src: add process.cveRevert

Refs: nodejs#52017 Add API to enable CVE reverts for use in environments where the command line option cannot be used. Signed-off-by: Michael Dawson <midawson@redhat.com>
mhdawson · Mar 15, 2024 · 3879f4e · 3879f4e
1 parent b360532
commit 3879f4e
Show file tree

Hide file tree

Showing 5 changed files with 48 additions and 6 deletions.
diff --git a/lib/internal/bootstrap/node.js b/lib/internal/bootstrap/node.js
@@ -189,6 +189,8 @@ const rawMethods = internalBinding('process_methods');
     process.stdin.resume();
     return process.stdin;
   };
+
+  process.cveRevert = rawMethods.cveRevert;
 }
 
 const credentials = internalBinding('credentials');

diff --git a/src/node_process.h b/src/node_process.h
@@ -7,6 +7,8 @@
 #include "v8-fast-api-calls.h"
 #include "v8.h"
 
+#define REVERT_PREFIX "REVERT_"
+
 namespace node {
 
 class Environment;

diff --git a/src/node_process_methods.cc b/src/node_process_methods.cc
@@ -9,6 +9,7 @@
 #include "node_external_reference.h"
 #include "node_internals.h"
 #include "node_process-inl.h"
+#include "node_revert.h"
 #include "util-inl.h"
 #include "uv.h"
 #include "v8-fast-api-calls.h"
@@ -499,6 +500,38 @@ static void LoadEnvFile(const v8::FunctionCallbackInfo<v8::Value>& args) {
   }
 }
 
+static void CveRevert(const FunctionCallbackInfo<Value>& args) {
+  Environment* env = Environment::GetCurrent(args);
+  CHECK_EQ(args.Length(), 1);
+  CHECK(args[0]->IsString());
+  Utf8Value cve_string(env->isolate(), args[0]);
+  std::string revert_error;
+
+  Revert(*cve_string, &revert_error);
+  if (revert_error.empty()) {
+    // Revert sets the reversion at the C level but we have to
+    // set the property on the Object as it does not do that
+    Isolate* isolate = env->isolate();
+    Local<Context> context = env->context();
+#define V(code, label, __)                                                     \
+  do {                                                                         \
+    if (strcmp(*cve_string, label) == 0) {                                     \
+      READONLY_PROPERTY(args.This(), REVERT_PREFIX #code, True(isolate));      \
+    }                                                                          \
+  } while (0);
+    SECURITY_REVERSIONS(V)
+#undef V
+  }
+
+  Local<String> revert_error_return =
+      String::NewFromUtf8(env->isolate(),
+                          revert_error.c_str(),
+                          NewStringType::kNormal,
+                          revert_error.length())
+          .ToLocalChecked();
+  args.GetReturnValue().Set(revert_error_return);
+}
+
 namespace process {
 
 BindingData::BindingData(Realm* realm,
@@ -655,6 +688,7 @@ static void CreatePerIsolateProperties(IsolateData* isolate_data,
   SetMethod(isolate, target, "patchProcessObject", PatchProcessObject);
 
   SetMethod(isolate, target, "loadEnvFile", LoadEnvFile);
+  SetMethod(isolate, target, "cveRevert", CveRevert);
 }
 
 static void CreatePerContextProperties(Local<Object> target,
@@ -695,6 +729,8 @@ void RegisterExternalReferences(ExternalReferenceRegistry* registry) {
   registry->Register(PatchProcessObject);
 
   registry->Register(LoadEnvFile);
+
+  registry->Register(CveRevert);
 }
 
 }  // namespace process

diff --git a/src/node_process_object.cc b/src/node_process_object.cc
@@ -213,11 +213,11 @@ void PatchProcessObject(const FunctionCallbackInfo<Value>& args) {
                              GetParentProcessId).FromJust());
 
   // --security-revert flags
-#define V(code, _, __)                                                        \
-  do {                                                                        \
-    if (IsReverted(SECURITY_REVERT_ ## code)) {                               \
-      READONLY_PROPERTY(process, "REVERT_" #code, True(isolate));             \
-    }                                                                         \
+#define V(code, _, __)                                                         \
+  do {                                                                         \
+    if (IsReverted(SECURITY_REVERT_##code)) {                                  \
+      READONLY_PROPERTY(process, REVERT_PREFIX #code, True(isolate));          \
+    }                                                                          \
   } while (0);
   SECURITY_REVERSIONS(V)
 #undef V

diff --git a/src/node_revert.h b/src/node_revert.h
@@ -15,7 +15,9 @@
  **/
 namespace node {
 
-#define SECURITY_REVERSIONS(XX)                                            \
+#define SECURITY_REVERSIONS(XX)                                                \
+  XX(CVE_2000_TST1, "CVE-2000-TST1", "First test cve")                         \
+  XX(CVE_2000_TST2, "CVE-2000-TST2", "Second test cve")
 //  XX(CVE_2016_PEND, "CVE-2016-PEND", "Vulnerability Title")
 
 enum reversion {