Adam Majer
ce54bd25e1
(bsc#1189369, CVE-2021-22939) (bsc#1188881, bsc#1189370, CVE-2021-3672, CVE-2021-22931) OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs10?expand=0&rev=170
85 lines
3.4 KiB
Diff
85 lines
3.4 KiB
Diff
From 1780bbc3291357f7c3370892eb311fc7a62afe8d Mon Sep 17 00:00:00 2001
|
|
From: Matteo Collina <hello@matteocollina.com>
|
|
Date: Wed, 4 Aug 2021 18:40:00 +0200
|
|
Subject: [PATCH] tls: validate "rejectUnauthorized: undefined"
|
|
|
|
Incomplete validation of rejectUnauthorized parameter (Low)
|
|
|
|
If the Node.js https API was used incorrectly and "undefined" was passed
|
|
in for the "rejectUnauthorized" parameter, no error was returned and
|
|
connections to servers with an expired certificate would have been
|
|
accepted.
|
|
|
|
CVE-ID: CVE-2021-22939
|
|
Refs: https://nvd.nist.gov/vuln/detail/CVE-2021-22939
|
|
Refs: https://hackerone.com/reports/1278254
|
|
PR-URL: https://github.com/nodejs-private/node-private/pull/276
|
|
Reviewed-By: Rich Trott <rtrott@gmail.com>
|
|
Reviewed-By: Akshay K <iit.akshay@gmail.com>
|
|
Reviewed-By: Robert Nagy <ronagy@icloud.com>
|
|
Reviewed-By: Richard Lau <rlau@redhat.com>
|
|
---
|
|
lib/_tls_wrap.js | 17 ++++++++++++++++-
|
|
test/parallel/test-tls-client-reject.js | 13 +++++++++++++
|
|
2 files changed, 29 insertions(+), 1 deletion(-)
|
|
|
|
Index: node-v10.24.1/lib/_tls_wrap.js
|
|
===================================================================
|
|
--- node-v10.24.1.orig/lib/_tls_wrap.js
|
|
+++ node-v10.24.1/lib/_tls_wrap.js
|
|
@@ -1102,7 +1102,15 @@ function onConnectSecure() {
|
|
this.authorized = false;
|
|
this.authorizationError = verifyError.code || verifyError.message;
|
|
|
|
- if (options.rejectUnauthorized) {
|
|
+ // rejectUnauthorized property can be explicitly defined as `undefined`
|
|
+ // causing the assignment to default value (`true`) fail. Before assigning
|
|
+ // it to the tlssock connection options, explicitly check if it is false
|
|
+ // and update rejectUnauthorized property. The property gets used by
|
|
+ // TLSSocket connection handler to allow or reject connection if
|
|
+ // unauthorized.
|
|
+ // This check is potentially redundant, however it is better to keep it
|
|
+ // in case the option object gets modified somewhere.
|
|
+ if (options.rejectUnauthorized !== false) {
|
|
this.destroy(verifyError);
|
|
return;
|
|
} else {
|
|
@@ -1170,6 +1178,13 @@ exports.connect = function connect(...ar
|
|
requestOCSP: options.requestOCSP
|
|
});
|
|
|
|
+ // rejectUnauthorized property can be explicitly defined as `undefined`
|
|
+ // causing the assignment to default value (`true`) fail. Before assigning
|
|
+ // it to the tlssock connection options, explicitly check if it is false
|
|
+ // and update rejectUnauthorized property. The property gets used by TLSSocket
|
|
+ // connection handler to allow or reject connection if unauthorized
|
|
+ options.rejectUnauthorized = options.rejectUnauthorized !== false;
|
|
+
|
|
tlssock[kConnectOptions] = options;
|
|
|
|
if (cb)
|
|
Index: node-v10.24.1/test/parallel/test-tls-client-reject.js
|
|
===================================================================
|
|
--- node-v10.24.1.orig/test/parallel/test-tls-client-reject.js
|
|
+++ node-v10.24.1/test/parallel/test-tls-client-reject.js
|
|
@@ -67,6 +67,19 @@ function rejectUnauthorized() {
|
|
socket.write('ng');
|
|
}
|
|
|
|
+function rejectUnauthorizedUndefined() {
|
|
+ console.log('reject unauthorized undefined');
|
|
+ const socket = tls.connect(server.address().port, {
|
|
+ servername: 'localhost',
|
|
+ rejectUnauthorized: undefined
|
|
+ }, common.mustNotCall());
|
|
+ socket.on('data', common.mustNotCall());
|
|
+ socket.on('error', common.mustCall(function(err) {
|
|
+ authorized();
|
|
+ }));
|
|
+ socket.end('ng');
|
|
+}
|
|
+
|
|
function authorized() {
|
|
const socket = tls.connect(server.address().port, {
|
|
ca: [fixtures.readSync('test_cert.pem')],
|