Skip to content

Commit 1b592f9

Browse files
tniessentniessen
committed
src: add NODE_SECURITY_REVERT environment variable
Some vendors do not allow passing custom command-line flags to the node executable. There are concerns around allowing --security-revert in NODE_OPTIONS because it might be inherited by child processes unintentionally. This patch introduces a new environment variable that, if set, is unset immediately unless it ends with "+sticky". Aside from that optional suffix, its value is a comma-separated list of CVE identifiers for which the respective security patches should be reverted. Closes: #52017
1 parent d7aa8fc commit 1b592f9

1 file changed

Lines changed: 30 additions & 0 deletions

File tree

src/node.cc

Lines changed: 30 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -956,6 +956,36 @@ static ExitCode InitializeNodeWithArgsInternal(
956956
if (exit_code != ExitCode::kNoFailure) return exit_code;
957957
}
958958

959+
std::string security_revert;
960+
if (credentials::SafeGetenv("NODE_SECURITY_REVERT", &security_revert)) {
961+
Mutex::ScopedLock lock(per_process::cli_options_mutex);
962+
// We unset the environment variable by default to prevent it from being
963+
// inherited by child processes. This can be prevented by the user by
964+
// appending "+sticky" to the value of the environment variable.
965+
bool sticky = false;
966+
size_t maybe_sticky_pos = security_revert.length() - strlen("+sticky");
967+
if (security_revert.rfind("+sticky") == maybe_sticky_pos) {
968+
security_revert.erase(maybe_sticky_pos);
969+
sticky = true;
970+
}
971+
// Ignore the environment variable if the CLI argument was set.
972+
if (per_process::reverted_cve == 0) {
973+
std::string revert_error;
974+
for (const std::string_view& cve : SplitString(security_revert, ",")) {
975+
Revert(std::string(cve).c_str(), &revert_error);
976+
if (!revert_error.empty()) {
977+
errors->emplace_back(std::move(revert_error));
978+
// TODO(joyeecheung): merge into kInvalidCommandLineArgument.
979+
return ExitCode::kInvalidCommandLineArgument2;
980+
}
981+
}
982+
}
983+
// Unset the environment variable unless it has been marked as sticky.
984+
if (!sticky) {
985+
uv_os_unsetenv("NODE_SECURITY_REVERT");
986+
}
987+
}
988+
959989
// Set the process.title immediately after processing argv if --title is set.
960990
if (!per_process::cli_options->title.empty())
961991
uv_set_process_title(per_process::cli_options->title.c_str());

0 commit comments

Comments
 (0)