diff options
author | Bradley Farias <bradley.meck@gmail.com> | 2019-06-05 13:33:07 -0500 |
---|---|---|
committer | Rich Trott <rtrott@gmail.com> | 2019-07-20 13:24:58 -0700 |
commit | 6c288a704453ec7319928495efd0d3c482bcf754 (patch) | |
tree | 45793ed29535a70e9af1511111b47ac35702bb4f /src | |
parent | 0df3ea09faccd04dc0f0c3022e970e60403b9a6b (diff) | |
download | android-node-v8-6c288a704453ec7319928495efd0d3c482bcf754.tar.gz android-node-v8-6c288a704453ec7319928495efd0d3c482bcf754.tar.bz2 android-node-v8-6c288a704453ec7319928495efd0d3c482bcf754.zip |
policy: add policy-integrity to mitigate policy tampering
PR-URL: https://github.com/nodejs/node/pull/28734
Reviewed-By: Gus Caplan <me@gus.host>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Guy Bedford <guybedford@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Diffstat (limited to 'src')
-rw-r--r-- | src/node_options.cc | 16 | ||||
-rw-r--r-- | src/node_options.h | 2 |
2 files changed, 18 insertions, 0 deletions
diff --git a/src/node_options.cc b/src/node_options.cc index e0a766994b..9da1ed5fb8 100644 --- a/src/node_options.cc +++ b/src/node_options.cc @@ -116,6 +116,13 @@ void EnvironmentOptions::CheckOptions(std::vector<std::string>* errors) { if (!userland_loader.empty() && !experimental_modules) { errors->push_back("--loader requires --experimental-modules be enabled"); } + if (has_policy_integrity_string && experimental_policy.empty()) { + errors->push_back("--policy-integrity requires " + "--experimental-policy be enabled"); + } + if (has_policy_integrity_string && experimental_policy_integrity.empty()) { + errors->push_back("--policy-integrity cannot be empty"); + } if (!module_type.empty()) { if (!experimental_modules) { @@ -321,6 +328,15 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() { "security policy", &EnvironmentOptions::experimental_policy, kAllowedInEnvironment); + AddOption("[has_policy_integrity_string]", + "", + &EnvironmentOptions::has_policy_integrity_string); + AddOption("--policy-integrity", + "ensure the security policy contents match " + "the specified integrity", + &EnvironmentOptions::experimental_policy_integrity, + kAllowedInEnvironment); + Implies("--policy-integrity", "[has_policy_integrity_string]"); AddOption("--experimental-repl-await", "experimental await keyword support in REPL", &EnvironmentOptions::experimental_repl_await, diff --git a/src/node_options.h b/src/node_options.h index f988800fde..a15944aed9 100644 --- a/src/node_options.h +++ b/src/node_options.h @@ -106,6 +106,8 @@ class EnvironmentOptions : public Options { bool experimental_wasm_modules = false; std::string module_type; std::string experimental_policy; + std::string experimental_policy_integrity; + bool has_policy_integrity_string; bool experimental_repl_await = false; bool experimental_vm_modules = false; bool expose_internals = false; |