Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

src: support for reading NODE_EXTRA_CA_CERTS from env file #51497

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

src: support for reading NODE_EXTRA_CA_CERTS from env file #51497

wants to merge 1 commit into from
+17 −7

Conversation

xsbchen
Copy link
Contributor

@xsbchen xsbchen commented Jan 17, 2024

Fixes: #51426

@nodejs-github-bot
Copy link
Collaborator

Review requested:

  • @nodejs/startup

@nodejs-github-bot nodejs-github-bot added c++ Issues and PRs that require attention from people who are familiar with C++. needs-ci PRs that need a full CI run. labels Jan 17, 2024
@joyeecheung
Copy link
Member

It doesn't seem right to override this with the dot env files without checking privileges which was what SafeGetEnv was for. Maybe @bnoordhuis knows better whether this violates what it tried to guard against.

@anonrig anonrig self-requested a review January 17, 2024 15:55
anonrig
anonrig reviewed Jan 17, 2024
View reviewed changes
src/node_dotenv.cc Outdated
@@ -108,10 +108,14 @@ bool Dotenv::ParsePath(const std::string_view path) {
}

void Dotenv::AssignNodeOptionsIfAvailable(std::string* node_options) {
auto match = store_.find("NODE_OPTIONS");
AssignValueIfAvailable("NODE_OPTIONS", node_options);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We don't need this function anymore. Ref: AssignNodeOptionsIfAvailable

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

got it, fixed

src/node_dotenv.cc Outdated
AssignValueIfAvailable("NODE_OPTIONS", node_options);
}

void Dotenv::AssignValueIfAvailable(const char* key, std::string* value) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
void Dotenv::AssignValueIfAvailable(const char* key, std::string* value) {
void Dotenv::AssignValueIfAvailable(const std::string& key, std::string* value) {

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fixed

@anonrig anonrig requested a review from bnoordhuis January 17, 2024 18:13
@xsbchen
Copy link
Contributor Author

xsbchen commented Jan 18, 2024
edited
Loading

It doesn't seem right to override this with the dot env files without checking privileges which was what SafeGetEnv was for. Maybe @bnoordhuis knows better whether this violates what it tried to guard against.

Thanks @joyeecheung, I'm not sure whether this change is reliable. @bnoordhuis If you are free, please help to review it.

Update: I check the comment on SafeGetEnv, it says Look up the environment variable and allow the lookup if the current process only has the capability CAP_NET_BIND_SERVICE set. If the current process does not have any capabilities set and the process is running as setuid root then lookup will not be allowed.. It seems that only want we need to get environment variables from the system (by uv_os_getenv) need to consider this capability.

@xsbchen xsbchen force-pushed the env-file branch 2 times, most recently from 5f4f97a to b012fa7 Compare January 18, 2024 07:47
@xsbchen xsbchen requested a review from anonrig January 22, 2024 09:04
@xsbchen
Copy link
Contributor Author

xsbchen commented Feb 5, 2024

any update?

@joyeecheung
Copy link
Member

I think we need someone like @bnoorhuis or someone from @nodejs/security to review it and confirm that this is not introducing a attack vector

@lirantal
Copy link
Member

Just briefly looked at it so I hope I don't miss anything important. Here's my observation:

  • If someone already controls the --env-file, they could just as well use other command-line flags that are more problematic like loaders, etc.
  • However, what if someone doesn't control --env-file but they do control the actual environment config file (the .env)? Like for example, they could exploit a path traversal or arbitrary file writes to change the contents of .env with their own.

@joyeecheung
Copy link
Member

I think the original intent of SafeGetEnv is to guard against e.g. improper permission escalation when the binary gets the setuid bit set. Not sure what the threat model is. It might also make sense to completely ignore the .env file when the binary gets modified like that.

@xsbchen
Copy link
Contributor Author

xsbchen commented Feb 19, 2024
edited
Loading

so need to do the same check like SafeGetEnv before getting value from .env file right? @joyeecheung @lirantal

@joyeecheung
Copy link
Member

That would be what I'd do - just ignoring the .env too when the permission check fails - but I don't think I am familiar enough with the original threat model to make a call.

@Subnum12 Subnum12 mentioned this pull request Oct 5, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bnoordhuis bnoordhuis Awaiting requested review from bnoordhuis

@anonrig anonrig Awaiting requested review from anonrig

@joyeecheung joyeecheung Awaiting requested review from joyeecheung

@tniessen tniessen Awaiting requested review from tniessen

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
c++ Issues and PRs that require attention from people who are familiar with C++. needs-ci PRs that need a full CI run.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

NODE_EXTRA_CA_CERTS does not work when set in env file
5 participants
@xsbchen @nodejs-github-bot @joyeecheung @lirantal @anonrig