crypto: fix handling of malicious getters (scrypt)

It is possible to bypass parameter validation in crypto.scrypt and crypto.scryptSync by crafting option objects with malicious getters as demonstrated in the regression test. After bypassing validation, any value can be passed to the C++ layer, causing an assertion to crash the process. Fixes: https://github.com/nodejs/node/issues/28836 PR-URL: https://github.com/nodejs/node/pull/28838 Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
author: Tobias Nießen <tniessen@tnie.de> 2019-07-23 15:12:32 +0200
committer: Rich Trott <rtrott@gmail.com> 2019-07-26 10:19:28 -0700
commit: 499533f72a2dce111d6fde9c21b90b51fff35ab6 (patch)
tree: 158578631061383799317944243c883867758f72 /lib/internal/crypto
parent: 31d9b2f14fe9851b530c213b92e14b4646f6d131 (diff)
download: android-node-v8-499533f72a2dce111d6fde9c21b90b51fff35ab6.tar.gz
android-node-v8-499533f72a2dce111d6fde9c21b90b51fff35ab6.tar.bz2
android-node-v8-499533f72a2dce111d6fde9c21b90b51fff35ab6.zip
1 files changed, 6 insertions, 6 deletions
diff --git a/lib/internal/crypto/scrypt.js b/lib/internal/crypto/scrypt.js
index 2705611832..e2751f8fa5 100644
--- a/lib/internal/crypto/scrypt.js
+++ b/lib/internal/crypto/scrypt.js
@@ -80,31 +80,31 @@ function check(password, salt, keylen, options) {
   if (options && options !== defaults) {
     let has_N, has_r, has_p;
     if (has_N = (options.N !== undefined)) {
-      validateUint32(options.N, 'N');
       N = options.N;
+      validateUint32(N, 'N');
     }
     if (options.cost !== undefined) {
       if (has_N) throw new ERR_CRYPTO_SCRYPT_INVALID_PARAMETER();
-      validateUint32(options.cost, 'cost');
       N = options.cost;
+      validateUint32(N, 'cost');
     }
     if (has_r = (options.r !== undefined)) {
-      validateUint32(options.r, 'r');
       r = options.r;
+      validateUint32(r, 'r');
     }
     if (options.blockSize !== undefined) {
       if (has_r) throw new ERR_CRYPTO_SCRYPT_INVALID_PARAMETER();
-      validateUint32(options.blockSize, 'blockSize');
       r = options.blockSize;
+      validateUint32(r, 'blockSize');
     }
     if (has_p = (options.p !== undefined)) {
-      validateUint32(options.p, 'p');
       p = options.p;
+      validateUint32(p, 'p');
     }
     if (options.parallelization !== undefined) {
       if (has_p) throw new ERR_CRYPTO_SCRYPT_INVALID_PARAMETER();
-      validateUint32(options.parallelization, 'parallelization');
       p = options.parallelization;
+      validateUint32(p, 'parallelization');
     }
     if (options.maxmem !== undefined) {
       maxmem = options.maxmem;
author	Tobias Nießen <tniessen@tnie.de>	2019-07-23 15:12:32 +0200
committer	Rich Trott <rtrott@gmail.com>	2019-07-26 10:19:28 -0700
commit	499533f72a2dce111d6fde9c21b90b51fff35ab6 (patch)
tree	158578631061383799317944243c883867758f72 /lib/internal/crypto
parent	31d9b2f14fe9851b530c213b92e14b4646f6d131 (diff)
download	android-node-v8-499533f72a2dce111d6fde9c21b90b51fff35ab6.tar.gz android-node-v8-499533f72a2dce111d6fde9c21b90b51fff35ab6.tar.bz2 android-node-v8-499533f72a2dce111d6fde9c21b90b51fff35ab6.zip