src: add NODE_SECURITY_REVERT environment variable

Some vendors do not allow passing custom command-line flags to the node executable. There are concerns around allowing --security-revert in NODE_OPTIONS because it might be inherited by child processes unintentionally. This patch introduces a new environment variable that, if set, is unset immediately unless it ends with "+sticky". Aside from that optional suffix, its value is a comma-separated list of CVE identifiers for which the respective security patches should be reverted. Closes: nodejs#52017
tniessen · Apr 4, 2024 · 1b592f9 · 1b592f9
1 parent d7aa8fc
commit 1b592f9
Showing 1 changed file with 30 additions and 0 deletions.
diff --git a/src/node.cc b/src/node.cc
@@ -956,6 +956,36 @@ static ExitCode InitializeNodeWithArgsInternal(
     if (exit_code != ExitCode::kNoFailure) return exit_code;
   }
 
+  std::string security_revert;
+  if (credentials::SafeGetenv("NODE_SECURITY_REVERT", &security_revert)) {
+    Mutex::ScopedLock lock(per_process::cli_options_mutex);
+    // We unset the environment variable by default to prevent it from being
+    // inherited by child processes. This can be prevented by the user by
+    // appending "+sticky" to the value of the environment variable.
+    bool sticky = false;
+    size_t maybe_sticky_pos = security_revert.length() - strlen("+sticky");
+    if (security_revert.rfind("+sticky") == maybe_sticky_pos) {
+      security_revert.erase(maybe_sticky_pos);
+      sticky = true;
+    }
+    // Ignore the environment variable if the CLI argument was set.
+    if (per_process::reverted_cve == 0) {
+      std::string revert_error;
+      for (const std::string_view& cve : SplitString(security_revert, ",")) {
+        Revert(std::string(cve).c_str(), &revert_error);
+        if (!revert_error.empty()) {
+          errors->emplace_back(std::move(revert_error));
+          // TODO(joyeecheung): merge into kInvalidCommandLineArgument.
+          return ExitCode::kInvalidCommandLineArgument2;
+        }
+      }
+    }
+    // Unset the environment variable unless it has been marked as sticky.
+    if (!sticky) {
+      uv_os_unsetenv("NODE_SECURITY_REVERT");
+    }
+  }
+
   // Set the process.title immediately after processing argv if --title is set.
   if (!per_process::cli_options->title.empty())
     uv_set_process_title(per_process::cli_options->title.c_str());