From 51e95ddcaddef70b21b5c70cae0544dceb221c97 Mon Sep 17 00:00:00 2001 From: Shelley Vohr Date: Wed, 23 Oct 2019 11:06:57 -0700 Subject: [PATCH] cli: whitelist new V8 flag in NODE_OPTIONS MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Explicitly whitelists --disallow-code-generation-from-strings in NODE_OPTIONS as a new V8 flag. This flag prevents strings like eval() from performing code generation. PR-URL: https://github.com/nodejs/node/pull/30094 Reviewed-By: Luigi Pinca Reviewed-By: Anna Henningsen Reviewed-By: Michaƫl Zasso Reviewed-By: Gireesh Punathil Reviewed-By: Gus Caplan Reviewed-By: Colin Ihrig Reviewed-By: James M Snell --- doc/api/cli.md | 10 ++++++++++ doc/node.1 | 5 +++++ src/node_options.cc | 4 ++++ test/parallel/test-cli-node-options.js | 1 + 4 files changed, 20 insertions(+) diff --git a/doc/api/cli.md b/doc/api/cli.md index c01a85b26dd9f5..5ed1ea72a21af0 100644 --- a/doc/api/cli.md +++ b/doc/api/cli.md @@ -127,6 +127,15 @@ added: v12.0.0 Specify the file name of the CPU profile generated by `--cpu-prof`. +### `--disallow-code-generation-from-strings` + + +Make built-in language features like `eval` and `new Function` that generate +code from strings throw an exception instead. This does not affect the Node.js +`vm` module. + ### `--enable-fips` * `--abort-on-uncaught-exception` +* `--disallow-code-generation-from-strings` * `--interpreted-frames-native-stack` * `--max-old-space-size` * `--perf-basic-prof-only-functions` diff --git a/doc/node.1 b/doc/node.1 index dc29867a699b3c..fdc2644d42e46e 100644 --- a/doc/node.1 +++ b/doc/node.1 @@ -100,6 +100,11 @@ The default is File name of the V8 CPU profile generated with .Fl -cpu-prof . +.It Fl -disallow-code-generation-from-strings +Make built-in language features like `eval` and `new Function` that generate +code from strings throw an exception instead. This does not affect the Node.js +`vm` module. +. .It Fl -enable-fips Enable FIPS-compliant crypto at startup. Requires Node.js to be built with diff --git a/src/node_options.cc b/src/node_options.cc index 9371fc55622922..a54912c69310c5 100644 --- a/src/node_options.cc +++ b/src/node_options.cc @@ -594,6 +594,10 @@ PerIsolateOptionsParser::PerIsolateOptionsParser( V8Option{}, kAllowedInEnvironment); AddOption("--stack-trace-limit", "", V8Option{}, kAllowedInEnvironment); + AddOption("--disallow-code-generation-from-strings", + "disallow eval and friends", + V8Option{}, + kAllowedInEnvironment); #ifdef NODE_REPORT AddOption("--report-uncaught-exception", diff --git a/test/parallel/test-cli-node-options.js b/test/parallel/test-cli-node-options.js index 7e42139470e964..698f463b627644 100644 --- a/test/parallel/test-cli-node-options.js +++ b/test/parallel/test-cli-node-options.js @@ -60,6 +60,7 @@ if (common.hasCrypto) { // V8 options expect('--abort_on-uncaught_exception', 'B\n'); +expect('--disallow-code-generation-from-strings', 'B\n'); expect('--max-old-space-size=0', 'B\n'); expect('--stack-trace-limit=100', /(\s*at f \(\[eval\]:1:\d*\)\r?\n){100}/,