Skip to content

permission: fix spawnSync permission check#46975

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
RafaelGSS wants to merge 1 commit into from
Closed

permission: fix spawnSync permission check #46975

RafaelGSS wants to merge 1 commit into from

Conversation

@RafaelGSS
Copy link
Member

@RafaelGSSRafaelGSS commented Mar 6, 2023
edited
Loading

It was missing in the original PR #44004.

Fixes: https://github.com/nodejs-private/node-private/issues/394

@nodejs-github-botnodejs-github-bot added c++ Issues and PRs that require attention from people who are familiar with C++. child_process Issues and PRs related to the child_process subsystem. needs-ci PRs that need a full CI run. labels Mar 6, 2023
@RafaelGSSRafaelGSS added the request-ci Add this label to start a Jenkins CI on a PR. label Mar 6, 2023
cjihrig
cjihrig approved these changes Mar 6, 2023
View reviewed changes
Copy link
Contributor

@cjihrigcjihrig left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Please also include:

Fixes: https://github.com/nodejs-private/node-private/issues/394

@github-actionsgithub-actionsbot removed the request-ci Add this label to start a Jenkins CI on a PR. label Mar 6, 2023
@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented Mar 6, 2023

CI: https://ci.nodejs.org/job/node-test-pull-request/50232/

@RafaelGSSRafaelGSS mentioned this pull request Mar 6, 2023
Merged
@RafaelGSSRafaelGSSforce-pushed the fix/add-permission-spawn-check branch from 41d0d74 to 693b833CompareMarch 6, 2023 19:42
@RafaelGSSRafaelGSS added the request-ci Add this label to start a Jenkins CI on a PR. label Mar 6, 2023
@github-actionsgithub-actionsbot removed the request-ci Add this label to start a Jenkins CI on a PR. label Mar 6, 2023
@RafaelGSSRafaelGSSforce-pushed the fix/add-permission-spawn-check branch from 693b833 to 67f3bceCompareMarch 6, 2023 22:07
@RafaelGSS
Copy link
MemberAuthor

RafaelGSS commented Mar 6, 2023
edited
Loading

CI https://ci.nodejs.org/job/node-test-pull-request/50242/

@github-actionsgithub-actionsbot mentioned this pull request Mar 7, 2023
Open
19 tasks
@RafaelGSSRafaelGSS added the fast-track PRs that do not need to wait for 48 hours to land. label Mar 7, 2023
@github-actions
Copy link
Contributor

github-actionsbot commented Mar 7, 2023

Fast-track has been requested by @RafaelGSS. Please 👍 to approve.

@RafaelGSS
Copy link
MemberAuthor

RafaelGSS commented Mar 7, 2023

Requesting fast-track because I'll work on the v19.8.0 proposal tomorrow and we need to have this patch.

@RafaelGSSRafaelGSS added the commit-queue Add this label to land a pull request using GitHub Actions. label Mar 7, 2023
@nodejs-github-botnodejs-github-bot added commit-queue-failed An error occurred while landing this pull request using GitHub Actions. and removed commit-queue Add this label to land a pull request using GitHub Actions. labels Mar 7, 2023
@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented Mar 7, 2023

Commit Queue failed
- Loading data for nodejs/node/pull/46975 ✔ Done loading data for nodejs/node/pull/46975 ----------------------------------- PR info ------------------------------------ Title permission: fix spawnSync permission check (#46975) Author Rafael Gonzaga (@RafaelGSS) Branch RafaelGSS:fix/add-permission-spawn-check -> nodejs:main Labels child_process, c++, fast-track, needs-ci Commits 1 - permission: fix spawnSync permission check Committers 1 - RafaelGSS PR-URL: https://github.com/nodejs/node/pull/46975 Fixes: https://github.com/nodejs-private/node-private/issues/394 Reviewed-By: Colin Ihrig Reviewed-By: Anna Henningsen ------------------------------ Generated metadata ------------------------------ PR-URL: https://github.com/nodejs/node/pull/46975 Fixes: https://github.com/nodejs-private/node-private/issues/394 Reviewed-By: Colin Ihrig Reviewed-By: Anna Henningsen -------------------------------------------------------------------------------- ⚠ Commits were pushed since the last review: ⚠ - permission: fix spawnSync permission check ℹ This PR was created on Mon, 06 Mar 2023 16:46:11 GMT ✔ Approvals: 2 ✔ - Colin Ihrig (@cjihrig) (TSC): https://github.com/nodejs/node/pull/46975#pullrequestreview-1326742875 ✔ - Anna Henningsen (@addaleax): https://github.com/nodejs/node/pull/46975#pullrequestreview-1327221779 ℹ This PR is being fast-tracked ✔ Last GitHub CI successful ℹ Last Full PR CI on 2023-03-06T22:59:26Z: https://ci.nodejs.org/job/node-test-pull-request/50242/ - Querying data for job/node-test-pull-request/50242/ ✔ Last Jenkins CI successful -------------------------------------------------------------------------------- ✔ Aborted `git node land` session in /home/runner/work/node/node/.ncu
https://github.com/nodejs/node/actions/runs/4356000066

