fix(NODE-6265): add Spectre Mitigation and CFG

[rzhao271]

Description

What is changing?

This PR adds Spectre mitigation and control flow guards to the generated binaries by adding those flags to the binding.gyp file.

Is there new documentation needed for these changes?

Potentially. Enabling Spectre mitigation requires that package maintainers and contributors install Spectre-mitigated libraries for Visual Studio, assuming that Windows developers need to run node-gyp rebuild. In my case, it seems that the prebuild-install script runs and skips over the rebuild command. Non-Windows OSes should not be affected by this PR in general.

What is the motivation for this change?

BinSkim (a Microsoft binary analyzer) has identified that kerberos.node is missing Spectre mitigation and control flow guard flags. This issue affects the compliance of Visual Studio Code downstream along with the general security of the kerberos.node binary.

Release Highlight

Double check the following

• Ran npm run check:lint script
• Self-review completed using the steps outlined here
• PR title follows the correct format: type(NODE-xxxx)[!]: description
  • Example: feat(NODE-1234)!: rewriting everything in coffeescript
• Changes are covered by tests
• New TODOs have a related JIRA ticket

[evergreen-ci-prod]

There is an existing patch(es) for this commit SHA:

• Evergreen patch with PR

Please note that the status that is posted is not in the context of this PR but rather the (latest) existing patch and that may affect some tests that may depend on the particular PR. If your tests do not rely on any PR-specific values (like base or head branch name) then your tests will report the same status. If you would like a patch to run in the context of this PR and abort the other(s), comment 'evergreen retry'.

[rzhao271]

evergreen retry

[evergreen-ci-prod]

There is an existing patch(es) for this commit SHA that will be aborted:

• Evergreen patch with PR

The status reported will be corresponding to this PR rather than the previous existing ones. If you would like a patch to run for another PR and to abort this one, comment 'evergreen retry' on the corresponding PR.

[nbbeeken]

Potentially. Enabling Spectre mitigation requires that package maintainers and contributors install Spectre-mitigated libraries for Visual Studio, assuming that Windows developers need to run node-gyp rebuild. In my case, it seems that the prebuild-install script runs and skips over the rebuild command.

Hi @rzhao271 thanks for the help here. The prebuild-install step downloads prebuilds from the github release so when our next release goes out the windows build will have been built with the flag you have added. So I believe there's no need to rebuild on the user's end after installing this library. Unless I misunderstand the bit about needing to "install Spectre-mitigated libraries". Is that an additional set of libraries needed to support this at runtime or only at build? (I assume at build only)

[rzhao271]

The libraries are only required during the build step, when node-gyp calls into MSVC to build the C++ files.

[nbbeeken]

LGTM