From 2eeb44f3facb58dacbcb2f270d4f169a2c81ee08 Mon Sep 17 00:00:00 2001
From: Bradley Farias
Date: Wed, 5 Jun 2019 13:33:07 -0500
Subject: policy: add policy-integrity to mitigate policy tampering
PR-URL: https://github.com/nodejs/node/pull/28734
Reviewed-By: Gus Caplan
Reviewed-By: Richard Lau
Reviewed-By: Guy Bedford
Reviewed-By: Colin Ihrig
Reviewed-By: Rich Trott
---
 lib/internal/bootstrap/pre_execution.js | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+) (limited to 'lib')
diff --git a/lib/internal/bootstrap/pre_execution.js b/lib/internal/bootstrap/pre_execution.js
index bbb0786dcd..104ebaff32 100644
--- a/lib/internal/bootstrap/pre_execution.js
+++ b/lib/internal/bootstrap/pre_execution.js
@@ -4,6 +4,7 @@ const { Object, SafeWeakMap } = primordials;
 const { getOptionValue } = require('internal/options');
 const { Buffer } = require('buffer');
+const { ERR_MANIFEST_ASSERT_INTEGRITY } = require('internal/errors').codes;
 function prepareMainThreadExecution(expandArgv1 = false) {
 // Patch the process object with legacy properties and normalizations
@@ -332,6 +333,32 @@ function initializePolicy() {
 }
 const fs = require('fs');
 const src = fs.readFileSync(manifestURL, 'utf8');
+ const experimentalPolicyIntegrity = getOptionValue('--policy-integrity');
+ if (experimentalPolicyIntegrity) {
+ const SRI = require('internal/policy/sri');
+ const { createHash, timingSafeEqual } = require('crypto');
+ const realIntegrities = new Map();
+ const integrityEntries = SRI.parse(experimentalPolicyIntegrity);
+ let foundMatch = false;
+ for (var i = 0; i < integrityEntries.length; i++) {
+ const {
+ algorithm,
+ value: expected
+ } = integrityEntries[i];
+ const hash = createHash(algorithm);
+ hash.update(src);
+ const digest = hash.digest();
+ if (digest.length === expected.length &&
+ timingSafeEqual(digest, expected)) {
+ foundMatch = true;
+ break;
+ }
+ realIntegrities.set(algorithm, digest.toString('base64'));
+ }
+ if (!foundMatch) {
+ throw new ERR_MANIFEST_ASSERT_INTEGRITY(manifestURL, realIntegrities);
+ }
+ }
 require('internal/process/policy')
 .setup(src, manifestURL.href);
 }
--
cgit v1.2.3
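Review bot: The guard `if (experimentalPolicyIntegrity)` treats an empty option value the same as an absent flag, so a launcher that passes `--policy-integrity=` with an empty or unset value would load the manifest with no integrity check instead of failing closed. Whether option parsing rejects an empty value is not visible in this hunk; if it does not, the check should be keyed on whether the flag was supplied, and at minimum the branch deserves a comment such as `// An empty --policy-integrity value skips verification; option parsing must reject it.` The rest of the block does fail closed, since an integrity string that yields zero entries or no matching digest reaches the `throw`. Separately, `hash.update(src)` digests the UTF-8-decoded string rather than the file's raw bytes, so it agrees with an externally computed hash only when the manifest is valid UTF-8, which is worth stating in the option's documentation. initializePolicy starts and ends outside the hunk.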