nodejs/nodejs12
SHA256
6
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
nodejs12/CVE-2023-30581.patch
Adam Majer e18377574e - CVE-2023-30581.patch: fixes mainModule.__proto__ Bypass 
Experimental Policy Mechanism (CVE-2023-30581, bsc#1212574)
- CVE-2023-30589.patch: HTTP Request Smuggling via empty headers
  separated by CR (CVE-2023-30589, bsc#1212582)
- CVE-2023-30590.patch: DiffieHellman does not generate keys
   after setting a private key (CVE-2023-30590, bsc#1212583)
- CVE-2023-23918.patch: fixes permissions policies can be
  bypassed via process.mainModule (bsc#1208481, CVE-2023-23918)
- CVE-2023-32002.patch:
  + fixes policies can be bypassed via Module._load
  + fixes policies can be bypassed by module.constructor.createRequire
    (CVE-2023-32002, CVE-2023-32006, bsc#1214150, bsc#1214156)
- CVE-2023-32559.patch: Policies can be bypassed via
  process.binding (CVE-2023-32559, bsc#1214154)

OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs12?expand=0&rev=150
2023-08-18 12:10:04 +00:00

63 lines
2.6 KiB
Diff
Raw Permalink Blame History

commit a6f4e87bc913ff18c1859b8a350c24f744355e66
Author: RafaelGSS <rafael.nunu@hotmail.com>
Date: Mon May 29 16:40:15 2023 -0300
policy: handle mainModule.__proto__ bypass
Backport-PR-URL: https://github.com/nodejs-private/node-private/pull/418
PR-URL: https://github.com/nodejs-private/node-private/pull/416
Fixes: https://hackerone.com/bugs?subject=nodejs&report_id=1877919
Reviewed-By: Rich Trott <rtrott@gmail.com>
CVE-ID: CVE-2023-30581
Index: node-v12.22.12/lib/internal/modules/cjs/loader.js
===================================================================
--- node-v12.22.12.orig/lib/internal/modules/cjs/loader.js
+++ node-v12.22.12/lib/internal/modules/cjs/loader.js
@@ -167,6 +167,7 @@ function Module(id = '', parent) {
if (manifest) {
const moduleURL = pathToFileURL(id);
redirects = manifest.getRedirector(moduleURL);
+ setOwnProperty(this.__proto__, 'require', makeRequireFunction(this, redirects));
}
setOwnProperty(this, 'require', makeRequireFunction(this, redirects));
// Loads a module at the given file path. Returns that module's
@@ -708,7 +709,7 @@ Module._load = function(request, parent,
const module = cachedModule || new Module(filename, parent);
if (isMain) {
- process.mainModule = module;
+ setOwnProperty(process, 'mainModule', module);
setOwnProperty(module.require, 'main', process.mainModule);
module.id = '.';
}
Index: node-v12.22.12/test/fixtures/policy-manifest/main-module-proto-bypass.js
===================================================================
--- /dev/null
+++ node-v12.22.12/test/fixtures/policy-manifest/main-module-proto-bypass.js
@@ -0,0 +1 @@
+process.mainModule.__proto__.require("os")
Index: node-v12.22.12/test/parallel/test-policy-manifest.js
===================================================================
--- node-v12.22.12.orig/test/parallel/test-policy-manifest.js
+++ node-v12.22.12/test/parallel/test-policy-manifest.js
@@ -61,3 +61,18 @@ const fixtures = require('../common/fixt
assert.strictEqual(result.status, 0);
}
+{
+ const policyFilepath = fixtures.path('policy-manifest', 'onerror-exit.json');
+ const mainModuleBypass = fixtures.path('policy-manifest', 'main-module-proto-bypass.js');
+ const result = spawnSync(process.execPath, [
+ '--experimental-policy',
+ policyFilepath,
+ mainModuleBypass,
+ ]);
+
+ assert.notStrictEqual(result.status, 0);
+ const stderr = result.stderr.toString();
+ assert.match(stderr, /ERR_MANIFEST_ASSERT_INTEGRITY/);
+ assert.match(stderr, /The resource was not found in the policy/);
+}
+
Reference in New Issue View Git Blame Copy Permalink