how to query for known CVE before setting argument flag --security-revert=CVE-xxxx-xxxxx

[intersides]

What is the problem this feature will solve?

Will prevent node throwing an error that prevent it to run if it can be detected that setting --security-revert=CVE-xxxx-xxxxx might not be needed.

What is the feature you are proposing to solve the problem?

When running node on dockers under different architectures the --security-revert=CVE-2023-46809 is required to keep using a certain encryption padding, but based on different architecture this flag might cause node to not start at all.
Instead of figuring out for which architecture this flag is needed it would be helpful to query if it can be set without compromising the running application

What alternatives have you considered?

writing scripts that try to determine from the current host if the flag should be omitted, since the node version on the different hosts are the same (21) but based on different architecture this flag might not be necessary, ex: x86_64

[meyfa]

Maybe a better solution would be that passing the flag doesn't prevent Node.js from starting on any platforms? If the revert doesn't apply for some reason, it could simply be a no-op.

What is the specific error you're seeing?

[intersides]

I am getting: Error: Attempt to revert an unknown CVE [CVE-2023-46809]

One solution, maybe not too elegant is to run node from a script (using javascript as an example) that does a sort of preflight such:

const nodePreFlight = await spawnSync("node", ["--security-revert=CVE-2023-46809", "--eval", "console.log(1234);"]);
    
    if(nodePreFlight.stderr.toString() !== ""){
        if(nodePreFlight.stderr.toString().includes("Attempt to revert an unknown CVE")){
          //then run node without --security-revert
        }
    else{
         //then run node WITH "--security-revert=CVE-2023-46809"
        }
    }

[mhdawson]

Is the issue that you have different versions of Node.js, some which support --security-revert=CVE-2023-46809 and some that are older and don't?

Or

Is the issue that some versions of OpenSSL have the fix which Node.js detects and therefore --security-revert=CVE-2023-46809 is uncessary even though it is supported?

[intersides]

It is not about the version of Node.js since it is running in a docker image that it is based on v. 21 but it is affected in which architecture that docker image is built.
The same docker image with version 21 of Node will throw the error. If it is on a EC2 instance x86_64 based it will not. If it is in on MacOs Silicon or an EC2 which is arm based that it will.

[mhdawson]

The same docker image with version 21 of Node will throw the error or not. If it is on a EC2 instance x86_64 based it will not. If it is in on MacOs Silicon or an EC2 which is arm based that it will.

This is the part that does not make sense to me. For a given version of Node.js either the --sercurity-revert flag is available or it is not.

[intersides]

initially I was writing a bash script to use the --security-revert based on the detected architecture:

#!/bin/bash

command='uname -m';
arch=$(eval "$command");

echo "arc is $arch"

run_command="pm2 start main.mjs --no-daemon"

if [ $arch == "x86_64" ]; then
    echo "can run without fix";
else
    echo "should run with fix since architecture is $arch";
    run_command="pm2 start main.mjs --node-args=\"--security-revert=CVE-2023-46809\" --no-daemon"
fi

echo "run as $run_command";

then I changed to the pre-flight approach not to bother about the architecture

#!/bin/bash


CVE_revert=true

#do a preflight to determine if node support reverting of CVE-2023-46809
#NOTE: 2>&1 means: redirects standard error to standard output
PREFLIGHT_OUTPUT=$(node --security-revert=CVE-2023-46809 --eval "console.log('OK');" 2>&1)

if [[ $PREFLIGHT_OUTPUT == *"Attempt to revert an unknown CVE"* ]]; then
  CVE_revert=false
fi

echo "reverting CVE-2023-46809 support:$CVE_revert"

exec="main.mjs"
if [[ $CVE_revert = true ]]; then
   exec="main.mjs --node-args=\"--security-revert=CVE-2023-46809\""
fi

run_command="pm2 start $exec --no-daemon"

echo "running as: $run_command";

eval "npx $run_command"

this script runs inside a docker container that install nodejs 21

FROM python:3

RUN pip3 install pandas openpyxl xgboost==1.4.2 scikit-learn

RUN curl --silent --location https://deb.nodesource.com/setup_21.x | bash -
RUN apt-get update && apt-get upgrade -y && \
    apt-get install -y nodejs vim

RUN mkdir -p /opt/backend

ADD . /opt/backend

WORKDIR /opt/backend

RUN npm i --verbose

EXPOSE 3000

RUN chmod +x docker-run.sh

CMD ["./docker-run.sh"]

[github-actions]

There has been no activity on this feature request for 5 months. To help maintain relevant open issues, please add the never-stale Mark issue so that it is never considered stale label or close this issue if it should be closed. If not, the issue will be automatically closed 6 months after the last non-automated comment.
For more information on how the project manages feature requests, please consult the feature request management document.

[github-actions]

There has been no activity on this feature request and it is being closed. If you feel closing this issue is not the right thing to do, please leave a comment.

For more information on how the project manages feature requests, please consult the feature request management document.