From 3790d524c1781334ccc504a6eb510bc53ee2ad64 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tobias=20Nie=C3=9Fen?= Date: Thu, 18 Apr 2024 15:09:09 +0200 Subject: [PATCH] src: remove erroneous CVE-2024-27980 revert option No security reverts should exist on the main branch. PR-URL: https://github.com/nodejs/node/pull/52543 Reviewed-By: Richard Lau Reviewed-By: Yagiz Nizipli Reviewed-By: Rafael Gonzaga Reviewed-By: Luigi Pinca --- src/node_revert.h | 5 ++--- src/util-inl.h | 5 ++--- .../test-child-process-spawn-windows-batch-file.js | 13 +------------ 3 files changed, 5 insertions(+), 18 deletions(-) diff --git a/src/node_revert.h b/src/node_revert.h index 908a69750834bf..da212af076dfef 100644 --- a/src/node_revert.h +++ b/src/node_revert.h @@ -15,9 +15,8 @@ **/ namespace node { -#define SECURITY_REVERSIONS(XX) \ - XX(CVE_2024_27980, "CVE-2024-27980", "Unsafe Windows batch file execution") -// XX(CVE_2016_PEND, "CVE-2016-PEND", "Vulnerability Title") +#define SECURITY_REVERSIONS(XX) \ + // XX(CVE_2016_PEND, "CVE-2016-PEND", "Vulnerability Title") enum reversion { #define V(code, ...) SECURITY_REVERT_##code, diff --git a/src/util-inl.h b/src/util-inl.h index dc13d1063d3721..463f982c91c71b 100644 --- a/src/util-inl.h +++ b/src/util-inl.h @@ -648,9 +648,8 @@ bool IsWindowsBatchFile(const char* filename) { static constexpr bool kIsWindows = false; #endif // _WIN32 if (kIsWindows) - if (!IsReverted(SECURITY_REVERT_CVE_2024_27980)) - if (const char* p = strrchr(filename, '.')) - return StringEqualNoCase(p, ".bat") || StringEqualNoCase(p, ".cmd"); + if (const char* p = strrchr(filename, '.')) + return StringEqualNoCase(p, ".bat") || StringEqualNoCase(p, ".cmd"); return false; } diff --git a/test/parallel/test-child-process-spawn-windows-batch-file.js b/test/parallel/test-child-process-spawn-windows-batch-file.js index 81d0c64500d7ed..242f2d2d1bb468 100644 --- a/test/parallel/test-child-process-spawn-windows-batch-file.js +++ b/test/parallel/test-child-process-spawn-windows-batch-file.js @@ -19,24 +19,13 @@ const cp = require('child_process'); const assert = require('assert'); const { isWindows } = common; -const arg = '--security-revert=CVE-2024-27980'; -const isRevert = process.execArgv.includes(arg); - -const expectedCode = isWindows && !isRevert ? 'EINVAL' : 'ENOENT'; +const expectedCode = isWindows ? 'EINVAL' : 'ENOENT'; const expectedStatus = isWindows ? 1 : 127; const suffixes = 'BAT bAT BaT baT BAt bAt Bat bat CMD cMD CmD cmD CMd cMd Cmd cmd' .split(' '); -if (process.argv[2] === undefined) { - const a = cp.spawnSync(process.execPath, [__filename, 'child']); - const b = cp.spawnSync(process.execPath, [arg, __filename, 'child']); - assert.strictEqual(a.status, 0); - assert.strictEqual(b.status, 0); - return; -} - function testExec(filename) { return new Promise((resolve) => { cp.exec(filename).once('exit', common.mustCall(function(status) {