nodejs/nodejs12
SHA256
6
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
nodejs12/CVE-2023-32002.patch
Adam Majer e18377574e - CVE-2023-30581.patch: fixes mainModule.__proto__ Bypass 
Experimental Policy Mechanism (CVE-2023-30581, bsc#1212574)
- CVE-2023-30589.patch: HTTP Request Smuggling via empty headers
  separated by CR (CVE-2023-30589, bsc#1212582)
- CVE-2023-30590.patch: DiffieHellman does not generate keys
   after setting a private key (CVE-2023-30590, bsc#1212583)
- CVE-2023-23918.patch: fixes permissions policies can be
  bypassed via process.mainModule (bsc#1208481, CVE-2023-23918)
- CVE-2023-32002.patch:
  + fixes policies can be bypassed via Module._load
  + fixes policies can be bypassed by module.constructor.createRequire
    (CVE-2023-32002, CVE-2023-32006, bsc#1214150, bsc#1214156)
- CVE-2023-32559.patch: Policies can be bypassed via
  process.binding (CVE-2023-32559, bsc#1214154)

OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs12?expand=0&rev=150
2023-08-18 12:10:04 +00:00

123 lines
4.5 KiB
Diff
Raw Permalink Blame History

commit d8ccfe9ad4dce9da900cff9dd2b934dfa3600b8b
Author: RafaelGSS <rafael.nunu@hotmail.com>
Date: Mon May 29 19:45:33 2023 -0300
policy: handle Module.constructor and main.extensions bypass
Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com>
PR-URL: https://github.com/nodejs-private/node-private/pull/445
Refs: https://hackerone.com/bugs?subject=nodejs&report_id=1960870
Refs: https://hackerone.com/bugs?subject=nodejs&report_id=2043807
CVE-ID: CVE-2023-32002,CVE-2023-32006
Index: node-v12.22.12/test/fixtures/policy-manifest/createRequire-bypass.js
===================================================================
--- /dev/null
+++ node-v12.22.12/test/fixtures/policy-manifest/createRequire-bypass.js
@@ -0,0 +1,2 @@
+const os = module.constructor.createRequire('file:///os-access-module.js')('os')
+os.cpus()
\ No newline at end of file
Index: node-v12.22.12/test/fixtures/policy-manifest/main-constructor-bypass.js
===================================================================
--- /dev/null
+++ node-v12.22.12/test/fixtures/policy-manifest/main-constructor-bypass.js
@@ -0,0 +1,2 @@
+const m = new require.main.constructor();
+m.require('./invalid-module')
Index: node-v12.22.12/test/fixtures/policy-manifest/main-constructor-extensions-bypass.js
===================================================================
--- /dev/null
+++ node-v12.22.12/test/fixtures/policy-manifest/main-constructor-extensions-bypass.js
@@ -0,0 +1,2 @@
+const m = new require.main.constructor();
+require.extensions['.js'](m, './invalid-module')
Index: node-v12.22.12/test/fixtures/policy-manifest/manifest-impersonate.json
===================================================================
--- /dev/null
+++ node-v12.22.12/test/fixtures/policy-manifest/manifest-impersonate.json
@@ -0,0 +1,13 @@
+{
+ "resources": {
+ "./createRequire-bypass.js": {
+ "integrity": true
+ },
+ "/os-access-module.js": {
+ "integrity": true,
+ "dependencies": {
+ "os": true
+ }
+ }
+ }
+}
\ No newline at end of file
Index: node-v12.22.12/test/fixtures/policy-manifest/module-constructor-bypass.js
===================================================================
--- /dev/null
+++ node-v12.22.12/test/fixtures/policy-manifest/module-constructor-bypass.js
@@ -0,0 +1 @@
+module.constructor._load('child_process');
Index: node-v12.22.12/test/parallel/test-policy-manifest.js
===================================================================
--- node-v12.22.12.orig/test/parallel/test-policy-manifest.js
+++ node-v12.22.12/test/parallel/test-policy-manifest.js
@@ -76,3 +76,58 @@ const fixtures = require('../common/fixt
assert.match(stderr, /The resource was not found in the policy/);
}
+
+{
+ const policyFilepath = fixtures.path('policy-manifest', 'onerror-exit.json');
+ const mainModuleBypass = fixtures.path('policy-manifest', 'module-constructor-bypass.js');
+ const result = spawnSync(process.execPath, [
+ '--experimental-policy',
+ policyFilepath,
+ mainModuleBypass,
+ ]);
+ assert.notStrictEqual(result.status, 0);
+ const stderr = result.stderr.toString();
+ assert.match(stderr, /ERR_MANIFEST_ASSERT_INTEGRITY/);
+}
+
+{
+ const policyFilepath = fixtures.path('policy-manifest', 'manifest-impersonate.json');
+ const createRequireBypass = fixtures.path('policy-manifest', 'createRequire-bypass.js');
+ const result = spawnSync(process.execPath, [
+ '--experimental-policy',
+ policyFilepath,
+ createRequireBypass,
+ ]);
+
+ assert.notStrictEqual(result.status, 0);
+ const stderr = result.stderr.toString();
+ assert.match(stderr, /policy is not defined/);
+}
+
+{
+ const policyFilepath = fixtures.path('policy-manifest', 'onerror-exit.json');
+ const mainModuleBypass = fixtures.path('policy-manifest', 'main-constructor-bypass.js');
+ const result = spawnSync(process.execPath, [
+ '--experimental-policy',
+ policyFilepath,
+ mainModuleBypass,
+ ]);
+
+ assert.notStrictEqual(result.status, 0);
+ const stderr = result.stderr.toString();
+ assert.match(stderr, /ERR_MANIFEST_ASSERT_INTEGRITY/);
+}
+
+{
+ const policyFilepath = fixtures.path('policy-manifest', 'onerror-exit.json');
+ const mainModuleBypass = fixtures.path('policy-manifest', 'main-constructor-extensions-bypass.js');
+ const result = spawnSync(process.execPath, [
+ '--experimental-policy',
+ policyFilepath,
+ mainModuleBypass,
+ ]);
+
+ assert.notStrictEqual(result.status, 0);
+ const stderr = result.stderr.toString();
+ assert.match(stderr, /ERR_MANIFEST_ASSERT_INTEGRITY/);
+}
Reference in New Issue View Git Blame Copy Permalink