mirror of
https://github.com/nodejs/node.git
synced 2025-04-30 15:41:06 +00:00
64b67779f7
An undocumented feature of the Win32 CreateProcess API allows spawning batch files directly but is potentially insecure because arguments are not escaped (and sometimes cannot be unambiguously escaped), hence why they are refused starting today. PR-URL: https://github.com/nodejs-private/node-private/pull/560 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Michael Dawson <midawson@redhat.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> CVE-ID: CVE-2024-27980
109 lines
3.0 KiB
JavaScript
109 lines
3.0 KiB
JavaScript
'use strict';
|
|
|
|
// Node.js on Windows should not be able to spawn batch files directly,
|
|
// only when the 'shell' option is set. An undocumented feature of the
|
|
// Win32 CreateProcess API allows spawning .bat and .cmd files directly
|
|
// but it does not sanitize arguments. We cannot do that automatically
|
|
// because it's sometimes impossible to escape arguments unambiguously.
|
|
//
|
|
// Expectation: spawn() and spawnSync() raise EINVAL if and only if:
|
|
//
|
|
// 1. 'shell' option is unset
|
|
// 2. Platform is Windows
|
|
// 3. Filename ends in .bat or .cmd, case-insensitive
|
|
//
|
|
// exec() and execSync() are unchanged.
|
|
|
|
const common = require('../common');
|
|
const cp = require('child_process');
|
|
const assert = require('assert');
|
|
const { isWindows } = common;
|
|
|
|
const arg = '--security-revert=CVE-2024-27980';
|
|
const isRevert = process.execArgv.includes(arg);
|
|
|
|
const expectedCode = isWindows && !isRevert ? 'EINVAL' : 'ENOENT';
|
|
const expectedStatus = isWindows ? 1 : 127;
|
|
|
|
const suffixes =
|
|
'BAT bAT BaT baT BAt bAt Bat bat CMD cMD CmD cmD CMd cMd Cmd cmd'
|
|
.split(' ');
|
|
|
|
if (process.argv[2] === undefined) {
|
|
const a = cp.spawnSync(process.execPath, [__filename, 'child']);
|
|
const b = cp.spawnSync(process.execPath, [arg, __filename, 'child']);
|
|
assert.strictEqual(a.status, 0);
|
|
assert.strictEqual(b.status, 0);
|
|
return;
|
|
}
|
|
|
|
function testExec(filename) {
|
|
return new Promise((resolve) => {
|
|
cp.exec(filename).once('exit', common.mustCall(function(status) {
|
|
assert.strictEqual(status, expectedStatus);
|
|
resolve();
|
|
}));
|
|
});
|
|
}
|
|
|
|
function testExecSync(filename) {
|
|
let e;
|
|
try {
|
|
cp.execSync(filename);
|
|
} catch (_e) {
|
|
e = _e;
|
|
}
|
|
if (!e) throw new Error(`Exception expected for ${filename}`);
|
|
assert.strictEqual(e.status, expectedStatus);
|
|
}
|
|
|
|
function testSpawn(filename, code) {
|
|
// Batch file case is a synchronous error, file-not-found is asynchronous.
|
|
if (code === 'EINVAL') {
|
|
let e;
|
|
try {
|
|
cp.spawn(filename);
|
|
} catch (_e) {
|
|
e = _e;
|
|
}
|
|
if (!e) throw new Error(`Exception expected for ${filename}`);
|
|
assert.strictEqual(e.code, code);
|
|
} else {
|
|
return new Promise((resolve) => {
|
|
cp.spawn(filename).once('error', common.mustCall(function(e) {
|
|
assert.strictEqual(e.code, code);
|
|
resolve();
|
|
}));
|
|
});
|
|
}
|
|
}
|
|
|
|
function testSpawnSync(filename, code) {
|
|
{
|
|
const r = cp.spawnSync(filename);
|
|
assert.strictEqual(r.error.code, code);
|
|
}
|
|
{
|
|
const r = cp.spawnSync(filename, { shell: true });
|
|
assert.strictEqual(r.status, expectedStatus);
|
|
}
|
|
}
|
|
|
|
testExecSync('./nosuchdir/nosuchfile');
|
|
testSpawnSync('./nosuchdir/nosuchfile', 'ENOENT');
|
|
for (const suffix of suffixes) {
|
|
testExecSync(`./nosuchdir/nosuchfile.${suffix}`);
|
|
testSpawnSync(`./nosuchdir/nosuchfile.${suffix}`, expectedCode);
|
|
}
|
|
|
|
go().catch((ex) => { throw ex; });
|
|
|
|
async function go() {
|
|
await testExec('./nosuchdir/nosuchfile');
|
|
await testSpawn('./nosuchdir/nosuchfile', 'ENOENT');
|
|
for (const suffix of suffixes) {
|
|
await testExec(`./nosuchdir/nosuchfile.${suffix}`);
|
|
await testSpawn(`./nosuchdir/nosuchfile.${suffix}`, expectedCode);
|
|
}
|
|
}
|