author | Shelley Vohr <shelley.vohr@gmail.com> | 2019-10-23 11:06:57 -0700 |
---|---|---|
committer | Shelley Vohr <shelley.vohr@gmail.com> | 2019-10-28 08:15:08 -0700 |
commit | 1d89c5d1e16d67962db2735efc601b48bd78255d (patch) | |
tree | d6f2ec8fca92b22d178fab89428d0a873fc47316 | |
parent | 511f67bcb42b59c9a3a3efab8fed578db100afe1 (diff) | |
cli: whitelist new V8 flag in NODE_OPTIONS
Explicitly whitelists --disallow-code-generation-from-strings in
NODE_OPTIONS as a new V8 flag. This flag prevents strings like eval()
from performing code generation.
PR-URL: https://github.com/nodejs/node/pull/30094
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: Gus Caplan <me@gus.host>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
-rw-r--r-- | doc/api/cli.md | 10 |
-rw-r--r-- | doc/node.1 | 5 |
-rw-r--r-- | src/node_options.cc | 4 |
-rw-r--r-- | test/parallel/test-cli-node-options.js | 1 |
4 files changed, 20 insertions, 0 deletions
diff --git a/doc/api/cli.md b/doc/api/cli.md index 2830f90358..d9d7d3ad5e 100644 --- a/doc/api/cli.md +++ b/doc/api/cli.md @@ -127,6 +127,15 @@ added: v12.0.0 Specify the file name of the CPU profile generated by `--cpu-prof`. +### `--disallow-code-generation-from-strings` +<!-- YAML +added: v9.8.0 +--> + +Make built-in language features like `eval` and `new Function` that generate +code from strings throw an exception instead. This does not affect the Node.js +`vm` module. + ### `--enable-fips` <!-- YAML added: v6.0.0 @@ -1079,6 +1088,7 @@ Node.js options that are allowed are: V8 options that are allowed are: <!-- node-options-v8 start --> * `--abort-on-uncaught-exception` +* `--disallow-code-generation-from-strings` * `--interpreted-frames-native-stack` * `--max-old-space-size` * `--perf-basic-prof-only-functions` diff --git a/doc/node.1 b/doc/node.1 index 9af077fc96..e9b7855b9b 100644 --- a/doc/node.1 +++ b/doc/node.1 @@ -100,6 +100,11 @@ The default is File name of the V8 CPU profile generated with .Fl -cpu-prof . +.It Fl -disallow-code-generation-from-strings +Make built-in language features like `eval` and `new Function` that generate +code from strings throw an exception instead. This does not affect the Node.js +`vm` module. +. .It Fl -enable-fips Enable FIPS-compliant crypto at startup. Requires Node.js to be built with diff --git a/src/node_options.cc b/src/node_options.cc index 8ec469d3ac..695d7cee65 100644 --- a/src/node_options.cc +++ b/src/node_options.cc @@ -589,6 +589,10 @@ PerIsolateOptionsParser::PerIsolateOptionsParser( V8Option{}, kAllowedInEnvironment); AddOption("--stack-trace-limit", "", V8Option{}, kAllowedInEnvironment); + AddOption("--disallow-code-generation-from-strings", + "disallow eval and friends", + V8Option{}, + kAllowedInEnvironment); #ifdef NODE_REPORT AddOption("--report-uncaught-exception", diff --git a/test/parallel/test-cli-node-options.js b/test/parallel/test-cli-node-options.js index 7e42139470..698f463b62 100644 
--- a/test/parallel/test-cli-node-options.js +++ b/test/parallel/test-cli-node-options.js @@ -60,6 +60,7 @@ if (common.hasCrypto) { // V8 options expect('--abort_on-uncaught_exception', 'B\n'); +expect('--disallow-code-generation-from-strings', 'B\n'); expect('--max-old-space-size=0', 'B\n'); expect('--stack-trace-limit=100', /(\s*at f \(\[eval\]:1:\d*\)\r?\n){100}/, |
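Review bot: in doc/api/cli.md (hunk at -127), the new section's YAML block carries only `added: v9.8.0`, so nothing records when the flag became permitted in `NODE_OPTIONS`, which is the behaviour this commit changes. Someone hardening a deployment through the environment variable on an older release has no way to tell from the docs whether the setting is accepted there. Suggest adding a `changes:` entry to the YAML block that references this PR, and confirming that v9.8.0 is the right version for the flag itself, since the section is new in this commit.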
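Review bot: in doc/node.1 (hunk at -100), the added text uses Markdown backticks around `eval`, `new Function` and `vm`, which the man page formatter will print literally. The surrounding lines use mdoc macros (`.It Fl`, `.Fl -cpu-prof`), so the identifiers should be marked up the same way or left as plain words, rather than copied verbatim from cli.md.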
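Review bot: in src/node_options.cc (hunk at -589), the help string "disallow eval and friends" is vaguer than the documentation added in the same commit, and it omits the caveat that the `vm` module is not affected. Since this is a security-relevant switch, suggest wording the help text so that it names `eval` and `new Function` explicitly, matching cli.md, so that `--help` output does not overstate what the flag blocks.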
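Review bot: in test/parallel/test-cli-node-options.js (hunk at -60), the added line `expect('--disallow-code-generation-from-strings', 'B\n');` asserts only the same 'B\n' output as the neighbouring flags, so as far as the visible lines show it checks that the option is accepted from `NODE_OPTIONS` and not that it takes effect. A regression where the flag is allowed but silently ignored would still pass. Suggest adding a case that runs a script calling `eval` with the flag set through `NODE_OPTIONS` and asserts that it throws.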