Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Is it possible to make a process.send cmd: "NODE_*" attack while under --experimental-pemission? #1156

Closed
LongTengDao opened this issue Nov 21, 2023 · 3 comments

Comments

@LongTengDao
Copy link

LongTengDao commented Nov 21, 2023

child_process.fork('', [], {
    execArgv: [
        '--experimental-permission',
        '-e', 'process.send({ cmd: "NODE_*" });',
    ]
});

Will this api be a security problem in any case to cause parent process work wrong?

@RafaelGSS
Copy link
Member

No. The process.send() method is used to send messages via IPC, it can be a problem if you eval the message in the parent process.

@LongTengDao
Copy link
Author

@RafaelGSS the docs says cmd property with string value which start with NODE_ is for internal use:

https://github.com/nodejs/node/blame/1858341377c268c5ffce9345517dc07b0e6c240a/doc/api/child_process.md#L1536

@RafaelGSS
Copy link
Member

Yes, but it wouldn't trigger any fs call. Also, if the parent process was created using the experimental permission, it should be ok.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants