fix: ignore all NODE_ envs from foreign parent in node process (#40770)
* fix: ignore all NODE_ envs from foreign parent * fix: recognize ad-hoc signed binary
This commit is contained in:
parent
baca2e302d
commit
dfce1a9eb4
8 changed files with 115 additions and 16 deletions
|
@ -5,15 +5,60 @@
|
|||
|
||||
#include "shell/common/mac/codesign_util.h"
|
||||
|
||||
#include "base/apple/foundation_util.h"
|
||||
#include "base/apple/osstatus_logging.h"
|
||||
#include "base/apple/scoped_cftyperef.h"
|
||||
#include "third_party/abseil-cpp/absl/types/optional.h"
|
||||
|
||||
#include <CoreFoundation/CoreFoundation.h>
|
||||
#include <Security/Security.h>
|
||||
|
||||
namespace electron {
|
||||
|
||||
bool ProcessBelongToCurrentApp(pid_t pid) {
|
||||
absl::optional<bool> IsUnsignedOrAdHocSigned(SecCodeRef code) {
|
||||
base::apple::ScopedCFTypeRef<SecStaticCodeRef> static_code;
|
||||
OSStatus status = SecCodeCopyStaticCode(code, kSecCSDefaultFlags,
|
||||
static_code.InitializeInto());
|
||||
if (status == errSecCSUnsigned) {
|
||||
return true;
|
||||
}
|
||||
if (status != errSecSuccess) {
|
||||
OSSTATUS_LOG(ERROR, status) << "SecCodeCopyStaticCode";
|
||||
return absl::optional<bool>();
|
||||
}
|
||||
// Copy the signing info from the SecStaticCodeRef.
|
||||
base::apple::ScopedCFTypeRef<CFDictionaryRef> signing_info;
|
||||
status =
|
||||
SecCodeCopySigningInformation(static_code.get(), kSecCSSigningInformation,
|
||||
signing_info.InitializeInto());
|
||||
if (status != errSecSuccess) {
|
||||
OSSTATUS_LOG(ERROR, status) << "SecCodeCopySigningInformation";
|
||||
return absl::optional<bool>();
|
||||
}
|
||||
// Look up the code signing flags. If the flags are absent treat this as
|
||||
// unsigned. This decision is consistent with the StaticCode source:
|
||||
// https://github.com/apple-oss-distributions/Security/blob/Security-60157.40.30.0.1/OSX/libsecurity_codesigning/lib/StaticCode.cpp#L2270
|
||||
CFNumberRef signing_info_flags =
|
||||
base::apple::GetValueFromDictionary<CFNumberRef>(signing_info.get(),
|
||||
kSecCodeInfoFlags);
|
||||
if (!signing_info_flags) {
|
||||
return true;
|
||||
}
|
||||
// Using a long long to extract the value from the CFNumberRef to be
|
||||
// consistent with how it was packed by Security.framework.
|
||||
// https://github.com/apple-oss-distributions/Security/blob/Security-60157.40.30.0.1/OSX/libsecurity_utilities/lib/cfutilities.h#L262
|
||||
long long flags;
|
||||
if (!CFNumberGetValue(signing_info_flags, kCFNumberLongLongType, &flags)) {
|
||||
LOG(ERROR) << "CFNumberGetValue";
|
||||
return absl::optional<bool>();
|
||||
}
|
||||
if (static_cast<uint32_t>(flags) & kSecCodeSignatureAdhoc) {
|
||||
return true;
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
bool ProcessSignatureIsSameWithCurrentApp(pid_t pid) {
|
||||
// Get and check the code signature of current app.
|
||||
base::apple::ScopedCFTypeRef<SecCodeRef> self_code;
|
||||
OSStatus status =
|
||||
|
@ -22,6 +67,15 @@ bool ProcessBelongToCurrentApp(pid_t pid) {
|
|||
OSSTATUS_LOG(ERROR, status) << "SecCodeCopyGuestWithAttributes";
|
||||
return false;
|
||||
}
|
||||
absl::optional<bool> not_signed = IsUnsignedOrAdHocSigned(self_code.get());
|
||||
if (!not_signed.has_value()) {
|
||||
// Error happened.
|
||||
return false;
|
||||
}
|
||||
if (not_signed.value()) {
|
||||
// Current app is not signed.
|
||||
return true;
|
||||
}
|
||||
// Get the code signature of process.
|
||||
base::apple::ScopedCFTypeRef<CFNumberRef> process_cf(
|
||||
CFNumberCreate(nullptr, kCFNumberIntType, &pid));
|
||||
|
@ -46,9 +100,14 @@ bool ProcessBelongToCurrentApp(pid_t pid) {
|
|||
OSSTATUS_LOG(ERROR, status) << "SecCodeCopyDesignatedRequirement";
|
||||
return false;
|
||||
}
|
||||
DCHECK(self_requirement.get());
|
||||
// Check whether the process meets the signature requirement of current app.
|
||||
status = SecCodeCheckValidity(process_code.get(), kSecCSDefaultFlags,
|
||||
self_requirement.get());
|
||||
if (status != errSecSuccess && status != errSecCSReqFailed) {
|
||||
OSSTATUS_LOG(ERROR, status) << "SecCodeCheckValidity";
|
||||
return false;
|
||||
}
|
||||
return status == errSecSuccess;
|
||||
}
|
||||
|
||||
|
|
|
@ -10,9 +10,14 @@
|
|||
|
||||
namespace electron {
|
||||
|
||||
// Given a pid, check if the process belongs to current app by comparing its
|
||||
// code signature with current app.
|
||||
bool ProcessBelongToCurrentApp(pid_t pid);
|
||||
// Given a pid, return true if the process has the same code signature with
|
||||
// with current app.
|
||||
// This API returns true if current app is not signed or ad-hoc signed, because
|
||||
// checking code signature is meaningless in this case, and failing the
|
||||
// signature check would break some features with unsigned binary (for example,
|
||||
// process.send stops working in processes created by child_process.fork, due
|
||||
// to the NODE_CHANNEL_ID env getting removed).
|
||||
bool ProcessSignatureIsSameWithCurrentApp(pid_t pid);
|
||||
|
||||
} // namespace electron
|
||||
|
||||
|
|
|
@ -7,6 +7,7 @@
|
|||
|
||||
#include <vector>
|
||||
|
||||
#include "build/build_config.h"
|
||||
#include "v8/include/v8.h"
|
||||
|
||||
namespace node {
|
||||
|
@ -26,6 +27,12 @@ v8::MaybeLocal<v8::Value> CompileAndCall(
|
|||
std::vector<v8::Local<v8::String>>* parameters,
|
||||
std::vector<v8::Local<v8::Value>>* arguments);
|
||||
|
||||
#if BUILDFLAG(IS_MAC)
|
||||
// Unset all environment variables that start with NODE_. Return false if there
|
||||
// is no node env at all.
|
||||
bool UnsetAllNodeEnvs();
|
||||
#endif
|
||||
|
||||
} // namespace electron::util
|
||||
|
||||
#endif // ELECTRON_SHELL_COMMON_NODE_UTIL_H_
|
||||
|
|
23
shell/common/node_util_mac.mm
Normal file
23
shell/common/node_util_mac.mm
Normal file
|
@ -0,0 +1,23 @@
|
|||
// Copyright (c) 2023 Microsoft, Inc.
|
||||
// Use of this source code is governed by the MIT license that can be
|
||||
// found in the LICENSE file.
|
||||
|
||||
#include "shell/common/node_util.h"
|
||||
|
||||
#include <Foundation/Foundation.h>
|
||||
|
||||
namespace electron::util {
|
||||
|
||||
bool UnsetAllNodeEnvs() {
|
||||
bool has_unset = false;
|
||||
for (NSString* env in NSProcessInfo.processInfo.environment) {
|
||||
if (![env hasPrefix:@"NODE_"])
|
||||
continue;
|
||||
const char* name = [[env componentsSeparatedByString:@"="][0] UTF8String];
|
||||
unsetenv(name);
|
||||
has_unset = true;
|
||||
}
|
||||
return has_unset;
|
||||
}
|
||||
|
||||
} // namespace electron::util
|
Loading…
Add table
Add a link
Reference in a new issue