child_process: fix incomplete prototype pollution hardening

Prior pull request (#48726) hardened against prototype pollution vulnerabilities but effectively missed some use-cases which opened a window for prototype pollution for some child_process functions such as spawn(), spawnSync(), and execFileSync().
nodejs · Jul 9, 2024 · 1317a3e · 1317a3e
1 parent cbd2c38
commit 1317a3e
Showing 1 changed file with 33 additions and 1 deletion.
diff --git a/test/parallel/test-child-process-prototype-tampering.mjs b/test/parallel/test-child-process-prototype-tampering.mjs
@@ -1,7 +1,7 @@
 import * as common from '../common/index.mjs';
 import * as fixtures from '../common/fixtures.mjs';
 import { EOL } from 'node:os';
-import { strictEqual } from 'node:assert';
+import { strictEqual, notStrictEqual, throws } from 'node:assert';
 import cp from 'node:child_process';
 
 // TODO(LiviaMedeiros): test on different platforms
@@ -57,3 +57,35 @@ for (const tamperedUID of [0, 1, 999, 1000, 0n, 'gwak']) {
 
   delete Object.prototype.execPath;
 }
+
+for (const shellCommandArgument of ['-L && echo "tampered"']) {
+  Object.prototype.shell = true;
+  const cmd = 'pwd';
+  let cmdExitCode = '';
+
+  const program = cp.spawn(cmd, [shellCommandArgument], { cwd: expectedCWD });
+  program.stderr.on('data', common.mustCall());
+  program.stdout.on('data', common.mustNotCall());
+
+  program.on('exit', common.mustCall((code) => {
+    notStrictEqual(code, 0);
+  }));
+
+  cp.execFile(cmd, [shellCommandArgument], { cwd: expectedCWD },
+              common.mustCall((err) => {
+                notStrictEqual(err.code, 0);
+              })
+  );
+
+  throws(() => {
+    cp.execFileSync(cmd, [shellCommandArgument], { cwd: expectedCWD });
+  }, (e) => {
+    notStrictEqual(e.status, 0);
+    return true;
+  });
+
+  cmdExitCode = cp.spawnSync(cmd, [shellCommandArgument], { cwd: expectedCWD }).status;
+  notStrictEqual(cmdExitCode, 0);
+
+  delete Object.prototype.shell;
+}