- Add backported security patches: * CVE-2023-38552 bsc#1216272 CVE-2023-38552-node-integrity-checks-according-to-policies.patch * CVE-2023-39333 bsc#1216273 CVE-2023-39333-node-create_dynamic_module-code-injection.patch * CVE-2023-45143 bsc#1216205 CVE-2023-45143-undici-cookie-leakage.patch - Build against Wayland 21 also on Leap 15.4 now that it's available * drop wayland-WL-SINCE-VERSION.patch * drop wayland_data_drag_controller-WL_SURFACE_OFFSET_SINCE_VERSION.patch OBS-URL: https://build.opensuse.org/request/show/1118117 OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs-electron?expand=0&rev=102
From eaf9083cf1e43bd897ac8244dcc0f4e3500150ca Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tobias=20Nie=C3=9Fen?= <tniessen@tnie.de>
Date: Sun, 6 Aug 2023 10:41:33 +0000
Subject: [PATCH] module: fix code injection through export names
createDynamicModule() properly escapes import names, but not export
names. In WebAssembly, any string is a valid export name. Importing a
WebAssembly module that uses a non-identifier export name leads to
either a syntax error in createDynamicModule() or to code injection,
that is, to the evaluation of almost arbitrary JavaScript code outside
of the WebAssembly module.
To address this issue, adopt the same mechanism in createExport() that
createImport() already uses. Add tests for both exports and imports.
PR-URL: https://github.com/nodejs-private/node-private/pull/461
Backport-PR-URL: https://github.com/nodejs-private/node-private/pull/490
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
CVE-ID: CVE-2023-39333
---
.../modules/esm/create_dynamic_module.js | 14 ++---
test/es-module/test-esm-wasm.mjs | 50 ++++++++++++++++++
.../export-name-code-injection.wasm | Bin 0 -> 98 bytes
.../es-modules/export-name-code-injection.wat | 8 +++
.../es-modules/export-name-syntax-error.wasm | Bin 0 -> 37 bytes
.../es-modules/export-name-syntax-error.wat | 6 +++
test/fixtures/es-modules/import-name.wasm | Bin 0 -> 237 bytes
test/fixtures/es-modules/import-name.wat | 10 ++++
8 files changed, 81 insertions(+), 7 deletions(-)
create mode 100644 test/fixtures/es-modules/export-name-code-injection.wasm
create mode 100644 test/fixtures/es-modules/export-name-code-injection.wat
create mode 100644 test/fixtures/es-modules/export-name-syntax-error.wasm
create mode 100644 test/fixtures/es-modules/export-name-syntax-error.wat
create mode 100644 test/fixtures/es-modules/import-name.wasm
create mode 100644 test/fixtures/es-modules/import-name.wat
diff --git a/lib/internal/modules/esm/create_dynamic_module.js b/lib/internal/modules/esm/create_dynamic_module.js
index f7c20083b6c91..c99da19d5c827 100644
--- a/third_party/electron_node/lib/internal/modules/esm/create_dynamic_module.js
+++ b/third_party/electron_node/lib/internal/modules/esm/create_dynamic_module.js
@@ -18,13 +18,13 @@ function createImport(impt, index) {
import.meta.imports[${imptPath}] = $import_${index};`;
}
-function createExport(expt) {
- const name = `${expt}`;
- return `let $${name};
-export { $${name} as ${name} };
-import.meta.exports.${name} = {
- get: () => $${name},
- set: (v) => $${name} = v,
+function createExport(expt, index) {
+ const nameStringLit = JSONStringify(expt);
+ return `let $export_${index};
+export { $export_${index} as ${nameStringLit} };
+import.meta.exports[${nameStringLit}] = {
+ get: () => $export_${index},
+ set: (v) => $export_${index} = v,
};`;
}
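Review bot: The new `createExport` hands `expt` straight to `JSONStringify`, dropping the string coercion that the removed line ``const name = `${expt}`;`` performed, so the result is a quoted string literal only when `expt` is already a string. For a number, an object or `undefined` the template would emit a bare token after `as` and the generated module source would fail to parse; the callers are outside this hunk, so whether a non-string can reach this function is not visible here. Keeping the coercion is a one-line change: ``const nameStringLit = JSONStringify(`${expt}`);``. A short comment above the function would also record the invariant this fix depends on, for example `// Export names are arbitrary strings (e.g. from WebAssembly): emit them only as a string literal, never as an identifier; index must be unique per export.`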