author | Jose M. Palacios Diaz <jmpd1988@gmail.com> | 2018-02-01 11:13:35 -0500 |
---|---|---|
committer | Ruben Bridgewater <ruben@bridgewater.de> | 2018-02-16 17:42:21 +0100 |
commit | 916cfeca774e83925466f9a171f11c9bc73e4756 (patch) | |
tree | da62a6e56ce15d852ab5b5359b9daa044c5e0e86 /src/node_util.cc | |
parent | ec9e7922bb72ce17b453d345232a0e725883a470 (diff) | |
lib,src: audit process.env in lib/ for setuid binary
Wrap SafeGetenv() in util binding with the purpose of protecting
the cases when env vars are accessed with the privileges of another
user in jsland.
PR-URL: https://github.com/nodejs/node/pull/18511
Fixes: https://github.com/nodejs/node/issues/9160
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Diffstat (limited to 'src/node_util.cc')
-rw-r--r-- | src/node_util.cc | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/src/node_util.cc b/src/node_util.cc
index 0c4eaa4aa7..1542b533f3 100644
--- a/src/node_util.cc
+++ b/src/node_util.cc
@@ -14,6 +14,7 @@ using v8::Object;
 using v8::Private;
 using v8::Promise;
 using v8::Proxy;
+using v8::String;
 using v8::Value;
@@ -174,6 +175,16 @@ void PromiseReject(const FunctionCallbackInfo<Value>& args) {
 args.GetReturnValue().Set(ret.FromMaybe(false));
 }
+void SafeGetenv(const FunctionCallbackInfo<Value>& args) {
+ CHECK(args[0]->IsString());
+ Utf8Value strenvtag(args.GetIsolate(), args[0]);
+ std::string text;
+ if (!node::SafeGetenv(*strenvtag, &text)) return;
+ args.GetReturnValue()
+ .Set(String::NewFromUtf8(
+ args.GetIsolate(), text.c_str(),
+ v8::NewStringType::kNormal).ToLocalChecked());
+}
 void Initialize(Local<Object> target,
 Local<Value> unused,
@@ -225,6 +236,8 @@ void Initialize(Local<Object> target,
 env->SetMethod(target, "createPromise", CreatePromise);
 env->SetMethod(target, "promiseResolve", PromiseResolve);
 env->SetMethod(target, "promiseReject", PromiseReject);
+
+ env->SetMethod(target, "safeGetenv", SafeGetenv);
 }
 } // namespace util |
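Review bot: The new `SafeGetenv` binding in the second hunk carries no comment stating its contract, and the early `return` on a false result leaves the return value unset, so a JS caller gets `undefined` both for a variable that is not set and, presumably, for a lookup that `node::SafeGetenv` declines in a setuid/setgid process (that helper is defined outside this diff). I would add above the function `// Returns the variable's value, or undefined when node::SafeGetenv() yields nothing; callers in lib/ must treat undefined as "not set".` The name reaches the helper as a C string through `*strenvtag`, so a JS string with an embedded NUL would be looked up truncated; that is harmless while only internal lib/ code calls the binding, but the comment should say the name must not contain NUL. `ToLocalChecked()` aborts the process if V8 cannot create the string, which looks unreachable for environment-sized values, though testing the `MaybeLocal` with `ToLocal(&value)` and returning on failure would keep an oversized environment value from becoming a crash.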