-
Notifications
You must be signed in to change notification settings - Fork 30.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
lib: Add option to disable __proto__ accessors #32279
Conversation
39a58eb
to
8a31826
Compare
Maybe clarify somewhere that this only affects the main Context? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm
Does this also impact worker threads? I think it should and we could also add an option there.
I'm also perfectly fine in landing this as this and opening an issue for worker threads etc.
Worker threads inherit their |
Does it feasible to add an option to ignore the |
@legendecas How would that differ from |
@addaleax I tried the PR locally, it doesn't seem to be effective on the case of delete since only $ node --disable-proto=delete -p '({ __proto__: Array.prototype }).push === Array.prototype.push'
true What I'm understanding/expecting is: $ node --disable-proto=delete -p '({ __proto__: Array.prototype }).push'
undefined |
@legendecas object literals do not use the getter/setter and are a special case of syntax. They are not problematic for assignment like the accessors and not part of the CVEs in question |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should update doc/node.1
too.
@cjihrig can you verify i did the node.1 change correctly? i just kind of guessed based on other entries... |
@devsnek you can run EDIT: It looks good at a quick glance, but I don't really know the format and need to view it with |
7489319
to
5559f5f
Compare
The given solution might not provide protection against the following test case: "use strict";
const assert = require('assert');
const vm = require('vm');
(function patchProto() {
const protoThrow = () => {throw new Error(`Illegal __proto__ access`)}
Object.defineProperty(Object.prototype, '__proto__', {get: protoThrow, set: protoThrow, enumerable: false, configurable: false});
})();
function getCrossRealmObject() {
const ctx = vm.createContext({});
vm.runInContext('value = {"foreign":1}', ctx);
return ctx.value;
}
function testProto() {
const payload = '{"__proto__": {"evil": true}}';
const x = getCrossRealmObject();
try {
Object.assign(x, JSON.parse(payload));
} catch (err) {}
assert(!x.evil);
}
testProto(); If it does, please add such a test! |
@Slayer95 See @addaleax's #32279 (comment):
|
Adds `--disable-proto` CLI option which can be set to `delete` or `throw`. Fixes nodejs#31951 PR-URL: nodejs#32279 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: David Carlier <devnexen@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Bradley Farias <bradley.meck@gmail.com> Reviewed-By: Chengzhong Wu <legendecas@gmail.com> Reviewed-By: Vladimir de Turckheim <vlad2t@hotmail.com>
Adds `--disable-proto` CLI option which can be set to `delete` or `throw`. Fixes #31951 PR-URL: #32279 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: David Carlier <devnexen@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Bradley Farias <bradley.meck@gmail.com> Reviewed-By: Chengzhong Wu <legendecas@gmail.com> Reviewed-By: Vladimir de Turckheim <vlad2t@hotmail.com>
Adds `--disable-proto` CLI option which can be set to `delete` or `throw`. Fixes #31951 PR-URL: #32279 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: David Carlier <devnexen@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Bradley Farias <bradley.meck@gmail.com> Reviewed-By: Chengzhong Wu <legendecas@gmail.com> Reviewed-By: Vladimir de Turckheim <vlad2t@hotmail.com>
macOS package notarization and a change in builder configuration: The macOS binaries for this release, and future 13.x releases, are now being compiled on macOS 10.15 (Catalina) with Xcode 11 to support package notarization, a requirement for installing on .pkg files on macOS 10.15 and later. Previous builds of Node.js 13.x were compiled on macOS 10.11 (El Capitan) with Xcode 10. As binaries are still being compiled to support a minimum of macOS 10.10 (Yosemite) we do not anticipate this having a negative impact on Node.js 13.x users with older versions of macOS. Notable changes: * build: * macOS package notarization (Rod Vagg) #31459 * deps: * update npm to 6.14.3 (Myles Borins) #32368 * update to uvwasi 0.0.6 (Colin Ihrig) #32309 * upgrade to libuv 1.35.0 (Colin Ihrig) #32204 * lib: * add --disable-proto option to cli (Gus Caplan) #32279 * node_report: * move diagnostic reports to stable (Colin Ihrig) #32242 * worker: * allow URL in Worker constructor (Antoine du HAMEL) #31664 * util: * use a global symbol for `util.promisify.custom` (ExE Boss) #31672 PR-URL: #32376
