The kDisableNodeOptionsEnv option can be work around by using NODE_REPL_EXTERNAL_MODULE env #51227
Labels
security
Issues and PRs related to security.
Comments
|
@nodejs/security-wg |
|
Dotenv isn't the correct label (no dotenv file), buts AFAIK the closest to env variables |
|
@zcbenz While the first option is trivial I assume it will be a breaking change for all users that rely on the current behavior. I believe a new flag should be a safer approach. Honestly, I'm fine with both options. cc: @nodejs/tsc |
EliphazBouye
pushed a commit
to EliphazBouye/node
that referenced
this issue
Jun 20, 2024
PR-URL: nodejs#52905 Fixes: nodejs#51227 Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com> Reviewed-By: Juan José Arboleda <soyjuanarbol@gmail.com>
bmeck
pushed a commit
to bmeck/node
that referenced
this issue
Jun 22, 2024
PR-URL: nodejs#52905 Fixes: nodejs#51227 Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com> Reviewed-By: Juan José Arboleda <soyjuanarbol@gmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Node has an
kDisableNodeOptionsEnvembedder flag that disablesNODE_OPTIONSenv to avoid injecting external code into apps, however it can be bypassed by using theNODE_REPL_EXTERNAL_MODULEenv as reported by electron/electron#40770.I understand
kDisableNodeOptionsEnvonly means to disableNODE_OPTIONSenv, but if we don't also disableNODE_REPL_EXTERNAL_MODULEthe protection would become meaningless.I think we have 2 options to fix this:
NODE_REPL_EXTERNAL_MODULEenv whenkDisableNodeOptionsEnvis used.kDisableNodeOptionsEnvand add a new flag that disables all possible ways to inject code.I wonder which one would be preferred by Node team. /cc @addaleax @joyeecheung @bnoordhuis
The text was updated successfully, but these errors were encountered: