authorBradley Farias <bradley.meck@gmail.com>2019-06-05 13:33:07 -0500
committerMichaƫl Zasso <targos@protonmail.com>2019-07-22 21:20:42 +0200
commit2eeb44f3facb58dacbcb2f270d4f169a2c81ee08 (patch)
treecb3ecdb07852362d181312eb6ffd204d86199b09 /test
parentcf811ecd47cf2c4f5bec2b27577c6d414842b703 (diff)
policy: add policy-integrity to mitigate policy tampering
PR-URL: https://github.com/nodejs/node/pull/28734 Reviewed-By: Gus Caplan <me@gus.host> Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Guy Bedford <guybedford@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Rich Trott <rtrott@gmail.com>
Diffstat (limited to 'test')
-rw-r--r--test/fixtures/policy/dep-policy.json7
-rw-r--r--test/fixtures/policy/dep.js2
-rw-r--r--test/parallel/test-policy-integrity-flag.js69
3 files changed, 78 insertions, 0 deletions
diff --git a/test/fixtures/policy/dep-policy.json b/test/fixtures/policy/dep-policy.json
new file mode 100644
index 0000000000..6cc483a578
--- /dev/null
+++ b/test/fixtures/policy/dep-policy.json
@@ -0,0 +1,7 @@
+{
+ "resources": {
+ "./dep.js": {
+ "integrity": "sha512-7CMcc2oytFfMnGQaXbJk84gYWF2J7p/fmWPW7dsnJyniD+vgxtK9VAZ/22UxFOA4q5d27RoGLxSqNZ/nGCJkMw== sha512-scgN9Td0bGMlGH2lUHvEeHtz92Hx6AO+sYhU3WRI6bn3jEUCXbXJs68nOOsGzRWR7a2tbqGoETnOCpHHf1Njhw=="
+ }
+ }
+}
diff --git a/test/fixtures/policy/dep.js b/test/fixtures/policy/dep.js
new file mode 100644
index 0000000000..1c61a090d2
--- /dev/null
+++ b/test/fixtures/policy/dep.js
@@ -0,0 +1,2 @@
+'use strict';
+module.exports = 'The Secret Ingredient';
diff --git a/test/parallel/test-policy-integrity-flag.js b/test/parallel/test-policy-integrity-flag.js
new file mode 100644
index 0000000000..3b332758d1
--- /dev/null
+++ b/test/parallel/test-policy-integrity-flag.js
@@ -0,0 +1,69 @@
+'use strict';
+
+const common = require('../common');
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const fixtures = require('../common/fixtures');
+
+const assert = require('assert');
+const { spawnSync } = require('child_process');
+const fs = require('fs');
+const crypto = require('crypto');
+
+const depPolicy = fixtures.path('policy', 'dep-policy.json');
+const dep = fixtures.path('policy', 'dep.js');
+
+const emptyHash = crypto.createHash('sha512');
+emptyHash.update('');
+const emptySRI = `sha512-${emptyHash.digest('base64')}`;
+const policyHash = crypto.createHash('sha512');
+policyHash.update(fs.readFileSync(depPolicy));
+
+/* eslint-disable max-len */
+// When using \n only
+const nixPolicySRI = 'sha512-u/nXI6UacK5fKDC2bopcgnuQY4JXJKlK3dESO3GIKKxwogVHjJqpF9rgk7Zw+TJXIc96xBUWKHuUgOzic8/4tQ==';
+// When \n is turned into \r\n
+const windowsPolicySRI = 'sha512-OeyCPRo4OZMosHyquZXDHpuU1F4KzG9UHFnn12FMaHsvqFUt3TFZ+7wmZE7ThZ5rsQWkUjc9ZH0knGZ2e8BYPQ==';
+/* eslint-enable max-len */
+
+const depPolicySRI = `${nixPolicySRI} ${windowsPolicySRI}`;
+console.dir({
+ depPolicySRI,
+ body: JSON.stringify(fs.readFileSync(depPolicy).toString('utf8'))
+});
+{
+ const { status, stderr } = spawnSync(
+ process.execPath,
+ [
+ '--policy-integrity', emptySRI,
+ '--experimental-policy', depPolicy, dep,
+ ]
+ );
+
+ assert.ok(stderr.includes('ERR_MANIFEST_ASSERT_INTEGRITY'));
+ assert.strictEqual(status, 1);
+}
+{
+ const { status, stderr } = spawnSync(
+ process.execPath,
+ [
+ '--policy-integrity', '',
+ '--experimental-policy', depPolicy, dep,
+ ]
+ );
+
+ assert.ok(stderr.includes('--policy-integrity'));
+ assert.strictEqual(status, 9);
+}
+{
+ const { status, stderr } = spawnSync(
+ process.execPath,
+ [
+ '--policy-integrity', depPolicySRI,
+ '--experimental-policy', depPolicy, dep,
+ ]
+ );
+
+ assert.strictEqual(status, 0, `status: ${status}\nstderr: ${stderr}`);
+}
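Review bot: `policyHash` is created and fed the policy file's bytes but is never digested or used, so the passing case rests entirely on the hard-coded `nixPolicySRI` and `windowsPolicySRI` strings, which go stale as soon as `dep-policy.json` is edited or checked out with other line endings. Deriving the value from the file, ``const depPolicySRI = `sha512-${policyHash.digest('base64')}`;``, keeps the positive case in step with the fixture while the `emptySRI` case still exercises a mismatch; otherwise `policyHash` should be dropped. The `console.dir({ ... })` call looks like leftover debugging output and could be removed. The first two `assert.ok(stderr.includes(...))` checks would be easier to diagnose on failure if they passed the same `status`/`stderr` message that the last assertion does.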