nodejs-electron/CVE-2023-39333-node-create_dynamic_module-code-injection.patch


From eaf9083cf1e43bd897ac8244dcc0f4e3500150ca Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tobias=20Nie=C3=9Fen?= <tniessen@tnie.de>
Date: Sun, 6 Aug 2023 10:41:33 +0000
Subject: [PATCH] module: fix code injection through export names
createDynamicModule() properly escapes import names, but not export
names. In WebAssembly, any string is a valid export name. Importing a
WebAssembly module that uses a non-identifier export name leads to
either a syntax error in createDynamicModule() or to code injection,
that is, to the evaluation of almost arbitrary JavaScript code outside
of the WebAssembly module.
To address this issue, adopt the same mechanism in createExport() that
createImport() already uses. Add tests for both exports and imports.
PR-URL: https://github.com/nodejs-private/node-private/pull/461
Backport-PR-URL: https://github.com/nodejs-private/node-private/pull/490
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
CVE-ID: CVE-2023-39333
---
.../modules/esm/create_dynamic_module.js | 14 ++---
test/es-module/test-esm-wasm.mjs | 50 ++++++++++++++++++
.../export-name-code-injection.wasm | Bin 0 -> 98 bytes
.../es-modules/export-name-code-injection.wat | 8 +++
.../es-modules/export-name-syntax-error.wasm | Bin 0 -> 37 bytes
.../es-modules/export-name-syntax-error.wat | 6 +++
test/fixtures/es-modules/import-name.wasm | Bin 0 -> 237 bytes
test/fixtures/es-modules/import-name.wat | 10 ++++
8 files changed, 81 insertions(+), 7 deletions(-)
create mode 100644 test/fixtures/es-modules/export-name-code-injection.wasm
create mode 100644 test/fixtures/es-modules/export-name-code-injection.wat
create mode 100644 test/fixtures/es-modules/export-name-syntax-error.wasm
create mode 100644 test/fixtures/es-modules/export-name-syntax-error.wat
create mode 100644 test/fixtures/es-modules/import-name.wasm
create mode 100644 test/fixtures/es-modules/import-name.wat
diff --git a/lib/internal/modules/esm/create_dynamic_module.js b/lib/internal/modules/esm/create_dynamic_module.js
index f7c20083b6c91..c99da19d5c827 100644
--- a/third_party/electron_node/lib/internal/modules/esm/create_dynamic_module.js
+++ b/third_party/electron_node/lib/internal/modules/esm/create_dynamic_module.js
@@ -18,13 +18,13 @@ function createImport(impt, index) {
import.meta.imports[${imptPath}] = $import_${index};`;
}
-function createExport(expt) {
- const name = `${expt}`;
- return `let $${name};
-export { $${name} as ${name} };
-import.meta.exports.${name} = {
- get: () => $${name},
- set: (v) => $${name} = v,
+function createExport(expt, index) {
+ const nameStringLit = JSONStringify(expt);
+ return `let $export_${index};
+export { $export_${index} as ${nameStringLit} };
+import.meta.exports[${nameStringLit}] = {
+ get: () => $export_${index},
+ set: (v) => $export_${index} = v,
};`;
}
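Review bot: createExport() has no comment recording why the export name is emitted only through `JSONStringify(expt)` and why the local binding is `$export_${index}` instead of being derived from the name, so a later cleanup could reintroduce raw interpolation of an untrusted WebAssembly export name into the generated module source. I would add above the function: `// Export names are untrusted (any string is a valid WebAssembly export name): emit them only as string literals and name the binding by index.` Separately, the old code coerced with `${expt}`, whereas JSONStringify yields undefined for undefined, function or symbol inputs, which would produce `as undefined` in the template. The callers of createExport() are outside this hunk, so it is worth confirming that each one passes a string and supplies the index as the second argument (for example through a map callback).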