewed-By: Matthew Aitken <maitken033380023@gmail.com> Reviewed-By: Mohammed Keyvanzadeh <mohammadkeyvanzade94@gmail.com> Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
codebytere
added a commit
to electron/electron
that referenced
this pull request
Sep 19, 2023
jkleinsc
pushed a commit
to electron/electron
that referenced
this pull request
Sep 20, 2023
* chore: bump node in DEPS to v18.18.0 * child_process: harden against prototype pollution nodejs/node#48726 * deps: upgrade to libuv 1.46.0 nodejs/node#49591 * module: reduce url invocations in esm/load.js nodejs/node#48337 * Revert "test: remove test-crypto-keygen flaky designation" nodejs/node#48652 * fix: FTBTFS in ada dep ada-url/ada#464 ada-url/idna#31 * fix: force_colors snapshot line number * chore: fixup patch indices * chore: update filenames.json --------- Co-authored-by: electron-roller[bot] <84116207+electron-roller[bot]@users.noreply.github.com> Co-authored-by: Shelley Vohr <shelley.vohr@gmail.com>
MrHuangJser
pushed a commit
to MrHuangJser/electron
that referenced
this pull request
Dec 11, 2023
* chore: bump node in DEPS to v18.18.0 * child_process: harden against prototype pollution nodejs/node#48726 * deps: upgrade to libuv 1.46.0 nodejs/node#49591 * module: reduce url invocations in esm/load.js nodejs/node#48337 * Revert "test: remove test-crypto-keygen flaky designation" nodejs/node#48652 * fix: FTBTFS in ada dep ada-url/ada#464 ada-url/idna#31 * fix: force_colors snapshot line number * chore: fixup patch indices * chore: update filenames.json --------- Co-authored-by: electron-roller[bot] <84116207+electron-roller[bot]@users.noreply.github.com> Co-authored-by: Shelley Vohr <shelley.vohr@gmail.com>
lirantal
added a commit
to lirantal/node
that referenced
this pull request
Jul 9, 2024
Prior pull request (nodejs#48726) hardened against prototype pollution vulnerabilities but effectively missed some use-cases which opened a window for prototype pollution for some child_process functions such as spawn(), spawnSync(), and execFileSync().
lirantal
added a commit
to lirantal/node
that referenced
this pull request
Jul 9, 2024
Prior pull request (nodejs#48726) hardened against prototype pollution vulnerabilities but effectively missed some use-cases which opened a window for prototype pollution for some child_process functions such as spawn(), spawnSync(), and execFileSync().
lirantal
added a commit
to lirantal/node
that referenced
this pull request
Jul 9, 2024
Prior pull request (nodejs#48726) hardened against prototype pollution vulnerabilities but effectively missed some use-cases which opened a window for prototype pollution for some child_process functions such as spawn(), spawnSync(), and execFileSync().
lirantal
added a commit
to lirantal/node
that referenced
this pull request
Jul 9, 2024
Prior pull request (nodejs#48726) hardened against prototype pollution vulnerabilities but effectively missed some use-cases which opened a window for prototype pollution for some child_process functions such as spawn(), spawnSync(), and execFileSync().
lirantal
added a commit
to lirantal/node
that referenced
this pull request
Jul 9, 2024
Prior pull request (nodejs#48726) hardened against prototype pollution vulnerabilities but effectively missed some use-cases which opened a window for prototype pollution for some child_process functions such as spawn(), spawnSync(), and execFileSync().
lirantal
added a commit
to lirantal/node
that referenced
this pull request
Jul 9, 2024
Prior pull request (nodejs#48726) hardened against prototype pollution vulnerabilities but effectively missed some use-cases which opened a window for prototype pollution for some child_process functions such as spawn(), spawnSync(), and execFileSync().
lirantal
added a commit
to lirantal/node
that referenced
this pull request
Jul 9, 2024
Prior pull request (nodejs#48726) hardened against prototype pollution vulnerabilities but effectively missed some use-cases which opened a window for prototype pollution for some child_process functions such as spawn(), spawnSync(), and execFileSync().
nodejs-github-bot
pushed a commit
that referenced
this pull request
Jul 21, 2024
Prior pull request (#48726) hardened against prototype pollution vulnerabilities but effectively missed some use-cases which opened a window for prototype pollution for some child_process functions such as spawn(), spawnSync(), and execFileSync(). PR-URL: #53781 Reviewed-By: Vinícius Lourenço Claro Cardoso <contact@viniciusl.com.br> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
targos
pushed a commit
that referenced
this pull request
Jul 28, 2024
Prior pull request (#48726) hardened against prototype pollution vulnerabilities but effectively missed some use-cases which opened a window for prototype pollution for some child_process functions such as spawn(), spawnSync(), and execFileSync(). PR-URL: #53781 Reviewed-By: Vinícius Lourenço Claro Cardoso <contact@viniciusl.com.br> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
RafaelGSS
pushed a commit
that referenced
this pull request
Aug 5, 2024
Prior pull request (#48726) hardened against prototype pollution vulnerabilities but effectively missed some use-cases which opened a window for prototype pollution for some child_process functions such as spawn(), spawnSync(), and execFileSync(). PR-URL: #53781 Reviewed-By: Vinícius Lourenço Claro Cardoso <contact@viniciusl.com.br> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
marco-ippolito
pushed a commit
that referenced
this pull request
Aug 19, 2024
Prior pull request (#48726) hardened against prototype pollution vulnerabilities but effectively missed some use-cases which opened a window for prototype pollution for some child_process functions such as spawn(), spawnSync(), and execFileSync(). PR-URL: #53781 Reviewed-By: Vinícius Lourenço Claro Cardoso <contact@viniciusl.com.br> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
marco-ippolito
pushed a commit
that referenced
this pull request
Aug 19, 2024
Prior pull request (#48726) hardened against prototype pollution vulnerabilities but effectively missed some use-cases which opened a window for prototype pollution for some child_process functions such as spawn(), spawnSync(), and execFileSync(). PR-URL: #53781 Reviewed-By: Vinícius Lourenço Claro Cardoso <contact@viniciusl.com.br> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
marco-ippolito
pushed a commit
that referenced
this pull request
Aug 19, 2024
Prior pull request (#48726) hardened against prototype pollution vulnerabilities but effectively missed some use-cases which opened a window for prototype pollution for some child_process functions such as spawn(), spawnSync(), and execFileSync(). PR-URL: #53781 Reviewed-By: Vinícius Lourenço Claro Cardoso <contact@viniciusl.com.br> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Improve robustness against something like