macOS package notarization and a change in builder configuration: The macOS binaries for this release, and future 13.x releases, are now being compiled on macOS 10.15 (Catalina) with Xcode 11 to support package notarization, a requirement for installing on .pkg files on macOS 10.15 and later. Previous builds of Node.js 13.x were compiled on macOS 10.11 (El Capitan) with Xcode 10. As binaries are still being compiled to support a minimum of macOS 10.10 (Yosemite) we do not anticipate this having a negative impact on Node.js 13.x users with older versions of macOS. Notable changes: * build: * macOS package notarization (Rod Vagg) #31459 * deps: * upgrade npm to 6.14.4 (Ruy Adorno) #32495 * update to uvwasi 0.0.6 (Colin Ihrig) #32309 * upgrade to libuv 1.35.0 (Colin Ihrig) #32204 * lib: * add --disable-proto option to cli (Gus Caplan) #32279 * node_report: * move diagnostic reports to stable (Colin Ihrig) #32242 * worker: * allow URL in Worker constructor (Antoine du HAMEL) #31664 * util: * use a global symbol for `util.promisify.custom` (ExE Boss) #31672 PR-URL: #32376
macOS package notarization and a change in builder configuration: The macOS binaries for this release, and future 13.x releases, are now being compiled on macOS 10.15 (Catalina) with Xcode 11 to support package notarization, a requirement for installing on .pkg files on macOS 10.15 and later. Previous builds of Node.js 13.x were compiled on macOS 10.11 (El Capitan) with Xcode 10. As binaries are still being compiled to support a minimum of macOS 10.10 (Yosemite) we do not anticipate this having a negative impact on Node.js 13.x users with older versions of macOS. Notable changes: * build: * macOS package notarization (Rod Vagg) #31459 * deps: * upgrade npm to 6.14.4 (Ruy Adorno) #32495 * update to uvwasi 0.0.6 (Colin Ihrig) #32309 * upgrade to libuv 1.35.0 (Colin Ihrig) #32204 * lib: * add --disable-proto option to cli (Gus Caplan) #32279 * node_report: * move diagnostic reports to stable (Colin Ihrig) #32242 * worker: * allow URL in Worker constructor (Antoine du HAMEL) #31664 * util: * use a global symbol for `util.promisify.custom` (ExE Boss) #31672 PR-URL: #32376
macOS package notarization and a change in builder configuration: The macOS binaries for this release, and future 13.x releases, are now being compiled on macOS 10.15 (Catalina) with Xcode 11 to support package notarization, a requirement for installing on .pkg files on macOS 10.15 and later. Previous builds of Node.js 13.x were compiled on macOS 10.11 (El Capitan) with Xcode 10. As binaries are still being compiled to support a minimum of macOS 10.10 (Yosemite) we do not anticipate this having a negative impact on Node.js 13.x users with older versions of macOS. Notable changes: * build: * macOS package notarization (Rod Vagg) #31459 * deps: * upgrade npm to 6.14.4 (Ruy Adorno) #32495 * update to uvwasi 0.0.6 (Colin Ihrig) #32309 * upgrade to libuv 1.35.0 (Colin Ihrig) #32204 * lib: * add --disable-proto option to cli (Gus Caplan) #32279 * node_report: * move diagnostic reports to stable (Colin Ihrig) #32242 * worker: * allow URL in Worker constructor (Antoine du HAMEL) #31664 * util: * use a global symbol for `util.promisify.custom` (ExE Boss) #31672 PR-URL: #32376
Adds `--disable-proto` CLI option which can be set to `delete` or `throw`. Fixes nodejs#31951 PR-URL: nodejs#32279 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: David Carlier <devnexen@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Bradley Farias <bradley.meck@gmail.com> Reviewed-By: Chengzhong Wu <legendecas@gmail.com> Reviewed-By: Vladimir de Turckheim <vlad2t@hotmail.com>
Adds `--disable-proto` CLI option which can be set to `delete` or `throw`. Fixes #31951 PR-URL: #32279 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: David Carlier <devnexen@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Bradley Farias <bradley.meck@gmail.com> Reviewed-By: Chengzhong Wu <legendecas@gmail.com> Reviewed-By: Vladimir de Turckheim <vlad2t@hotmail.com>
Adds
--disable-proto
CLI option which can be set todelete
orthrow
.Fixes #31951
Checklist
make -j4 test
(UNIX), orvcbuild test
(Windows) passes