child_process: harden against prototype pollution by LiviaMedeiros · Pull Request #48726 · nodejs/node

LiviaMedeiros · 2023-07-10T16:25:28Z

Improve robustness against something like

Object.assign(Object.prototype, {
  cwd: '/etc',
  uid: 82, // www-data
  execFile: '/bin/rm', // using rm to "spawn" modules
  execArgv: [ ... ],
  shell: '...',
  env: { ... },
  ...
});

nodejs-github-bot · 2023-07-10T18:28:55Z

CI: https://ci.nodejs.org/job/node-test-pull-request/52685/

nodejs-github-bot · 2023-07-11T14:27:43Z

CI: https://ci.nodejs.org/job/node-test-pull-request/52697/

nodejs-github-bot · 2023-07-12T07:08:44Z

CI: https://ci.nodejs.org/job/node-test-pull-request/52717/

aduh95 · 2023-07-12T22:32:21Z

lib/child_process.js

    validateObject(options, 'options');
  }
-  options = { ...options, shell: false };
+  options = { __proto__: null, ...options, shell: false };


Not related to this PR, but I wonder if we should use { __proto__: options, shell: false } and let users decide if they want prototype pollution or not.

Wouldn't it make this object affected by subsequent mutations outside?
In fact, I wonder if we should use structuredClone() or at least make copies of object properties like .env to avoid race conditions if multiple fork()s are called with reused options.

Wouldn't it make this object affected by subsequent mutations outside?

I guess it depends if we read the properties in the same tick or not (which I expect we do most of the time, but I haven't checked).

In fact, I wonder if we should use structuredClone()

That wouldn't help with inconsistency of our API: sometimes, we dismiss inherited properties, sometimes we don't. But it's clearly not a big deal as I don't think we ever received any bug report regarding that.

or at least make copies of object properties like .env to avoid race conditions if multiple fork()s are called with reused options.

but wouldn't folks expect the same env to be shared if they supply the same object? The fact that no one complains makes me think we're overthinking it 😅

nodejs-github-bot · 2023-07-14T09:37:39Z

Landed in 6a88926

PR-URL: nodejs#48726 Reviewed-By: Matthew Aitken <maitken033380023@gmail.com> Reviewed-By: Mohammed Keyvanzadeh <mohammadkeyvanzade94@gmail.com> Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>

PR-URL: #48726 Reviewed-By: Matthew Aitken <maitken033380023@gmail.com> Reviewed-By: Mohammed Keyvanzadeh <mohammadkeyvanzade94@gmail.com> Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>

nodejs/node#48726

* chore: bump node in DEPS to v18.18.0 * child_process: harden against prototype pollution nodejs/node#48726 * deps: upgrade to libuv 1.46.0 nodejs/node#49591 * module: reduce url invocations in esm/load.js nodejs/node#48337 * Revert "test: remove test-crypto-keygen flaky designation" nodejs/node#48652 * fix: FTBTFS in ada dep ada-url/ada#464 ada-url/idna#31 * fix: force_colors snapshot line number * chore: fixup patch indices * chore: update filenames.json --------- Co-authored-by: electron-roller[bot] <84116207+electron-roller[bot]@users.noreply.github.com> Co-authored-by: Shelley Vohr <shelley.vohr@gmail.com>

Prior pull request (nodejs#48726) hardened against prototype pollution vulnerabilities but effectively missed some use-cases which opened a window for prototype pollution for some child_process functions such as spawn(), spawnSync(), and execFileSync().

Prior pull request (#48726) hardened against prototype pollution vulnerabilities but effectively missed some use-cases which opened a window for prototype pollution for some child_process functions such as spawn(), spawnSync(), and execFileSync(). PR-URL: #53781 Reviewed-By: Vinícius Lourenço Claro Cardoso <contact@viniciusl.com.br> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>

child_process: harden against prototype pollution

993fa88

nodejs-github-bot added child_process Issues and PRs related to the child_process subsystem. needs-ci PRs that need a full CI run. labels Jul 10, 2023

LiviaMedeiros added the request-ci Add this label to start a Jenkins CI on a PR. label Jul 10, 2023

github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Jul 10, 2023

KhafraDev approved these changes Jul 10, 2023

View reviewed changes

KhafraDev added the author ready PRs that have at least one approval, no pending requests for changes, and a CI started. label Jul 10, 2023

This comment was marked as outdated.

Sign in to view

VoltrexKeyva approved these changes Jul 12, 2023

View reviewed changes

aduh95 approved these changes Jul 12, 2023

View reviewed changes

lpinca added the commit-queue Add this label to land a pull request using GitHub Actions. label Jul 14, 2023

nodejs-github-bot removed the commit-queue Add this label to land a pull request using GitHub Actions. label Jul 14, 2023

nodejs-github-bot merged commit 6a88926 into nodejs:main Jul 14, 2023

This was referenced Jul 16, 2023

CI Reliability 2023-07-16 nodejs/reliability#614

Open

CI Reliability 2023-07-17 nodejs/reliability#615

Open

UlisesGascon mentioned this pull request Aug 15, 2023

v20.6.0 proposal #49185

Merged

ruyadorno mentioned this pull request Sep 13, 2023

v18.18.0 proposal #49220

Merged

codebytere added a commit to electron/electron that referenced this pull request Sep 19, 2023

child_process: harden against prototype pollution

63e78c0

nodejs/node#48726

lirantal mentioned this pull request Jul 9, 2024

child_process: fix incomplete prototype pollution hardening #53781

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

child_process: harden against prototype pollution#48726

child_process: harden against prototype pollution#48726
nodejs-github-bot merged 1 commit intonodejs:mainfrom
LiviaMedeiros:childprocess-harden-protopollution

LiviaMedeiros commented Jul 10, 2023

Uh oh!

nodejs-github-bot commented Jul 10, 2023

Uh oh!

nodejs-github-bot commented Jul 11, 2023

Uh oh!

This comment was marked as outdated.

nodejs-github-bot commented Jul 12, 2023

Uh oh!

aduh95 Jul 12, 2023

Uh oh!

LiviaMedeiros Jul 14, 2023

Uh oh!

aduh95 Jul 14, 2023

Uh oh!

nodejs-github-bot commented Jul 14, 2023

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants

Uh oh!

Conversation

LiviaMedeiros commented Jul 10, 2023

Uh oh!

nodejs-github-bot commented Jul 10, 2023

Uh oh!

nodejs-github-bot commented Jul 11, 2023

Uh oh!

This comment was marked as outdated.

nodejs-github-bot commented Jul 12, 2023

Uh oh!

aduh95 Jul 12, 2023

Choose a reason for hiding this comment

Uh oh!

LiviaMedeiros Jul 14, 2023

Choose a reason for hiding this comment

Uh oh!

aduh95 Jul 14, 2023

Choose a reason for hiding this comment

Uh oh!

nodejs-github-bot commented Jul 14, 2023

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants