jiangcuo/node - node - Gitea: Git with a cup of tea

jiangcuo/node

Fork 0

mirror of https://github.com/nodejs/node.git synced 2025-05-16 12:34:33 +00:00

Commit Graph

Author	SHA1	Message	Date
Tobias Nießen	e673c03629	policy: use tamper-proof integrity check function Using the JavaScript Hash class is unsafe because its internals can be tampered with. In particular, an application can cause Hash.prototype.digest() to return arbitrary values, thus allowing to circumvent the integrity verification that policies are supposed to guarantee. Add and use a new C++ binding internalVerifyIntegrity() that (hopefully) cannot be tampered with from JavaScript. PR-URL: https://github.com/nodejs-private/node-private/pull/462 Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> CVE-ID: CVE-2023-38552	2023-10-13 18:03:19 -03:00

Author

SHA1

Message

Date

Tobias Nießen

e673c03629

policy: use tamper-proof integrity check function

Using the JavaScript Hash class is unsafe because its internals can be
tampered with. In particular, an application can cause
Hash.prototype.digest() to return arbitrary values, thus allowing to
circumvent the integrity verification that policies are supposed to
guarantee.

Add and use a new C++ binding internalVerifyIntegrity() that (hopefully)
cannot be tampered with from JavaScript.

PR-URL: https://github.com/nodejs-private/node-private/pull/462
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
CVE-ID: CVE-2023-38552

2023-10-13 18:03:19 -03:00

1 Commits