You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Node has an kDisableNodeOptionsEnv embedder flag that disables NODE_OPTIONS env to avoid injecting external code into apps, however it can be bypassed by using the NODE_REPL_EXTERNAL_MODULE env as reported by electron/electron#40770.
I understand kDisableNodeOptionsEnv only means to disable NODE_OPTIONS env, but if we don't also disable NODE_REPL_EXTERNAL_MODULE the protection would become meaningless.
I think we have 2 options to fix this:
Disable NODE_REPL_EXTERNAL_MODULE env when kDisableNodeOptionsEnv is used.
Deprecate kDisableNodeOptionsEnv and add a new flag that disables all possible ways to inject code.
@zcbenz While the first option is trivial I assume it will be a breaking change for all users that rely on the current behavior. I believe a new flag should be a safer approach. Honestly, I'm fine with both options.
Node has an
kDisableNodeOptionsEnv
embedder flag that disablesNODE_OPTIONS
env to avoid injecting external code into apps, however it can be bypassed by using theNODE_REPL_EXTERNAL_MODULE
env as reported by electron/electron#40770.I understand
kDisableNodeOptionsEnv
only means to disableNODE_OPTIONS
env, but if we don't also disableNODE_REPL_EXTERNAL_MODULE
the protection would become meaningless.I think we have 2 options to fix this:
NODE_REPL_EXTERNAL_MODULE
env whenkDisableNodeOptionsEnv
is used.kDisableNodeOptionsEnv
and add a new flag that disables all possible ways to inject code.I wonder which one would be preferred by Node team. /cc @addaleax @joyeecheung @bnoordhuis
The text was updated successfully, but these errors were encountered: