msi: do not create AppData\Roaming\npm

This effectively reverts e431cae due to security concerns. The directory is being created with elevated privileges but its path may depend on an unprivileged user's environment variables. Creating a directory in certain sensitive locations can cause Windows to become inoperable. Creating AppData\Roaming\npm was an intentional addition in order to resolve nodejs/node-v0.x-archive#8141, which appears to have been a common issue for users of npm. However, this was implemented before 4cfe5eb, which changed the MSI installation scope to perMachine. There were concerns about creating the npm directory in that PR, albeit not related to security (see nodejs/node-v0.x-archive#25640). Refs: nodejs/node-v0.x-archive#8141 Refs: nodejs/node-v0.x-archive#8838 Refs: nodejs/node-v0.x-archive#25640 PR-URL: nodejs-private/node-private#408 Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> CVE-ID: CVE-2023-30585
nodejs · Jun 19, 2023 · 9c17e33 · 9c17e33
1 parent c39a43b
commit 9c17e33
Showing 1 changed file with 0 additions and 12 deletions.
diff --git a/tools/msvs/msi/nodemsi/product.wxs b/tools/msvs/msi/nodemsi/product.wxs
@@ -69,7 +69,6 @@
       <ComponentRef Id="NodeRegistryEntries"/>
       <ComponentRef Id="NodeVarsScript"/>
       <ComponentRef Id="NodeStartMenu"/>
-      <ComponentRef Id="AppData" />
       <ComponentRef Id="InstallToolsBat" />
       <ComponentRef Id="SetInstallDirPermission" />
     </Feature>
@@ -92,7 +91,6 @@
       <ComponentRef Id="NpxCmdScript"/>
       <ComponentRef Id="NpxBashScript"/>
       <ComponentRef Id="NpmConfigurationFile"/>
-      <ComponentRef Id="AppData" />
       <ComponentRef Id="SetInstallDirPermission" />
       <ComponentGroupRef Id="NpmSourceFiles"/>
     </Feature>
@@ -243,16 +241,6 @@
       </Directory>
     </DirectoryRef>
 
-    <StandardDirectory Id="AppDataFolder">
-      <Directory Id="AppDataDir" Name="npm">
-        <Component Id="AppData" Guid="D3B35D0E-D0F9-4D11-A773-D4608E90E1D1">
-          <CreateFolder />
-          <RemoveFolder Id="AppDataDir" On="uninstall" />
-          <RegistryValue Root="HKCU" Key="$(var.RegistryKeyPath)\Components" Type="string" Value="" />
-        </Component>
-      </Directory>
-    </StandardDirectory>
-
     <DirectoryRef Id="ApplicationProgramsFolder">
       <Component Id="DocumentationShortcuts">
         <RegistryValue Root="HKCU"