fix: add SHA-256 integrity check for cached .node files#230
Open
olegcS wants to merge 1 commit intoyao-pkg:mainfrom
Open
fix: add SHA-256 integrity check for cached .node files#230olegcS wants to merge 1 commit intoyao-pkg:mainfrom
olegcS wants to merge 1 commit intoyao-pkg:mainfrom
Conversation
Add integrity verification for cached .node files in the single-file code path (the else branch of process.dlopen). The node_modules path already had hash verification via copyFolderRecursiveSync, but the single-file path only checked fs.existsSync. A tampered or corrupted cached file is now detected and re-extracted from the snapshot. This closes a privilege escalation vector where native addons are extracted to user-writable directories (e.g. ~/.cache/pkg/) and can be replaced with malicious .node files that execute at the privilege level of the packaged application. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
4 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
.nodefiles in the single-file code path ofprocess.dlopennode_modulespath already had hash verification viacopyFolderRecursiveSync, but the single-file path only checkedfs.existsSync— a tampered or corrupted cached file was silently loadedSecurity context
Native addons are extracted to user-writable directories (e.g.
~/.cache/pkg/). Without integrity verification, an attacker could replace a cached.nodefile with a malicious one that executes at the privilege level of the packaged application. This closes that privilege escalation vector.Relation to #228
This is the integrity-check-only portion of #228, split per reviewer feedback. The lazy
PKG_NATIVE_CACHE_PATHeval has been dropped from this PR.Test plan
elsebranch inprocess.dlopen.nodefile, confirm it gets re-extracted🤖 Generated with Claude Code