@RafaelGSS
Copy link
MemberAuthor

RafaelGSS commented Mar 7, 2023

Landed in b164038

RafaelGSS added a commit that referenced this pull request Mar 7, 2023
@RafaelGSS
permission: fix spawnSync permission check
b164038
Fixes: nodejs-private/node-private#394 Signed-off-by: RafaelGSS <[email protected]> PR-URL: #46975 Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Anna Henningsen <[email protected]> Reviewed-By: Richard Lau <[email protected]>
@tniessen
Copy link
Member

tniessen commented Mar 7, 2023

Requesting fast-track because I'll work on the v19.8.0 proposal tomorrow and we need to have this patch.

Maybe we should consider letting it bake on main for a while longer, given that this kind of bug would otherwise trigger the security release workflow?

@RafaelGSS
Copy link
MemberAuthor

RafaelGSS commented Mar 7, 2023

Maybe we should consider letting it bake on main for a while longer, given that this kind of bug would otherwise trigger the security release workflow?

I don't see much value in it, at least for this particular feature. It's useful when it's a significant change or notable change being released in an LTS release. @cjihrig found the bug as a Node.js maintainer, I don't see other Node.js contributors finding it as they are unlikely to use it. Errors like this will be encountered (if any) by users and as you stated, would be fixed in a security release -- but, I don't see the baking time avoiding it though.

However, if you feel strongly about the baking time of this feature, I can postpone it to v19.9.0. Just let me know.

@tniessen
Copy link
Member

tniessen commented Mar 7, 2023

That's a good point. I don't feel strongly about it. I am only bringing this up because I think it is very likely that this feature will lead to vulnerability reports shortly after being released, simply because it significantly increases the attack surface and has only been reviewed by very few people so far. Letting it bake might lead to more issues like this being found that can be fixed publicly, but it might just as well be unlikely.

@RafaelGSS
Copy link
MemberAuthor

RafaelGSS commented Mar 7, 2023

Well, skipping it for v19.8.0 won't hurt. Let's release the permission model in v19.9.0 then. I will include the blocked label.

@RafaelGSSRafaelGSS added the blocked PRs that are blocked by other issues or PRs. label Mar 7, 2023
@RafaelGSSRafaelGSS mentioned this pull request Mar 7, 2023
Merged
This was referenced Mar 8, 2023
Open
Open
Open
Open
Open
targos pushed a commit that referenced this pull request Mar 13, 2023
@RafaelGSS@targos
permission: fix spawnSync permission check
4329c49
Fixes: nodejs-private/node-private#394 Signed-off-by: RafaelGSS <[email protected]> PR-URL: #46975 Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Anna Henningsen <[email protected]> Reviewed-By: Richard Lau <[email protected]>
@targostargos added backport-blocked-v19.x and removed blocked PRs that are blocked by other issues or PRs. labels Mar 14, 2023
This was referenced Mar 14, 2023
Closed
Closed
@RafaelGSSRafaelGSS mentioned this pull request Apr 3, 2023
Merged
@RafaelGSSRafaelGSS added dont-land-on-v20.x PRs that should not land on the v20.x-staging branch and should not be released in v20.x. backport-blocked-v16.x and removed dont-land-on-v20.x PRs that should not land on the v20.x-staging branch and should not be released in v20.x. backport-blocked-v16.x labels Apr 3, 2023
@tniessentniessen added the permission Issues and PRs related to the Permission Model label Aug 10, 2023
Sign up for freeto join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@addaleaxaddaleaxaddaleax approved these changes

@cjihrigcjihrigcjihrig approved these changes

@richardlaurichardlaurichardlau approved these changes

Assignees

No one assigned

Labels

c++Issues and PRs that require attention from people who are familiar with C++.child_processIssues and PRs related to the child_process subsystem.commit-queue-failedAn error occurred while landing this pull request using GitHub Actions.fast-trackPRs that do not need to wait for 48 hours to land.needs-ciPRs that need a full CI run.permissionIssues and PRs related to the Permission Model

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@RafaelGSS@nodejs-github-bot@tniessen@addaleax@cjihrig@richardlau@targos