author | Bradley Farias <bradley.meck@gmail.com> | 2019-06-05 13:33:07 -0500 |
---|---|---|
committer | Rich Trott <rtrott@gmail.com> | 2019-07-20 13:24:58 -0700 |
commit | 6c288a704453ec7319928495efd0d3c482bcf754 (patch) | |
tree | 45793ed29535a70e9af1511111b47ac35702bb4f /test/parallel/test-policy-integrity-flag.js | |
parent | 0df3ea09faccd04dc0f0c3022e970e60403b9a6b (diff) | |
policy: add policy-integrity to mitigate policy tampering
PR-URL: https://github.com/nodejs/node/pull/28734
Reviewed-By: Gus Caplan <me@gus.host>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Guy Bedford <guybedford@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Diffstat (limited to 'test/parallel/test-policy-integrity-flag.js')
-rw-r--r-- | test/parallel/test-policy-integrity-flag.js | 69 |
1 files changed, 69 insertions, 0 deletions
diff --git a/test/parallel/test-policy-integrity-flag.js b/test/parallel/test-policy-integrity-flag.js
new file mode 100644
index 0000000000..3b332758d1
--- /dev/null
+++ b/test/parallel/test-policy-integrity-flag.js
@@ -0,0 +1,69 @@
+'use strict';
+
+const common = require('../common');
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const fixtures = require('../common/fixtures');
+
+const assert = require('assert');
+const { spawnSync } = require('child_process');
+const fs = require('fs');
+const crypto = require('crypto');
+
+const depPolicy = fixtures.path('policy', 'dep-policy.json');
+const dep = fixtures.path('policy', 'dep.js');
+
+const emptyHash = crypto.createHash('sha512');
+emptyHash.update('');
+const emptySRI = `sha512-${emptyHash.digest('base64')}`;
+const policyHash = crypto.createHash('sha512');
+policyHash.update(fs.readFileSync(depPolicy));
+
+/* eslint-disable max-len */
+// When using \n only
+const nixPolicySRI = 'sha512-u/nXI6UacK5fKDC2bopcgnuQY4JXJKlK3dESO3GIKKxwogVHjJqpF9rgk7Zw+TJXIc96xBUWKHuUgOzic8/4tQ==';
+// When \n is turned into \r\n
+const windowsPolicySRI = 'sha512-OeyCPRo4OZMosHyquZXDHpuU1F4KzG9UHFnn12FMaHsvqFUt3TFZ+7wmZE7ThZ5rsQWkUjc9ZH0knGZ2e8BYPQ==';
+/* eslint-enable max-len */
+
+const depPolicySRI = `${nixPolicySRI} ${windowsPolicySRI}`;
+console.dir({
+ depPolicySRI,
+ body: JSON.stringify(fs.readFileSync(depPolicy).toString('utf8'))
+});
+{
+ const { status, stderr } = spawnSync(
+ process.execPath,
+ [
+ '--policy-integrity', emptySRI,
+ '--experimental-policy', depPolicy, dep,
+ ]
+ );
+
+ assert.ok(stderr.includes('ERR_MANIFEST_ASSERT_INTEGRITY'));
+ assert.strictEqual(status, 1);
+}
+{
+ const { status, stderr } = spawnSync(
+ process.execPath,
+ [
+ '--policy-integrity', '',
+ '--experimental-policy', depPolicy, dep,
+ ]
+ );
+
+ assert.ok(stderr.includes('--policy-integrity'));
+ assert.strictEqual(status, 9);
+}
+{
+ const { status, stderr } = spawnSync(
+ process.execPath,
+ [
+ '--policy-integrity', depPolicySRI,
+ '--experimental-policy', depPolicy, dep,
+ ]
+ );
+
+ assert.strictEqual(status, 0, `status: ${status}\nstderr: ${stderr}`);
+} |
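Review bot: `policyHash` is created and fed the contents of `dep-policy.json`, but its digest is never read, so those two lines are dead code and the passing case rests entirely on the hard-coded `nixPolicySRI` / `windowsPolicySRI` strings. Either delete the two `policyHash` lines or use them, e.g. `const depPolicySRI = `sha512-${policyHash.digest('base64')}`;`, so the expected value tracks the fixture and does not depend on whether the checkout converted `\n` to `\r\n`. If the hard-coded pair is kept on purpose to exercise a space-separated, multi-entry integrity string, a one-line comment saying so would make that intent visible. The `console.dir({ ... })` call looks like leftover debugging; it could be dropped, since the final assertion already prints `status` and `stderr` on failure. The two rejection cases cover a well-formed digest of the wrong content and an empty value; a malformed or unsupported-algorithm value is not covered in this file.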