Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commit993bb3b

Browse files
lirantalmarco-ippolito
authored andcommitted
child_process: fix incomplete prototype pollution hardening
Prior pull request (#48726) hardened against prototype pollutionvulnerabilities but effectively missed some use-cases whichopened a window for prototype pollution for some child_processfunctions such as spawn(), spawnSync(), and execFileSync().PR-URL:#53781Reviewed-By: Vinícius Lourenço Claro Cardoso <contact@viniciusl.com.br>Reviewed-By: Matteo Collina <matteo.collina@gmail.com>Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
1 parent9c5beab commit993bb3b

File tree

2 files changed

+34
-1
lines changed

2 files changed

+34
-1
lines changed

‎lib/child_process.js

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -569,6 +569,7 @@ function normalizeSpawnArguments(file, args, options) {
569569
else
570570
validateObject(options,'options');
571571

572+
options={__proto__:null, ...options};
572573
letcwd=options.cwd;
573574

574575
// Validate the cwd, if present.

‎test/parallel/test-child-process-prototype-tampering.mjs

Lines changed: 33 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
import*ascommonfrom'../common/index.mjs';
22
import*asfixturesfrom'../common/fixtures.mjs';
33
import{EOL}from'node:os';
4-
import{strictEqual}from'node:assert';
4+
import{strictEqual,notStrictEqual,throws}from'node:assert';
55
importcpfrom'node:child_process';
66

77
// TODO(LiviaMedeiros): test on different platforms
@@ -57,3 +57,35 @@ for (const tamperedUID of [0, 1, 999, 1000, 0n, 'gwak']) {
5757

5858
deleteObject.prototype.execPath;
5959
}
60+
61+
for(constshellCommandArgumentof['-L && echo "tampered"']){
62+
Object.prototype.shell=true;
63+
constcmd='pwd';
64+
letcmdExitCode='';
65+
66+
constprogram=cp.spawn(cmd,[shellCommandArgument],{cwd:expectedCWD});
67+
program.stderr.on('data',common.mustCall());
68+
program.stdout.on('data',common.mustNotCall());
69+
70+
program.on('exit',common.mustCall((code)=>{
71+
notStrictEqual(code,0);
72+
}));
73+
74+
cp.execFile(cmd,[shellCommandArgument],{cwd:expectedCWD},
75+
common.mustCall((err)=>{
76+
notStrictEqual(err.code,0);
77+
})
78+
);
79+
80+
throws(()=>{
81+
cp.execFileSync(cmd,[shellCommandArgument],{cwd:expectedCWD});
82+
},(e)=>{
83+
notStrictEqual(e.status,0);
84+
returntrue;
85+
});
86+
87+
cmdExitCode=cp.spawnSync(cmd,[shellCommandArgument],{cwd:expectedCWD}).status;
88+
notStrictEqual(cmdExitCode,0);
89+
90+
deleteObject.prototype.shell;
91+
}

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp