test: include strace openat test #46150
Conversation
nodejs-github-bot
added
needs-ci
|
|
||
| const file = line.match(/"(.*?)"/)[1]; | ||
| // skip .so reading attempt | ||
| if (file.match(/.+\.so(\.?)/) !== null) { |
There was a problem hiding this comment.
It might actually not be that bad to assert these as well – if we added a new .so dependency on Linux, we might want to know about that?
There was a problem hiding this comment.
In my case, it's reading the .so from shared locations, for instance: "/home/rafaelgss/.gvm/pkgsets/go1.15/global/overlay/lib/libpthread.so.0". How would we handle it?
There was a problem hiding this comment.
You could assert just the filename, ignoring the rest of the path, right?
There was a problem hiding this comment.
I'm not sure. That CVE mentioned in the PR description is really about it. Reading a file/library from an unexpected path.
There was a problem hiding this comment.
Yeah, please don’t consider this a blocking comment. This would test something different, that’s true, but it does seem valuable to test it regardless.
RafaelGSS
force-pushed
the
add-strace-openat-test
branch
from
b94519d
to
1208513
Compare
RafaelGSS
force-pushed
the
add-strace-openat-test
branch
from
1208513
to
132dfe4
Compare
I don't think you're going to be able to avoid this. Different versions of glibc open different files, to say nothing of other libcs. If you want to go fancy, you could wait until right before the child process does Another issue you or someone else inevitably is going to run into is that strace won't work on locked down systems ( |
What about skipping
Well, we can also run it only on CI, so I assume it will work all the time. |
That won't be enough. glibc can for any number of reasons decide to open files in /etc, /proc, /sys, /lib, etc. |
|
Requesting CI just to see how many use cases I would need to cover. Another viable option would be just logging it before publishing a release, however, it would require an extra step for a releaser, which is, definitely something I don't want. |
github-actions
bot
removed
the
request-ci
RafaelGSS
force-pushed
the
add-strace-openat-test
branch
from
132dfe4
to
3cc256f
Compare
Wouldn't it be consistent in the CI machine at least? Well, I think we won't have a better way to pursue this work, right? |
github-actions
bot
removed
the
request-ci
RafaelGSS
force-pushed
the
add-strace-openat-test
branch
2 times, most recently
from
8c82218
to
534a61b
Compare
Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com>
RafaelGSS
force-pushed
the
add-strace-openat-test
branch
from
b718aa0
to
fa16d9f
Compare
github-actions
bot
removed
the
request-ci
|
@bnoordhuis It seems to be fixed (considering we are skipping the test in a few situations), but based on your comment looks like we should also skip it when it's not running in the CI. Do you think it will be flaky somehow? |
github-actions
bot
removed
the
request-ci
RafaelGSS
added
the
commit-queue
nodejs-github-bot
removed
the
commit-queue
|
Landed in 86362b7 |
Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com> PR-URL: #46150 Reviewed-By: Michael Dawson <midawson@redhat.com>
Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com> PR-URL: #46150 Reviewed-By: Michael Dawson <midawson@redhat.com>
* chore: bump node in DEPS to v18.16.0 * build,test: add proper support for IBM i nodejs/node#46739 * lib: enforce use of trailing commas nodejs/node#46881 * src: add initial support for single executable applications nodejs/node#45038 * lib: do not crash using workers with disabled shared array buffers nodejs/node#41023 * src: remove shadowed variable in OptionsParser::Parse nodejs/node#46672 * src: allow embedder control of code generation policy nodejs/node#46368 * src: allow optional Isolate termination in node::Stop() nodejs/node#46583 * lib: fix BroadcastChannel initialization location nodejs/node#46864 * chore: fixup patch indices * chore: sync filenames.json * fix: add simdutf dep to src/inspector BUILD.gn - nodejs/node#46471 - nodejs/node#46472 * deps: replace url parser with Ada nodejs/node#46410 * tls: support automatic DHE nodejs/node#46978 * fixup! src: add initial support for single executable applications * http: unify header treatment nodejs/node#46528 * fix: libc++ buffer overflow in string_view ctor nodejs/node#46410 * test: include strace openat test nodejs/node#46150 * fixup! fixup! src: add initial support for single executable applications --------- Co-authored-by: electron-roller[bot] <84116207+electron-roller[bot]@users.noreply.github.com> Co-authored-by: Shelley Vohr <shelley.vohr@gmail.com>
Signed-off-by: RafaelGSS rafael.nunu@hotmail.com
Opening it for early feedback. We need to find a way to do it cross-platform, either with other files (openat-linux-syscall, openat-osx-syscall, openat-windows-syscall) or with some magic cross-platform tool.
The idea is to address nodejs/security-wg#827. The CVE-2022-32222 is an example of the purpose of this test.
cc: @nodejs/security-wg @mhdawson