crypto: fix handling of malicious getters (scrypt) (!28838) · Merge requests · Rodrigo Test / Test Group-nodejs / node

Rodrigo Muino Tomonari requested to merge github/fork/tniessen/crypto-protect-scrypt-against-getters into master Jul 24, 2019

It is possible to bypass parameter validation in crypto.scrypt and crypto.scryptSync by crafting option objects with malicious getters as demonstrated in the regression test. After bypassing validation, any value can be passed to the C++ layer, causing an assertion to crash the process.

Fixes: https://github.com/nodejs/node/issues/28836

Checklist

make -j4 test (UNIX), or vcbuild test (Windows) passes
tests and/or benchmarks are included
commit message follows commit guidelines

Admin message

Admin message

crypto: fix handling of malicious getters (scrypt)

Checklist

Merge request reports