
The kDisableNodeOptionsEnv option can be worked around by using the NODE_REPL_EXTERNAL_MODULE env

Open zcbenz opened this issue 2 years ago • 3 comments

Node has a kDisableNodeOptionsEnv embedder flag that disables the NODE_OPTIONS env to avoid injecting external code into apps; however, it can be bypassed by using the NODE_REPL_EXTERNAL_MODULE env, as reported by https://github.com/electron/electron/pull/40770.

I understand kDisableNodeOptionsEnv only means to disable NODE_OPTIONS env, but if we don't also disable NODE_REPL_EXTERNAL_MODULE the protection would become meaningless.

I think we have 2 options to fix this:

  1. Disable NODE_REPL_EXTERNAL_MODULE env when kDisableNodeOptionsEnv is used.
  2. Deprecate kDisableNodeOptionsEnv and add a new flag that disables all possible ways to inject code.

I wonder which one would be preferred by Node team. /cc @addaleax @joyeecheung @bnoordhuis

zcbenz avatar Dec 20 '23 00:12 zcbenz

@nodejs/security-wg

avivkeller avatar Apr 26 '24 02:04 avivkeller

Dotenv isn't the correct label (no dotenv file), but it's AFAIK the closest to env variables

avivkeller avatar Apr 26 '24 02:04 avivkeller

@zcbenz While the first option is trivial, I assume it will be a breaking change for all users that rely on the current behavior. I believe a new flag should be a safer approach. Honestly, I'm fine with both options.

cc: @nodejs/tsc

RafaelGSS avatar Apr 29 '24 18:04 RafaelGSS
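
An added example, not part of the thread and not Node's or Electron's code: until one of the two options lands, an embedder that spawns Node-based child processes can drop both variables from the child's environment itself. The function name `scrubInjectionEnv` and the sample environment are hypothetical, and the list holds only the two variables named in this issue; it is not claimed to be complete.

```javascript
// Only the variables named in this issue; not claimed to be a complete list.
const CODE_INJECTION_ENV = ['NODE_OPTIONS', 'NODE_REPL_EXTERNAL_MODULE'];

// Returns a copy of `env` without the code-injection variables, plus the
// names that were dropped so the caller can log or alert on them.
// (Hypothetical helper, written for this example.)
function scrubInjectionEnv(env, platform = process.platform) {
  // Windows matches env names case-insensitively, but a plain object copy
  // of process.env does not, so normalise names there before comparing.
  const norm = (name) => (platform === 'win32' ? name.toUpperCase() : name);
  const blocked = new Set(CODE_INJECTION_ENV.map(norm));

  const clean = {};
  const removed = [];
  for (const [name, value] of Object.entries(env)) {
    if (blocked.has(norm(name))) {
      removed.push(name);
    } else {
      clean[name] = value;
    }
  }
  return { env: clean, removed };
}

// Constructed sample environment (values are placeholders).
const sampleEnv = {
  PATH: '/usr/bin',
  NODE_OPTIONS: '--require ./placeholder.js',
  Node_Repl_External_Module: './placeholder.js', // mixed case on purpose
};

// On Windows the mixed-case name refers to the same variable and is dropped.
const onWindows = scrubInjectionEnv(sampleEnv, 'win32');
// On POSIX the mixed-case name is a different variable and is kept.
const onLinux = scrubInjectionEnv(sampleEnv, 'linux');

console.log(onWindows.removed, onLinux.removed);

// Typical use when spawning a child (shown as a comment so the block has
// no side effects):
//   const { env, removed } = scrubInjectionEnv(process.env);
//   child_process.spawn(process.execPath, args, { env });
```

The `removed` list is worth logging: either variable being set for a packaged app is unusual enough to be a useful detection signal on its own.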