Mirrors/node
1
0
Fork 0
mirror of https://github.com/nodejs/node.git synced 2025-12-28 07:50:41 +00:00
Code Issues Actions 17 Packages Projects Releases Wiki Activity

src: remove erroneous CVE-2024-27980 revert option

Browse Source 
No security reverts should exist on the main branch.

PR-URL: https://github.com/nodejs/node/pull/52543
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Yagiz Nizipli <yagiz.nizipli@sentry.io>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
This commit is contained in:
Tobias Nießen 2024-04-18 15:09:09 +02:00 committed by GitHub
parent cfca9e3cb6
commit 3790d524c1
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 5 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/node_revert.h
View File

@ -15,9 +15,8 @@
**/
namespace node {
#define SECURITY_REVERSIONS(XX) \
XX(CVE_2024_27980, "CVE-2024-27980", "Unsafe Windows batch file execution")
// XX(CVE_2016_PEND, "CVE-2016-PEND", "Vulnerability Title")
#define SECURITY_REVERSIONS(XX) \
// XX(CVE_2016_PEND, "CVE-2016-PEND", "Vulnerability Title")
enum reversion {
#define V(code, ...) SECURITY_REVERT_##code,

5
src/util-inl.h
View File

@ -648,9 +648,8 @@ bool IsWindowsBatchFile(const char* filename) {
static constexpr bool kIsWindows = false;
#endif // _WIN32
if (kIsWindows)
if (!IsReverted(SECURITY_REVERT_CVE_2024_27980))
if (const char* p = strrchr(filename, '.'))
return StringEqualNoCase(p, ".bat") || StringEqualNoCase(p, ".cmd");
if (const char* p = strrchr(filename, '.'))
return StringEqualNoCase(p, ".bat") || StringEqualNoCase(p, ".cmd");
return false;
}

13
test/parallel/test-child-process-spawn-windows-batch-file.js
View File

@ -19,24 +19,13 @@ const cp = require('child_process');
const assert = require('assert');
const { isWindows } = common;
const arg = '--security-revert=CVE-2024-27980';
const isRevert = process.execArgv.includes(arg);
const expectedCode = isWindows && !isRevert ? 'EINVAL' : 'ENOENT';
const expectedCode = isWindows ? 'EINVAL' : 'ENOENT';
const expectedStatus = isWindows ? 1 : 127;
const suffixes =
'BAT bAT BaT baT BAt bAt Bat bat CMD cMD CmD cmD CMd cMd Cmd cmd'
.split(' ');
if (process.argv[2] === undefined) {
const a = cp.spawnSync(process.execPath, [__filename, 'child']);
const b = cp.spawnSync(process.execPath, [arg, __filename, 'child']);
assert.strictEqual(a.status, 0);
assert.strictEqual(b.status, 0);
return;
}
function testExec(filename) {
return new Promise((resolve) => {
cp.exec(filename).once('exit', common.mustCall(function(status) {