child_process: check array readability in spawn #56625

Draft
wants to merge 1 commit into
base: main


@jazelly jazelly commented Jan 16, 2025

With previous example issues caused by prototype pollution, I don't think we should add a test, as this PR fixes it from a hard crash but does not guarantee a defined behaviour. For example,

```js
const {exec} = require('node:child_process');

Object.defineProperty(Array.prototype, "2", {
  set: function () {},
});

(async function () {
  exec('pwd', (err, stdout, stderr) => {
    console.log(stdout);
  });
})();
```

gives

```
node:internal/util/inspect:2063
      totalLength += output[i].length;
                               ^

TypeError: Cannot read properties of undefined (reading 'length')
    at isBelowBreakLength (node:internal/util/inspect:2063:32)
    at reduceToSingleString (node:internal/util/inspect:2106:13)
    at formatRaw (node:internal/util/inspect:1138:15)
    at formatValue (node:internal/util/inspect:883:10)
    at Object.inspect (node:internal/util/inspect:386:10)
    at TypeError.<anonymous> (node:internal/errors:1441:45)
    at getMessage (node:internal/errors:598:12)
    at new NodeError (node:internal/errors:470:20)
    at stdioStringToArray (node:internal/child_process:253:13)
    at getValidStdio (node:internal/child_process:997:13)

Node.js v24.0.0-pre
```

In case we do check if the array is readable in some other modules, the error would likely be different.

Fixes: #56531

@nodejs-github-bot nodejs-github-bot added the c++, child_process and needs-ci labels Jan 16, 2025

codecov bot commented Jan 16, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 89.20%. Comparing base (9230f22) to head (ad812e9).
Report is 139 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #56625      +/-   ##
==========================================
+ Coverage   89.17%   89.20%   +0.03%     
==========================================
  Files         662      663       +1     
  Lines      191761   192012     +251     
  Branches    36905    36929      +24     
==========================================
+ Hits       171006   171291     +285     
+ Misses      13620    13586      -34     
  Partials     7135     7135              
Files with missing lines Coverage Δ
lib/internal/child_process.js 94.97% <100.00%> (ø)

... and 95 files with indirect coverage changes

@jazelly jazelly force-pushed the fix-56531 branch 2 times, most recently from 872e7ce to e9296b7 Compare January 18, 2025 01:59
@jazelly jazelly changed the title from "src: check process wrap type emptiness in ParseStdioOptions" to "child_process: check array readability in spawn" Jan 18, 2025
@jazelly jazelly removed the c++ label Jan 18, 2025
@jakecastelli jakecastelli added the request-ci label Jan 18, 2025
@@ -247,6 +247,13 @@ function stdioStringToArray(stdio, channel) {
throw new ERR_INVALID_ARG_VALUE('stdio', stdio);
}

for (let i = 0; i < options.length; i++) {
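Review bot: The `for (let i = 0; i < options.length; i++)` loop that follows the `ERR_INVALID_ARG_VALUE` throw needs a comment saying why `stdioStringToArray` re-reads an array it has just built; without one it looks like dead code. Name the case it guards, an index accessor installed on `Array.prototype` as in #56531. The stack trace in the PR description also shows `stdioStringToArray` at line 253, inside this hunk's range, constructing a `NodeError` whose message formatting then fails in `util.inspect`, so it is worth checking that the error raised here does not pass the unreadable array itself as the value to be formatted.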
Member


Can you add a comment for future readers? FWIW, I think we should not "fix" this. There are probably other crashes like the one this is fixing if built-in prototypes are modified.

Member Author

@jazelly jazelly Jan 20, 2025


Yeah, I had the same thought. Sure, I will add a comment.

Edit: leaving this unresolved for more input.

Member


I think a less brittle and easier to understand fix would be to initialize the array with `let options;` and then use `options = [a, b, c]` instead of `ArrayPrototypePush`.
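The difference this suggestion relies on, as an added example that is not code from the PR: `push` writes elements by ordinary assignment, which reaches an accessor inherited from `Array.prototype`, while an array literal defines own data properties and never consults the prototype. `withIndexSetter`, `describe` and `buildBothWays` are hypothetical helper names, and the public `push` stands in for the internal `ArrayPrototypePush`.

```javascript
'use strict';

// Run fn while Array.prototype[index] is a setter-only accessor (the shape
// used in the PR description), then remove it so later code is unaffected.
function withIndexSetter(index, fn) {
  Object.defineProperty(Array.prototype, index, {
    set() {},           // swallows writes; no getter, so reads give undefined
    configurable: true, // lets the finally block delete it again
  });
  try {
    return fn();
  } finally {
    delete Array.prototype[index];
  }
}

// Summarise an array by own-property checks, without util.inspect.
function describe(arr) {
  const own = [];
  for (let i = 0; i < arr.length; i++) {
    own.push(Object.prototype.hasOwnProperty.call(arr, i));
  }
  return { length: arr.length, own, values: Array.from(arr) };
}

// Build the same three-element list both ways while the accessor is installed.
function buildBothWays() {
  const built = withIndexSetter('2', () => {
    const pushed = [];
    // push() assigns each element; index 2 is routed to the inherited setter
    // and dropped, yet length still becomes 3.
    pushed.push('pipe', 'pipe', 'pipe');
    // A literal defines own data properties and ignores the prototype.
    const literal = ['pipe', 'pipe', 'pipe'];
    return { pushed, literal };
  });
  // Inspect only after the accessor is gone.
  return { pushed: describe(built.pushed), literal: describe(built.literal) };
}

console.log(JSON.stringify(buildBothWays()));
```

The pushed array ends up with a hole at index 2 that any later consumer reads as `undefined`, while the literal is intact.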

@github-actions github-actions bot added the request-ci-failed label and removed the request-ci label Jan 21, 2025
Contributor

Failed to start CI
   ⚠  No approving reviews found
   ✘  Refusing to run CI on potentially unsafe PR
https://github.com/nodejs/node/actions/runs/12894525741

Co-authored-by: Jake Yuesong Li <jake.yuesong@gmail.com>
@jazelly jazelly marked this pull request as draft January 30, 2025 06:39
Development

Successfully merging this pull request may close these issues.

FATAL ERROR: v8::ToLocalChecked Empty MaybeLocal