PR-URL: #49932

Using the JavaScript Hash class is unsafe because its internals can be
tampered with. In particular, an application can cause
Hash.prototype.digest() to return arbitrary values, thus allowing to
circumvent the integrity verification that policies are supposed to
guarantee.

Add and use a new C++ binding internalVerifyIntegrity() that (hopefully)
cannot be tampered with from JavaScript.

PR-URL: nodejs-private/node-private#462
Reviewed-By: Rafael Gonzaga <[email protected]>
CVE-ID: CVE-2023-38552

createDynamicModule() properly escapes import names, but not export
names. In WebAssembly, any string is a valid export name. Importing a
WebAssembly module that uses a non-identifier export name leads to
either a syntax error in createDynamicModule() or to code injection,
that is, to the evaluation of almost arbitrary JavaScript code outside
of the WebAssembly module.

To address this issue, adopt the same mechanism in createExport() that
createImport() already uses. Add tests for both exports and imports.

PR-URL: nodejs-private/node-private#461
Backport-PR-URL: nodejs-private/node-private#489
Reviewed-By: Rafael Gonzaga <[email protected]>
CVE-ID: CVE-2023-39333

fixup

fixup

PR-URL: #50047
Reviewed-By: Antoine du Hamel <[email protected]>
Reviewed-By: Filip Skokan <[email protected]>
Reviewed-By: Michaël Zasso <[email protected]>
Reviewed-By: Benjamin Gruenbaum <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Stephen Belanger <[email protected]>
Reviewed-By: Zeyu "Alex" Yang <[email protected]>

Signed-off-by: Matteo Collina <[email protected]>
PR-URL: #50153
Reviewed-By: Yagiz Nizipli <[email protected]>
Reviewed-By: Rafael Gonzaga <[email protected]>
Reviewed-By: Filip Skokan <[email protected]>
Reviewed-By: Matthew Aitken <[email protected]>
Reviewed-By: Marco Ippolito <[email protected]>
CVE-ID: CVE-2023-45143

PR-URL: #50121
Reviewed-By: Matteo Collina <[email protected]>
Reviewed-By: Michael Dawson <[email protected]>
Reviewed-By: Rich Trott <[email protected]>
Reviewed-By: Marco Ippolito <[email protected]>
Reviewed-By: Tobias Nießen <[email protected]>
CVE-ID: CVE-2023-44487

Always use the original implementation of pathModule.resolve. If the
application overwrites the value of pathModule.resolve with a custom
implementation, it should not have any effect on the permission model.

PR-URL: nodejs-private/node-private#456
Reviewed-By: Rafael Gonzaga <[email protected]>
CVE-ID: CVE-2023-39331

Previous security patches addressed path traversal vulnerabilities for
string and Buffer inputs, but ignored Uint8Array inputs. This commit
fixes the existing logic to account for the latter.

The previous implementation would silently ignore unexpected inputs,
whereas this commit introduces an explicit assertion to prevent that
unsafe behavior.

PR-URL: nodejs-private/node-private#456
Reviewed-By: Rafael Gonzaga <[email protected]>
CVE-ID: CVE-2023-39332

This is a security release.

Notable changes:

* CVE-2023-44487: `nghttp2` Security Release (High)
* CVE-2023-45143: `undici` Security Release (High)
* CVE-2023-39332: Path traversal through path stored in Uint8Array (High)
* CVE-2023-39331: Permission model improperly protects against path traversal (High)
* CVE-2023-38552:  Integrity checks according to policies can be circumvented (Medium)
* CVE-2023-39333: Code injection via WebAssembly export names (Low)

PR-URL: nodejs-private/node-private#491