child_process: harden the API
Ensure that the options object used by exec, execSync, execFile, execFileSync, spawn, spawnSync, and fork isn't susceptible to prototype pollution.
This is achieved by copying all the properties of the options object into another object that doesn't have a prototype.
Background
If an attacker is able to successfully pollute the prototype just before a call to exec, execSync, execFile, execFileSync, spawn, spawnSync, or fork, they will be able to perform RCE on most Linux systems by manipulating the env option.
Recommended alternative
If this PR doesn't land, or if you're running a version of Node.js that doesn't include this change, the recommended way to spawn a child process is:
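```js
const { spawn } = require('child_process')
// Neither object has a prototype, so nothing is inherited from Object.prototype
const options = Object.create(null)
options.env = Object.assign(Object.create(null), process.env)
spawn(command, options)
```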
By actively passing in an options object that contains an env property you ensure that one isn't created internally which inherits from Object.prototype.
The above example uses spawn, but this approach is also relevant for exec, execSync, execFile, execFileSync, spawnSync, and fork.
Checklist
- make -j4 test (UNIX), or vcbuild test (Windows) passes
- tests and/or benchmarks are included
- documentation is changed or added
- commit message follows commit guidelines
- Run child_process benchmarks
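
The property lookup behind the Background and Recommended alternative sections, as an added example that is not code from this PR or from Node.js. It compares a plain options object with a null-prototype copy while Object.prototype carries a harmless marker, and starts no child process. The helper names hardenOptions and buildChildEnv, the DEMO_MARKER key and the /tmp path are assumptions made for the illustration.

```javascript
// Added example: constructed input, no child process is started.
// hardenOptions and buildChildEnv are hypothetical helper names.

// Null-prototype snapshot of the environment intended for the child.
function buildChildEnv(env) {
  return Object.assign(Object.create(null), env === undefined ? process.env : env);
}

// Copy only the caller's own properties into an object with no prototype,
// then set env explicitly so no later lookup can fall through to a prototype.
function hardenOptions(options) {
  const hardened = Object.assign(Object.create(null), options);
  hardened.env = buildChildEnv(hardened.env);
  return hardened;
}

// Simulate pollution with a harmless marker and report what each style of
// options object resolves. Object.prototype is restored afterwards.
function compareLookups() {
  const callerOptions = { cwd: '/tmp' }; // constructed: the caller set no env
  Object.prototype.env = { DEMO_MARKER: 'from-prototype' };
  try {
    const hardened = hardenOptions(callerOptions);
    const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
    return {
      // The plain object has no own env, yet options.env resolves to a value.
      plainInheritsEnv: !hasOwn(callerOptions, 'env') && callerOptions.env !== undefined,
      hardenedHasOwnEnv: hasOwn(hardened, 'env'),
      markerInHardenedEnv: 'DEMO_MARKER' in hardened.env,
      hardenedProto: Object.getPrototypeOf(hardened),
      cwdPreserved: hardened.cwd === '/tmp',
    };
  } finally {
    delete Object.prototype.env;
  }
}
```
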