Skip to content

Commit d0a8264

Browse files
RafaelGSSRafaelGSS
committed
policy: handle mainModule.__proto__ bypass
PR-URL: nodejs-private/node-private#416 Fixes: https://hackerone.com/bugs?subject=nodejs&report_id=1877919 Reviewed-By: Rich Trott <[email protected]> CVE-ID: CVE-2023-30581
1 parent 5621c1d commit d0a8264

4 files changed

Lines changed: 23 additions & 5 deletions

File tree

lib/internal/modules/cjs/loader.js

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -231,6 +231,8 @@ function Module(id = '', parent) {
231231
redirects = manifest.getDependencyMapper(moduleURL);
232232
// TODO(rafaelgss): remove the necessity of this branch
233233
setOwnProperty(this, 'require', makeRequireFunction(this, redirects));
234+
// eslint-disable-next-line no-proto
235+
setOwnProperty(this.__proto__, 'require', makeRequireFunction(this, redirects));
234236
}
235237
this[require_private_symbol] = internalRequire;
236238
}
@@ -943,7 +945,7 @@ Module._load = function(request, parent, isMain) {
943945
const module = cachedModule || new Module(filename, parent);
944946

945947
if (isMain) {
946-
process.mainModule = module;
948+
setOwnProperty(process, 'mainModule', module);
947949
setOwnProperty(module.require, 'main', process.mainModule);
948950
module.id = '.';
949951
}

test/fixtures/errors/force_colors.snapshot

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -4,10 +4,10 @@ throw new Error('Should include grayed stack trace')
44

55
Error: Should include grayed stack trace
66
at Object.<anonymous> (/test*force_colors.js:1:7)
7-
 at Module._compile (node:internal*modules*cjs*loader:1255:14)
8-
 at Module._extensions..js (node:internal*modules*cjs*loader:1309:10)
9-
 at Module.load (node:internal*modules*cjs*loader:1113:32)
10-
 at Module._load (node:internal*modules*cjs*loader:960:12)
7+
 at Module._compile (node:internal*modules*cjs*loader:1257:14)
8+
 at Module._extensions..js (node:internal*modules*cjs*loader:1311:10)
9+
 at Module.load (node:internal*modules*cjs*loader:1115:32)
10+
 at Module._load (node:internal*modules*cjs*loader:962:12)
1111
 at Function.executeUserEntryPoint [as runMain] (node:internal*modules*run_main:83:12)
1212
 at node:internal*main*run_main_module:23:47
1313

test/fixtures/policy-manifest/main-module-proto-bypass.js

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1 @@
1+
process.mainModule.__proto__.require("os")

test/parallel/test-policy-manifest.js

Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -66,3 +66,18 @@ const fixtures = require('../common/fixtures.js');
6666

6767
assert.strictEqual(result.status, 0);
6868
}
69+
70+
{
71+
const policyFilepath = fixtures.path('policy-manifest', 'onerror-exit.json');
72+
const mainModuleBypass = fixtures.path('policy-manifest', 'main-module-proto-bypass.js');
73+
const result = spawnSync(process.execPath, [
74+
'--experimental-policy',
75+
policyFilepath,
76+
mainModuleBypass,
77+
]);
78+
79+
assert.notStrictEqual(result.status, 0);
80+
const stderr = result.stderr.toString();
81+
assert.match(stderr, /ERR_MANIFEST_DEPENDENCY_MISSING/);
82+
assert.match(stderr, /does not list os as a dependency specifier for conditions: require, node, node-addons/);
83+
}

0 commit comments

Comments
 (0)