File CVE-2023-30581.patch of Package nodejs14.30230
commit a6f4e87bc913ff18c1859b8a350c24f744355e66
Author: RafaelGSS <rafael.nunu@hotmail.com>
Date: Mon May 29 16:40:15 2023 -0300
policy: handle mainModule.__proto__ bypass
Backport-PR-URL: https://github.com/nodejs-private/node-private/pull/418
PR-URL: https://github.com/nodejs-private/node-private/pull/416
Fixes: https://hackerone.com/bugs?subject=nodejs&report_id=1877919
Reviewed-By: Rich Trott <rtrott@gmail.com>
CVE-ID: CVE-2023-30581
diff --git a/lib/internal/modules/cjs/loader.js b/lib/internal/modules/cjs/loader.js
index 93681ea243..97bb6e5b13 100644
--- a/lib/internal/modules/cjs/loader.js
+++ b/lib/internal/modules/cjs/loader.js
@@ -226,6 +226,8 @@ function Module(id = '', parent) {
redirects = policy.manifest.getDependencyMapper(moduleURL);
// TODO(rafaelgss): remove the necessity of this branch
setOwnProperty(this, 'require', makeRequireFunction(this, redirects));
+ // eslint-disable-next-line no-proto
+ setOwnProperty(this.__proto__, 'require', makeRequireFunction(this, redirects));
}
this[require_private_symbol] = internalRequire;
}
@@ -892,7 +894,7 @@ Module._load = function(request, parent, isMain) {
const module = cachedModule || new Module(filename, parent);
if (isMain) {
- process.mainModule = module;
+ setOwnProperty(process, 'mainModule', module);
setOwnProperty(module.require, 'main', process.mainModule);
module.id = '.';
}
diff --git a/test/fixtures/policy-manifest/main-module-proto-bypass.js b/test/fixtures/policy-manifest/main-module-proto-bypass.js
new file mode 100644
index 0000000000..6111aae140
--- /dev/null
+++ b/test/fixtures/policy-manifest/main-module-proto-bypass.js
@@ -0,0 +1 @@
+process.mainModule.__proto__.require("os")
diff --git a/test/parallel/test-policy-manifest.js b/test/parallel/test-policy-manifest.js
index f8bebdf4cf..5dfadb3631 100644
--- a/test/parallel/test-policy-manifest.js
+++ b/test/parallel/test-policy-manifest.js
@@ -66,3 +66,18 @@ const fixtures = require('../common/fixtures.js');
assert.strictEqual(result.status, 0);
}
+
+{
+ const policyFilepath = fixtures.path('policy-manifest', 'onerror-exit.json');
+ const mainModuleBypass = fixtures.path('policy-manifest', 'main-module-proto-bypass.js');
+ const result = spawnSync(process.execPath, [
+ '--experimental-policy',
+ policyFilepath,
+ mainModuleBypass,
+ ]);
+
+ assert.notStrictEqual(result.status, 0);
+ const stderr = result.stderr.toString();
+ assert.match(stderr, /ERR_MANIFEST_DEPENDENCY_MISSING/);
+ assert.match(stderr, /does not list os as a dependency specifier for conditions: require, node, node-addons/);
+}