test: include strace openat test #46150
| const file = line.match(/"(.*?)"/)[1]; | ||
| // skip .so reading attempt | ||
| if (file.match(/.+\.so(\.?)/) !== null){ |
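Review bot: the skip pattern on the last line, `/.+\.so(\.?)/`, is unanchored and its trailing group is optional, so it matches any path that merely contains `.so` after one character (a name ending in `.sock`, or a directory such as `.sources`), and every such open is silently dropped from the assertion. Matching the basename with an end anchor, for example `/\.so(\.\d+)*$/`, would limit the skip to shared objects. Separately, `line.match(/"(.*?)"/)[1]` on the first line throws a TypeError for any strace line that has no quoted argument, so the match result should be checked for null before indexing.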
It might actually not be that bad to assert these as well – if we added a new .so dependency on Linux, we might want to know about that?
In my case, it's reading the .so from shared locations, for instance: "/home/rafaelgss/.gvm/pkgsets/go1.15/global/overlay/lib/libpthread.so.0". How would we handle it?
You could assert just the filename, ignoring the rest of the path, right?
I'm not sure. That CVE mentioned in the PR description is really about it. Reading a file/library from an unexpected path.
Yeah, please don’t consider this a blocking comment. This would test something different, that’s true, but it does seem valuable to test it regardless.
b94519d to 1208513
1208513 to 132dfe4
bnoordhuis commented Jan 10, 2023
I don't think you're going to be able to avoid this. Different versions of glibc open different files, to say nothing of other libcs. If you want to go fancy, you could wait until right before the child process does Another issue you or someone else inevitably is going to run into is that strace won't work on locked down systems (
RafaelGSS commented Jan 13, 2023
What about skipping
Well, we can also run it only on CI, so I assume it will work all the time.
bnoordhuis commented Jan 13, 2023
That won't be enough. glibc can for any number of reasons decide to open files in /etc, /proc, /sys, /lib, etc.
RafaelGSS commented Jan 21, 2023
Requesting CI just to see how many use cases I would need to cover. Another viable option would be just logging it before publishing a release; however, it would require an extra step for a releaser, which is definitely something I don't want.
132dfe4 to 3cc256f
RafaelGSS commented Jan 30, 2023
Wouldn't it be consistent in the CI machine at least? Well, I think we won't have a better way to pursue this work, right?
8c82218 to 534a61b
Signed-off-by: RafaelGSS <[email protected]>
b718aa0 to fa16d9f
RafaelGSS commented Feb 7, 2023
@bnoordhuis It seems to be fixed (considering we are skipping the test in a few situations), but based on your comment it looks like we should also skip it when it's not running in the CI. Do you think it will be flaky somehow?
nodejs-github-bot commented Feb 23, 2023
Landed in 86362b7
Signed-off-by: RafaelGSS <[email protected]>
PR-URL: #46150
Reviewed-By: Michael Dawson <[email protected]>
* chore: bump node in DEPS to v18.16.0
* build,test: add proper support for IBM i nodejs/node#46739
* lib: enforce use of trailing commas nodejs/node#46881
* src: add initial support for single executable applications nodejs/node#45038
* lib: do not crash using workers with disabled shared array buffers nodejs/node#41023
* src: remove shadowed variable in OptionsParser::Parse nodejs/node#46672
* src: allow embedder control of code generation policy nodejs/node#46368
* src: allow optional Isolate termination in node::Stop() nodejs/node#46583
* lib: fix BroadcastChannel initialization location nodejs/node#46864
* chore: fixup patch indices
* chore: sync filenames.json
* fix: add simdutf dep to src/inspector BUILD.gn
  - nodejs/node#46471
  - nodejs/node#46472
* deps: replace url parser with Ada nodejs/node#46410
* tls: support automatic DHE nodejs/node#46978
* fixup! src: add initial support for single executable applications
* http: unify header treatment nodejs/node#46528
* fix: libc++ buffer overflow in string_view ctor nodejs/node#46410
* test: include strace openat test nodejs/node#46150
* fixup! fixup! src: add initial support for single executable applications

---------

Co-authored-by: electron-roller[bot] <84116207+electron-roller[bot]@users.noreply.github.com>
Co-authored-by: Shelley Vohr <[email protected]>
Signed-off-by: RafaelGSS [email protected]
Opening it for early feedback. We need to find a way to do it cross-platform, either with other files (openat-linux-syscall, openat-osx-syscall, openat-windows-syscall) or with some magic cross-platform tool.
The idea is to address nodejs/security-wg#827. The CVE-2022-32222 is an example of the purpose of this test.
cc: @nodejs/security-wg @mhdawson
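
An added example (not code from this PR or from Node.js) of the trade-off raised in the review thread: instead of skipping every `.so` open, it accepts shared objects only when they resolve under a trusted library directory and reports every other `openat` target. The strace lines are constructed, and the trusted directories, the expected-file list and all function names are assumptions of this sketch.

```javascript
'use strict';
const path = require('path');

// Constructed strace output for illustration (not captured from a real run).
const SAMPLE = [
  'openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3',
  'openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 3',
  'openat(AT_FDCWD, "/home/user/overlay/lib/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 3',
  'openat(AT_FDCWD, "/tmp/app.sock", O_RDWR) = -1 ENOENT (No such file or directory)',
  'openat(AT_FDCWD, "/home/user/build/app.cnf", O_RDONLY) = -1 ENOENT (No such file or directory)',
  '+++ exited with 0 +++',
];

// Assumed policy: where libraries may load from, and which other files are expected.
const TRUSTED_LIB_DIRS = ['/lib', '/lib64', '/usr/lib', '/usr/lib64'];
const EXPECTED_FILES = new Set(['/etc/ld.so.cache']);

// Anchored at the end of the basename: libfoo.so, libfoo.so.0, libfoo.so.1.2
const SHARED_OBJECT = /\.so(\.\d+)*$/;

// Returns the path argument of an openat line, or null for any other line.
function parseOpenat(line) {
  const m = /\bopenat\([^,]+,\s*"((?:[^"\\]|\\.)*)"/.exec(line);
  return m === null ? null : m[1];
}

function underTrustedDir(file) {
  // Collapse ".." so "/lib/../tmp/x.so" is judged as "/tmp/x.so".
  const resolved = path.posix.normalize(file);
  return TRUSTED_LIB_DIRS.some((d) => resolved.startsWith(d + '/'));
}

// Failed opens (ENOENT) are reported too: the lookup itself is the finding.
function audit(lines) {
  const findings = [];
  for (const line of lines) {
    const file = parseOpenat(line);
    if (file === null || EXPECTED_FILES.has(file)) continue;
    const isLib = SHARED_OBJECT.test(path.posix.basename(file));
    if (isLib && underTrustedDir(file)) continue;
    findings.push({ file, kind: isLib ? 'library-outside-trusted-dir' : 'unexpected-file' });
  }
  return findings;
}

console.log(audit(SAMPLE));
```

Paths are compared as strace printed them, so symlinks are not resolved; the expected-file list would still need per-libc entries, as the thread points out.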