child_process: check array readability in spawn #56625

Open
wants to merge 2 commits into
base: main

Member

@jazelly jazelly commented Jan 16, 2025

With previous example issues caused by prototype pollution, I don't think we should add a test, as this PR fixes it from a hard crash, but does not guarantee a defined behaviour. For example,

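```js
const {exec} = require('node:child_process');

// Setter-only accessor on Array.prototype: a write to index 2 of any array
// that has no own element there is swallowed by this setter.
Object.defineProperty(Array.prototype, "2", {
  set: function () {},
});

(async function () {
  // exec() reaches stdioStringToArray in node:internal/child_process (see trace).
  exec('pwd', (err, stdout, stderr) => {
    console.log(stdout);
  });
})();
```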

gives

```
node:internal/util/inspect:2063
      totalLength += output[i].length;
                               ^

TypeError: Cannot read properties of undefined (reading 'length')
    at isBelowBreakLength (node:internal/util/inspect:2063:32)
    at reduceToSingleString (node:internal/util/inspect:2106:13)
    at formatRaw (node:internal/util/inspect:1138:15)
    at formatValue (node:internal/util/inspect:883:10)
    at Object.inspect (node:internal/util/inspect:386:10)
    at TypeError.<anonymous> (node:internal/errors:1441:45)
    at getMessage (node:internal/errors:598:12)
    at new NodeError (node:internal/errors:470:20)
    at stdioStringToArray (node:internal/child_process:253:13)
    at getValidStdio (node:internal/child_process:997:13)

Node.js v24.0.0-pre
```

In case we do check if the array is readable in some other modules, the error would likely be different.

Fixes: #56531

@nodejs-github-bot added the c++, child_process and needs-ci labels Jan 16, 2025

codecov bot commented Jan 16, 2025

Codecov Report

Attention: Patch coverage is 62.50000% with 3 lines in your changes missing coverage. Please review.

Project coverage is 89.20%. Comparing base (9230f22) to head (eed306c).
Report is 66 commits behind head on main.

Files with missing lines Patch % Lines
lib/internal/child_process.js 62.50% 3 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main   #56625      +/-   ##
==========================================
+ Coverage   89.17%   89.20%   +0.03%     
==========================================
  Files         662      662              
  Lines      191761   191901     +140     
  Branches    36905    36937      +32     
==========================================
+ Hits       171006   171194     +188     
+ Misses      13620    13546      -74     
- Partials     7135     7161      +26     
Files with missing lines Coverage Δ
lib/internal/child_process.js 94.75% <62.50%> (-0.23%) ⬇️

... and 78 files with indirect coverage changes

@jazelly changed the title from "src: check process wrap type emptiness in ParseStdioOptions" to "child_process: check array readability in spawn" Jan 18, 2025
@jazelly removed the c++ label Jan 18, 2025
@jakecastelli added the request-ci label Jan 18, 2025
@@ -247,6 +247,13 @@ function stdioStringToArray(stdio, channel) {
throw new ERR_INVALID_ARG_VALUE('stdio', stdio);
}

for (let i = 0; i < options.length; i++) {
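
Review bot: the `for (let i = 0; i < options.length; i++)` loop added in `stdioStringToArray` has no comment saying why an array the function has just built is re-checked index by index, and without one it reads as dead code. Say above the loop that it guards against an accessor defined on `Array.prototype` (the case in the PR description) leaving an index without a readable value, and name the error a caller should expect. Codecov reports 3 of the changed lines in lib/internal/child_process.js as uncovered, so the failing branch is probably never executed; the comment should say that too if no test is added.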
Member

Can you add a comment for future readers? FWIW, I think we should not "fix" this. There are probably other crashes like the one this is fixing if built-in prototypes are modified.

Member Author

@jazelly jazelly Jan 20, 2025

Yeah, I had the same thought. Sure, I will add a comment.

Edit: leaving this unresolved for more input.

Member

I think a less brittle and easier to understand fix would be to initialize the array with `let options;` and then use `options = [a, b, c]` instead of `ArrayPrototypePush`
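
The difference between the array-literal suggestion in the review comment above and `ArrayPrototypePush`, run under the same `Array.prototype` accessor as the reproducer. This is an added example, not code from the PR or from Node.js: `withPollutedIndex`, `buildWithPush`, `buildWithLiteral`, `firstUnreadableIndex` and `demo` are hypothetical names, and the own-property test is one assumed way to check readability.

```javascript
// Added illustration; not Node.js source. All function names are hypothetical.
// Stand-in for Node's internal ArrayPrototypePush primordial.
const ArrayPrototypePush = Function.prototype.call.bind(Array.prototype.push);

// Run fn while Array.prototype[index] is a setter-only accessor, as in the
// reproducer; configurable: true is added here so it can be removed again.
function withPollutedIndex(index, fn) {
  Object.defineProperty(Array.prototype, index, { set() {}, configurable: true });
  try {
    return fn();
  } finally {
    delete Array.prototype[index];
  }
}

// push() does an ordinary [[Set]]: it finds the inherited setter and calls it
// instead of creating an own element, yet still bumps length.
function buildWithPush(stdio) {
  const options = [];
  ArrayPrototypePush(options, stdio, stdio, stdio);
  return options;
}

// An array literal defines own data properties; the prototype is not consulted.
function buildWithLiteral(stdio) {
  return [stdio, stdio, stdio];
}

// One possible readability check: first index that is not an own property.
function firstUnreadableIndex(arr) {
  for (let i = 0; i < arr.length; i++) {
    if (!Object.prototype.hasOwnProperty.call(arr, i)) return i;
  }
  return -1;
}

function demo() {
  return withPollutedIndex('2', () => {
    const pushed = buildWithPush('pipe');
    const literal = buildWithLiteral('pipe');
    return {
      pushedLength: pushed.length,
      pushedHole: firstUnreadableIndex(pushed),
      pushedThird: pushed[2],
      literalHole: firstUnreadableIndex(literal),
      literalThird: literal[2],
    };
  });
}
```

The pushed array reports a length of 3 while index 2 reads as `undefined`, which is the shape that later fails on `output[i].length` in the trace; the literal is unaffected.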

@github-actions bot added the request-ci-failed label and removed the request-ci label Jan 21, 2025
Contributor

Failed to start CI
   ⚠  No approving reviews found
   ✘  Refusing to run CI on potentially unsafe PR
https://github.com/nodejs/node/actions/runs/12894525741

Successfully merging this pull request may close these issues.

FATAL ERROR: v8::ToLocalChecked Empty MaybeLocal
7 participants