-
Notifications
You must be signed in to change notification settings - Fork 29.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
src: add NODE_SECURITY_REVERT environment variable #52365
base: main
Are you sure you want to change the base?
Conversation
Review requested:
|
Some context in #52090 (comment). |
cc @anonrig If this can’t be defined in a |
I know we don't have any testing at this point, but I think definining a "dummy" security revert that can be used for tests could make sense. |
src/node.cc
Outdated
// Ignore the environment variable if the CLI argument was set. | ||
if (per_process::reverted_cve == 0) { | ||
std::string revert_error; | ||
for (const std::string_view& cve : SplitString(security_revert, ",")) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nit:
for (const std::string_view& cve : SplitString(security_revert, ",")) { | |
for (const auto& cve : SplitString(security_revert, ",")) { |
@anonrig Thank you for reviewing the implementation, I appreciate it. I admittedly threw this together during the collab summit rather quickly to discuss the idea, and if folks think this is the right approach, I'll be happy to fix up the implementation and mark it as ready for review :)
|
1b592f9
to
551fc8a
Compare
@GeoffreyBooth I added support for setting the variable through dotenv files. @mhdawson I added a test case. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
This comment was marked as outdated.
This comment was marked as outdated.
1279a29
to
06bf754
Compare
Added more tests to cover precedence rules. |
|
||
{ | ||
// Ignore the environment variable if the CLI argument was set. | ||
Mutex::ScopedLock lock(per_process::cli_options_mutex); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I wonder if we need to make them exclusive. I think it is already possible to revert a CVE twice from the command line so not sure we need to only allow one or the other?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
This comment was marked as off-topic.
This comment was marked as off-topic.
The conflict should be resolved by #52543. |
Can you rebase @tniessen? |
Some vendors do not allow passing custom command-line flags to the node executable. There are concerns around allowing --security-revert in NODE_OPTIONS because it might be inherited by child processes unintentionally. This patch introduces a new environment variable that, if set, is unset immediately unless it ends with "+sticky". Aside from that optional suffix, its value is a comma-separated list of CVE identifiers for which the respective security patches should be reverted. Closes: nodejs#52017
06bf754
to
9b16f6b
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Requesting changes until we resolve the coversation happening in #52090
It is big problem #52554 which is locked so we can only discuss here. yes we know we can use or else SHOULD WE have to translate this c routine into javascript? node/deps/uv/src/win/process.c Line 449 in a523c34
or else following this article? https://learn.microsoft.com/en-us/archive/blogs/twistylittlepassagesallalike/everyone-quotes-command-line-arguments-the-wrong-way |
FWIW, unlike any other operating system, Windows does not have a singular escaping mechanism for command-line arguments. Each executable potentially parses them differently. You can find a summary in golang/go#1849:
In other words, there is no single correct escaping algorithm for executing arbitrary child processes on Windows. libuv internally follows the default behavior of C applications that have been compiled using MSVC (essentially reverse-engineering
That looks mostly correct, except it will also fail when some executable does not follow the conventions of Unfortunately, this is a fundamental design mistake in Windows, and there is not much that Node.js can do about it. |
According to https://nodejs.org/en/blog/vulnerability/april-2024-security-releases-2
Why not solve the problem of the "improper handling"? Is it so complicated that a broken behaviour is the only solution? |
Some vendors do not allow passing custom command-line flags to the node executable. There are concerns around allowing
--security-revert
inNODE_OPTIONS
because it might be inherited by child processes unintentionally.This patch introduces a new environment variable that, if set, is unset immediately unless it ends with
"+sticky"
. Aside from that optional suffix, its value is a comma-separated list of CVE identifiers for which the respective security patches should be reverted.This is not a particularly elegant approach, but since this should only be used under exceptional circumstances, I am not too worried about that.
Closes: #52017