Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

doc: specify to use primordials when coding #52558

Closed
wants to merge 1 commit into from
Closed

doc: specify to use primordials when coding #52558

wants to merge 1 commit into from

Conversation

RedYetiDev
Copy link
Member

For security reasons, the use of primordials is important when editing the NodeJS core, and this should be reflected in the documentation on editing NodeJS.

@nodejs-github-bot
Copy link
Collaborator

Review requested:

  • @nodejs/tsc

@nodejs-github-bot nodejs-github-bot added the doc Issues and PRs related to the documentations. label Apr 16, 2024
anonrig
anonrig requested changes Apr 16, 2024
View reviewed changes
Copy link
Member

@anonrig anonrig left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is an ongoing process to investigate and remove primordials. I don't think we should encourage using it.

@RedYetiDev
Copy link
Member Author

There is an ongoing process to investigate and remove primordials. I don't think we should encourage using it.

If primordials are removed, wouldn't that threaten the security of Node.js? AFAIK primordials are needed to prevent prototype pollution and similar.

@aduh95
Copy link
Contributor

aduh95 commented Apr 16, 2024
edited
Loading

AFAIK primordials are needed to prevent prototype pollution and similar.

Primordials are a tool to workaround (some) prototype pollution, but it's not the only one. (e.g. native code is typically not subject to prototype pollution without using primordials)

wouldn't that threaten the security of Node.js?

Not necessarily, it depends what "removing primordials" mean. I think it's fallacious to think of primordials as a security feature, a code using primordials can still be subject to prototype pollution, and not all prototype pollution would fall under the threat model of Node.js. It's more useful to think of it as a tool that improves the reliability of Node.js internals.

@RedYetiDev RedYetiDev closed this Apr 16, 2024
@RedYetiDev RedYetiDev deleted the patch-9 branch April 16, 2024 17:17
@joyeecheung
Copy link
Member

joyeecheung commented Apr 16, 2024
edited
Loading

If primordials are removed, wouldn't that threaten the security of Node.js?

Primordials are not a security mechanism, under the threat model of Node.js, see discussions in nodejs/TSC#1158.

Node.js trusts everything else. As some examples this includes:

The code it is asked to run including JavaScript and native code, even if said code is dynamically loaded, e.g. all dependencies installed from the npm registry. The code run inherits all the privileges of the execution user.

They are only a UX enhancement mechanism (for the internals not crash badly when user code modify the prototype incorrectly, e.g. if you throw an error, you don't want the Node.js error handler to go crazy because someone modifies some prototype method it uses and it'll be a lot harder to fix said error).

If an attacker already has the ability to run arbitrary code in the process, they can just e.g. require("child_process").spawn or process.dlopen() or new require("inspector").Session() to do whatever they want. Polluting the prototype would be one of the least cost-effective ways to do an exploit.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@anonrig anonrig anonrig requested changes

Assignees
No one assigned
Labels
doc Issues and PRs related to the documentations.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@RedYetiDev @nodejs-github-bot @aduh95 @joyeecheung @anonrig