child_process: harden the API

Ensure that the options object used by exec, execSync, execFile, execFileSync, spawn, spawnSync, and fork isn't susceptible to prototype pollution.

This is achieved by copying all the properties of the options object into another object that doesn't have a prototype.

Background

If an attacker is able to successfully pollute the prototype just before a call to exec, execSync, execFile, execFileSync, spawn, spawnSync, or fork, they will be able to perform RCE on most Linux systems by manipulating the env option.

Recommended alternative

If this PR doesn't land, or if you're running a version of Node.js that doesn't include this change, the recommended way to spawn a child process is:

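const { spawn } = require('child_process')

// Prototype-less options object with an explicit, prototype-less copy of the environment
const options = Object.create(null)
options.env = Object.assign(Object.create(null), process.env)
spawn(command, options) // command: the program to run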

By actively passing in an options object that contains an env property, you ensure that one isn't created internally which inherits from Object.prototype.

The above example uses spawn, but this approach is also relevant for exec, execSync, execFile, execFileSync, spawnSync, and fork.

Checklist

  • make -j4 test (UNIX), or vcbuild test (Windows) passes
  • tests and/or benchmarks are included
  • documentation is changed or added
  • commit message follows commit guidelines
  • Run child_process benchmarks
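
The copy-into-a-prototype-less-object pattern described above, as an added example (not code from this PR or from Node.js). `hardenOptions` is a hypothetical helper, and `PP_DEMO_MARKER` and the simulated pollution are constructed for the demonstration; the result can be passed to spawn and the other child_process functions.

```javascript
// Hypothetical helper: build the options object the way the description
// recommends, so nothing is ever looked up on Object.prototype.
function hardenOptions(options = {}) {
  // Object.assign copies own enumerable properties only; inherited
  // (possibly polluted) properties are left behind.
  const safe = Object.assign(Object.create(null), options);

  // Check for an *own* env. Reading options.env directly would walk the
  // prototype chain and pick up a polluted Object.prototype.env.
  const hasOwnEnv = Object.prototype.hasOwnProperty.call(options, 'env');
  const sourceEnv = hasOwnEnv ? options.env : process.env;

  // The env object itself must also be prototype-less.
  safe.env = Object.assign(Object.create(null), sourceEnv);
  return safe;
}

// Shows what a plain options object sees when Object.prototype has been
// polluted, next to what the hardened copy sees.
function demoInheritedEnv() {
  const callerOptions = { cwd: '/tmp' }; // the caller never set env

  // Constructed stand-in for a pollution bug elsewhere in the application.
  Object.prototype.env = { PP_DEMO_MARKER: 'inherited' };
  try {
    const safe = hardenOptions(callerOptions);
    return {
      // A plain object resolves .env through the prototype chain.
      plainEnvMarker: callerOptions.env.PP_DEMO_MARKER,
      // The hardened copy has no prototype and a clean env.
      safeHasProto: Object.getPrototypeOf(safe) !== null,
      safeEnvHasProto: Object.getPrototypeOf(safe.env) !== null,
      safeEnvMarker: safe.env.PP_DEMO_MARKER,
      safeCwd: safe.cwd,
    };
  } finally {
    delete Object.prototype.env; // undo the simulated pollution
  }
}

console.log(demoInheritedEnv());
```
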
