Commit Graph

3 Commits

Author SHA1 Message Date
RafaelGSS
39f207023a src: handle permissive extension on cmd check
PR-URL: https://github.com/nodejs-private/node-private/pull/596
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
CVE-ID: CVE-2024-36138
2024-07-08 15:38:39 -03:00
Tobias Nießen
3790d524c1 src: remove erroneous CVE-2024-27980 revert option
No security reverts should exist on the main branch.

PR-URL: https://github.com/nodejs/node/pull/52543
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Yagiz Nizipli <yagiz.nizipli@sentry.io>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
2024-04-18 13:09:09 +00:00
Ben Noordhuis
64b67779f7 src: disallow direct .bat and .cmd file spawning
An undocumented feature of the Win32 CreateProcess API allows spawning
batch files directly but is potentially insecure because arguments are
not escaped (and sometimes cannot be unambiguously escaped), hence why
they are refused starting today.

PR-URL: https://github.com/nodejs-private/node-private/pull/560
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
CVE-ID: CVE-2024-27980
2024-04-10 17:11:15 -03:00