PR-URL: #50066

This reverts commit c8da8c8.

PR-URL: #50151
Reviewed-By: Rafael Gonzaga <[email protected]>
Reviewed-By: Jiawen Geng <[email protected]>

PR-URL: #47997
Backport-PR-URL: #50151
Reviewed-By: Rafael Gonzaga <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Marco Ippolito <[email protected]>

PR-URL: #48746
Backport-PR-URL: #50151
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Michaël Zasso <[email protected]>
Reviewed-By: Rafael Gonzaga <[email protected]>
Reviewed-By: Marco Ippolito <[email protected]>
Reviewed-By: Yagiz Nizipli <[email protected]>
Reviewed-By: Trivikram Kamat <[email protected]>

PR-URL: #48790
Backport-PR-URL: #50151
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Yongsheng Zhang <[email protected]>
Reviewed-By: Stephen Belanger <[email protected]>
Reviewed-By: Rafael Gonzaga <[email protected]>
Reviewed-By: Yagiz Nizipli <[email protected]>

PR-URL: #49582
Backport-PR-URL: #50151
Reviewed-By: Luigi Pinca <[email protected]>

PR-URL: #50121
Backport-PR-URL: #50151
Reviewed-By: Matteo Collina <[email protected]>
Reviewed-By: Michael Dawson <[email protected]>
Reviewed-By: Rich Trott <[email protected]>
Reviewed-By: Marco Ippolito <[email protected]>
Reviewed-By: Tobias Nießen <[email protected]>

Using the JavaScript Hash class is unsafe because its internals can be
tampered with. In particular, an application can cause
Hash.prototype.digest() to return arbitrary values, thus allowing to
circumvent the integrity verification that policies are supposed to
guarantee.

Add and use a new C++ binding internalVerifyIntegrity() that (hopefully)
cannot be tampered with from JavaScript.

PR-URL: nodejs-private/node-private#462
Backport-PR-URL: nodejs-private/node-private#493
Reviewed-By: Rafael Gonzaga <[email protected]>
CVE-ID: CVE-2023-38552

createDynamicModule() properly escapes import names, but not export
names. In WebAssembly, any string is a valid export name. Importing a
WebAssembly module that uses a non-identifier export name leads to
either a syntax error in createDynamicModule() or to code injection,
that is, to the evaluation of almost arbitrary JavaScript code outside
of the WebAssembly module.

To address this issue, adopt the same mechanism in createExport() that
createImport() already uses. Add tests for both exports and imports.

PR-URL: nodejs-private/node-private#461
Backport-PR-URL: nodejs-private/node-private#490
Reviewed-By: Rafael Gonzaga <[email protected]>
CVE-ID: CVE-2023-39333

fixup

fixup

PR-URL: #50047
Reviewed-By: Antoine du Hamel <[email protected]>
Reviewed-By: Filip Skokan <[email protected]>
Reviewed-By: Michaël Zasso <[email protected]>
Reviewed-By: Benjamin Gruenbaum <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Stephen Belanger <[email protected]>
Reviewed-By: Zeyu "Alex" Yang <[email protected]>

Signed-off-by: Matteo Collina <[email protected]>
PR-URL: #50153
Reviewed-By: Yagiz Nizipli <[email protected]>
Reviewed-By: Rafael Gonzaga <[email protected]>
Reviewed-By: Filip Skokan <[email protected]>
Reviewed-By: Matthew Aitken <[email protected]>
Reviewed-By: Marco Ippolito <[email protected]>
CVE-ID: CVE-2023-45143

This is a security release.

Notable changes:

* [CVE-2023-44487](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44487): `nghttp2` Security Release (High)
* [CVE-2023-45143](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45143): `undici` Security Release (High)
* [CVE-2023-38552](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38552): Integrity checks according to policies can be circumvented (Medium)
* [CVE-2023-39333](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39333): Code injection via WebAssembly export names (Low)

PR-URL: nodejs-private/node-private#492