fix: ignore all NODE_ envs from foreign parent in node process (#40770)

* fix: ignore all NODE_ envs from foreign parent

* fix: recognize ad-hoc signed binary
This commit is contained in:
Cheng Zhao 2024-01-04 16:34:08 +09:00 committed by GitHub
parent baca2e302d
commit dfce1a9eb4
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
8 changed files with 115 additions and 16 deletions

View file

@ -5,15 +5,60 @@
#include "shell/common/mac/codesign_util.h"
#include "base/apple/foundation_util.h"
#include "base/apple/osstatus_logging.h"
#include "base/apple/scoped_cftyperef.h"
#include "third_party/abseil-cpp/absl/types/optional.h"
#include <CoreFoundation/CoreFoundation.h>
#include <Security/Security.h>
namespace electron {
bool ProcessBelongToCurrentApp(pid_t pid) {
absl::optional<bool> IsUnsignedOrAdHocSigned(SecCodeRef code) {
base::apple::ScopedCFTypeRef<SecStaticCodeRef> static_code;
OSStatus status = SecCodeCopyStaticCode(code, kSecCSDefaultFlags,
static_code.InitializeInto());
if (status == errSecCSUnsigned) {
return true;
}
if (status != errSecSuccess) {
OSSTATUS_LOG(ERROR, status) << "SecCodeCopyStaticCode";
return absl::optional<bool>();
}
// Copy the signing info from the SecStaticCodeRef.
base::apple::ScopedCFTypeRef<CFDictionaryRef> signing_info;
status =
SecCodeCopySigningInformation(static_code.get(), kSecCSSigningInformation,
signing_info.InitializeInto());
if (status != errSecSuccess) {
OSSTATUS_LOG(ERROR, status) << "SecCodeCopySigningInformation";
return absl::optional<bool>();
}
// Look up the code signing flags. If the flags are absent treat this as
// unsigned. This decision is consistent with the StaticCode source:
// https://github.com/apple-oss-distributions/Security/blob/Security-60157.40.30.0.1/OSX/libsecurity_codesigning/lib/StaticCode.cpp#L2270
CFNumberRef signing_info_flags =
base::apple::GetValueFromDictionary<CFNumberRef>(signing_info.get(),
kSecCodeInfoFlags);
if (!signing_info_flags) {
return true;
}
// Using a long long to extract the value from the CFNumberRef to be
// consistent with how it was packed by Security.framework.
// https://github.com/apple-oss-distributions/Security/blob/Security-60157.40.30.0.1/OSX/libsecurity_utilities/lib/cfutilities.h#L262
long long flags;
if (!CFNumberGetValue(signing_info_flags, kCFNumberLongLongType, &flags)) {
LOG(ERROR) << "CFNumberGetValue";
return absl::optional<bool>();
}
if (static_cast<uint32_t>(flags) & kSecCodeSignatureAdhoc) {
return true;
}
return false;
}
bool ProcessSignatureIsSameWithCurrentApp(pid_t pid) {
// Get and check the code signature of current app.
base::apple::ScopedCFTypeRef<SecCodeRef> self_code;
OSStatus status =
@ -22,6 +67,15 @@ bool ProcessBelongToCurrentApp(pid_t pid) {
OSSTATUS_LOG(ERROR, status) << "SecCodeCopyGuestWithAttributes";
return false;
}
absl::optional<bool> not_signed = IsUnsignedOrAdHocSigned(self_code.get());
if (!not_signed.has_value()) {
// Error happened.
return false;
}
if (not_signed.value()) {
// Current app is not signed.
return true;
}
// Get the code signature of process.
base::apple::ScopedCFTypeRef<CFNumberRef> process_cf(
CFNumberCreate(nullptr, kCFNumberIntType, &pid));
@ -46,9 +100,14 @@ bool ProcessBelongToCurrentApp(pid_t pid) {
OSSTATUS_LOG(ERROR, status) << "SecCodeCopyDesignatedRequirement";
return false;
}
DCHECK(self_requirement.get());
// Check whether the process meets the signature requirement of current app.
status = SecCodeCheckValidity(process_code.get(), kSecCSDefaultFlags,
self_requirement.get());
if (status != errSecSuccess && status != errSecCSReqFailed) {
OSSTATUS_LOG(ERROR, status) << "SecCodeCheckValidity";
return false;
}
return status == errSecSuccess;
}

View file

@ -10,9 +10,14 @@
namespace electron {
// Given a pid, check if the process belongs to current app by comparing its
// code signature with current app.
bool ProcessBelongToCurrentApp(pid_t pid);
// Given a pid, return true if the process has the same code signature with
// with current app.
// This API returns true if current app is not signed or ad-hoc signed, because
// checking code signature is meaningless in this case, and failing the
// signature check would break some features with unsigned binary (for example,
// process.send stops working in processes created by child_process.fork, due
// to the NODE_CHANNEL_ID env getting removed).
bool ProcessSignatureIsSameWithCurrentApp(pid_t pid);
} // namespace electron

View file

@ -7,6 +7,7 @@
#include <vector>
#include "build/build_config.h"
#include "v8/include/v8.h"
namespace node {
@ -26,6 +27,12 @@ v8::MaybeLocal<v8::Value> CompileAndCall(
std::vector<v8::Local<v8::String>>* parameters,
std::vector<v8::Local<v8::Value>>* arguments);
#if BUILDFLAG(IS_MAC)
// Unset all environment variables that start with NODE_. Return false if there
// is no node env at all.
bool UnsetAllNodeEnvs();
#endif
} // namespace electron::util
#endif // ELECTRON_SHELL_COMMON_NODE_UTIL_H_

View file

@ -0,0 +1,23 @@
// Copyright (c) 2023 Microsoft, Inc.
// Use of this source code is governed by the MIT license that can be
// found in the LICENSE file.
#include "shell/common/node_util.h"
#include <Foundation/Foundation.h>
namespace electron::util {
bool UnsetAllNodeEnvs() {
bool has_unset = false;
for (NSString* env in NSProcessInfo.processInfo.environment) {
if (![env hasPrefix:@"NODE_"])
continue;
const char* name = [[env componentsSeparatedByString:@"="][0] UTF8String];
unsetenv(name);
has_unset = true;
}
return has_unset;
}
} // namespace electron::util