test: include strace openat test #46150
Conversation
nodejs-github-bot
added
needs-ci
|
|
||
| const file = line.match(/"(.*?)"/)[1]; | ||
| // skip .so reading attempt | ||
| if (file.match(/.+\.so(\.?)/) !== null) { |
There was a problem hiding this comment.
It might actually not be that bad to assert these as well – if we added a new .so dependency on Linux, we might want to know about that?
There was a problem hiding this comment.
In my case, it's reading the .so from shared locations, for instance: "/home/rafaelgss/.gvm/pkgsets/go1.15/global/overlay/lib/libpthread.so.0". How would we handle it?
There was a problem hiding this comment.
You could assert just the filename, ignoring the rest of the path, right?
There was a problem hiding this comment.
I'm not sure. That CVE mentioned in the PR description is really about it. Reading a file/library from an unexpected path.
There was a problem hiding this comment.
Yeah, please don’t consider this a blocking comment. This would test something different, that’s true, but it does seem valuable to test it regardless.
RafaelGSS
force-pushed
the
add-strace-openat-test
branch
from
b94519d
to
1208513
Compare
RafaelGSS
force-pushed
the
add-strace-openat-test
branch
from
1208513
to
132dfe4
Compare
I don't think you're going to be able to avoid this. Different versions of glibc open different files, to say nothing of other libcs. If you want to go fancy, you could wait until right before the child process does Another issue you or someone else inevitably is going to run into is that strace won't work on locked down systems ( |
What about skipping
Well, we can also run it only on CI, so I assume it will work all the time. |
That won't be enough. glibc can for any number of reasons decide to open files in /etc, /proc, /sys, /lib, etc. |
|
Requesting CI just to see how many use cases I would need to cover. Another viable option would be just logging it before publishing a release, however, it would require an extra step for a releaser, which is, definitely something I don't want. |
github-actions
bot
removed
the
request-ci
Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com>
RafaelGSS
force-pushed
the
add-strace-openat-test
branch
from
132dfe4
to
3cc256f
Compare
Wouldn't it be consistent in the CI machine at least? Well, I think we won't have a better way to pursue this work, right? |
github-actions
bot
removed
the
request-ci
Signed-off-by: RafaelGSS rafael.nunu@hotmail.com
Opening it for early feedback. We need to find a way to do it cross-platform, either with other files (openat-linux-syscall, openat-osx-syscall, openat-windows-syscall) or with some magic cross-platform tool.
The idea is to address nodejs/security-wg#827. The CVE-2022-32222 is an example of the purpose of this test.
cc: @nodejs/security-wg @mhdawson