Skip to content

Commit

Permalink
test(jest): revert CVE-2023-46809 to allow openpgp tests to pass (#…
Browse files Browse the repository at this point in the history
  • Loading branch information
viceice authored Feb 19, 2024
1 parent 7103ecd commit 23f3df6
Show file tree
Hide file tree
Showing 2 changed files with 31 additions and 5 deletions.
8 changes: 3 additions & 5 deletions package.json
Original file line number Diff line number Diff line change
Expand Up @@ -27,11 +27,9 @@
"generate": "run-s 'generate:*'",
"generate:imports": "node tools/generate-imports.mjs",
"git-check": "node tools/check-git-version.mjs",
"jest": "NODE_OPTIONS=\"--experimental-vm-modules\" LOG_LEVEL=fatal GIT_ALLOW_PROTOCOL=file jest --logHeapUsage",
"jest:vscode": "NODE_OPTIONS=\"$NODE_OPTIONS --experimental-vm-modules\" LOG_LEVEL=fatal GIT_ALLOW_PROTOCOL=file jest --logHeapUsage",
"jest:14": "run-s 'jest {@}' --",
"jest:16": "run-s 'jest {@}' --",
"jest-debug": "NODE_OPTIONS=\"--inspect-brk --experimental-vm-modules\" jest --testTimeout=100000000",
"jest": "node tools/jest.mjs",
"jest:vscode": "node tools/jest.mjs",
"jest-debug": "NODE_OPTIONS='$NODE_OPTIONS --inspect-brk' node tools/jest.mjs --testTimeout=100000000",
"lint": "run-s ls-lint type-check eslint prettier markdown-lint git-check doc-fence-check",
"lint-fix": "run-s eslint-fix prettier-fix markdown-lint-fix",
"ls-lint": "ls-lint",
Expand Down
28 changes: 28 additions & 0 deletions tools/jest.mjs
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
import { spawnSync } from 'node:child_process';
import { argv, env, version } from 'node:process';
import semver from 'semver';

// needed for tests
env.GIT_ALLOW_PROTOCOL = 'file';
// reduce logging
env.LOG_LEVEL = 'fatal';

const args = ['--experimental-vm-modules'];

/*
* openpgp encryption is broken because it needs PKCS#1 v1.5
* - #27375
* - https://nodejs.org/en/blog/vulnerability/february-2024-security-releases#nodejs-is-vulnerable-to-the-marvin-attack-timing-variant-of-the-bleichenbacher-attack-against-pkcs1-v15-padding-cve-2023-46809---medium
*
* Sadly there is no way to suppress `SECURITY WARNING: Reverting CVE-2023-46809: Marvin attack on PKCS#1 padding` warining
*/
if (semver.satisfies(version, '^18.19.1 || ^20.11.1 || >=21.6.2')) {
args.push('--security-revert=CVE-2023-46809');
}

args.push('node_modules/jest/bin/jest.js', '--logHeapUsage');

// add other args after `node tools/jest.mjs`
args.push(...argv.slice(2));

spawnSync('node', args, { stdio: 'inherit', env });

0 comments on commit 23f3df6

Please sign in to comment.