From 1d89c5d1e16d67962db2735efc601b48bd78255d Mon Sep 17 00:00:00 2001 From: Shelley Vohr Date: Wed, 23 Oct 2019 11:06:57 -0700 Subject: [PATCH] cli: whitelist new V8 flag in NODE_OPTIONS MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Explicitly whitelists --disallow-code-generation-from-strings in NODE_OPTIONS as a new V8 flag. This flag prevents strings like eval() from performing code generation. PR-URL: https://github.com/nodejs/node/pull/30094 Reviewed-By: Luigi Pinca Reviewed-By: Anna Henningsen Reviewed-By: Michaƫl Zasso Reviewed-By: Gireesh Punathil Reviewed-By: Gus Caplan Reviewed-By: Colin Ihrig Reviewed-By: James M Snell --- doc/api/cli.md | 10 ++++++++++ doc/node.1 | 5 +++++ src/node_options.cc | 4 ++++ test/parallel/test-cli-node-options.js | 1 + 4 files changed, 20 insertions(+) diff --git a/doc/api/cli.md b/doc/api/cli.md index 2830f90358370c..d9d7d3ad5e7365 100644 --- a/doc/api/cli.md +++ b/doc/api/cli.md @@ -127,6 +127,15 @@ added: v12.0.0 Specify the file name of the CPU profile generated by `--cpu-prof`. +### `--disallow-code-generation-from-strings` + + +Make built-in language features like `eval` and `new Function` that generate +code from strings throw an exception instead. This does not affect the Node.js +`vm` module. + ### `--enable-fips` * `--abort-on-uncaught-exception` +* `--disallow-code-generation-from-strings` * `--interpreted-frames-native-stack` * `--max-old-space-size` * `--perf-basic-prof-only-functions` diff --git a/doc/node.1 b/doc/node.1 index 9af077fc96b4dc..e9b7855b9be483 100644 --- a/doc/node.1 +++ b/doc/node.1 @@ -100,6 +100,11 @@ The default is File name of the V8 CPU profile generated with .Fl -cpu-prof . +.It Fl -disallow-code-generation-from-strings +Make built-in language features like `eval` and `new Function` that generate +code from strings throw an exception instead. This does not affect the Node.js +`vm` module. +. .It Fl -enable-fips Enable FIPS-compliant crypto at startup. Requires Node.js to be built with diff --git a/src/node_options.cc b/src/node_options.cc index 8ec469d3ac3a99..695d7cee6541cc 100644 --- a/src/node_options.cc +++ b/src/node_options.cc @@ -589,6 +589,10 @@ PerIsolateOptionsParser::PerIsolateOptionsParser( V8Option{}, kAllowedInEnvironment); AddOption("--stack-trace-limit", "", V8Option{}, kAllowedInEnvironment); + AddOption("--disallow-code-generation-from-strings", + "disallow eval and friends", + V8Option{}, + kAllowedInEnvironment); #ifdef NODE_REPORT AddOption("--report-uncaught-exception", diff --git a/test/parallel/test-cli-node-options.js b/test/parallel/test-cli-node-options.js index 7e42139470e964..698f463b627644 100644 --- a/test/parallel/test-cli-node-options.js +++ b/test/parallel/test-cli-node-options.js @@ -60,6 +60,7 @@ if (common.hasCrypto) { // V8 options expect('--abort_on-uncaught_exception', 'B\n'); +expect('--disallow-code-generation-from-strings', 'B\n'); expect('--max-old-space-size=0', 'B\n'); expect('--stack-trace-limit=100', /(\s*at f \(\[eval\]:1:\d*\)\r?\n){100}/,