From 2eeb44f3facb58dacbcb2f270d4f169a2c81ee08 Mon Sep 17 00:00:00 2001 From: Bradley Farias Date: Wed, 5 Jun 2019 13:33:07 -0500 Subject: policy: add policy-integrity to mitigate policy tampering PR-URL: https://github.com/nodejs/node/pull/28734 Reviewed-By: Gus Caplan Reviewed-By: Richard Lau Reviewed-By: Guy Bedford Reviewed-By: Colin Ihrig Reviewed-By: Rich Trott --- src/node_options.cc | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) (limited to 'src/node_options.cc') diff --git a/src/node_options.cc b/src/node_options.cc index 829154c3bf..2eed3f8222 100644 --- a/src/node_options.cc +++ b/src/node_options.cc @@ -116,6 +116,13 @@ void EnvironmentOptions::CheckOptions(std::vector* errors) { if (!userland_loader.empty() && !experimental_modules) { errors->push_back("--loader requires --experimental-modules be enabled"); } + if (has_policy_integrity_string && experimental_policy.empty()) { + errors->push_back("--policy-integrity requires " + "--experimental-policy be enabled"); + } + if (has_policy_integrity_string && experimental_policy_integrity.empty()) { + errors->push_back("--policy-integrity cannot be empty"); + } if (!module_type.empty()) { if (!experimental_modules) { @@ -321,6 +328,15 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() { "security policy", &EnvironmentOptions::experimental_policy, kAllowedInEnvironment); + AddOption("[has_policy_integrity_string]", + "", + &EnvironmentOptions::has_policy_integrity_string); + AddOption("--policy-integrity", + "ensure the security policy contents match " + "the specified integrity", + &EnvironmentOptions::experimental_policy_integrity, + kAllowedInEnvironment); + Implies("--policy-integrity", "[has_policy_integrity_string]"); AddOption("--experimental-repl-await", "experimental await keyword support in REPL", &EnvironmentOptions::experimental_repl_await, -- cgit v1.2.3