
how to query for known CVE before setting argument flag --security-revert=CVE-xxxx-xxxxx #52196

Open
intersides opened this issue Mar 23, 2024 · 6 comments
Labels
feature request Issues that request new features to be added to Node.js.

Comments

@intersides
Copy link

What is the problem this feature will solve?

It would prevent Node.js from throwing an error that stops it from running, if it can be detected that setting --security-revert=CVE-xxxx-xxxxx might not be needed.

What is the feature you are proposing to solve the problem?

When running Node in Docker on different architectures, --security-revert=CVE-2023-46809 is required to keep using a certain encryption padding, but depending on the architecture this flag might cause Node to not start at all.
Instead of figuring out which architecture the flag is needed for, it would be helpful to be able to query whether it can be set without compromising the running application.

What alternatives have you considered?

Writing scripts that try to determine from the current host whether the flag should be omitted, since the Node version on the different hosts is the same (21) but depending on the architecture this flag might not be necessary, e.g. on x86_64.

@intersides intersides added the feature request Issues that request new features to be added to Node.js. label Mar 23, 2024
@meyfa
Copy link
Contributor

meyfa commented Mar 24, 2024

Maybe a better solution would be that passing the flag doesn't prevent Node.js from starting on any platform? If the revert doesn't apply for some reason, it could simply be a no-op.

What is the specific error you're seeing?

@intersides
Copy link
Author

I am getting: Error: Attempt to revert an unknown CVE [CVE-2023-46809]

One solution, maybe not too elegant, is to run node from a script (using JavaScript as an example) that does a sort of preflight, such as:

import { spawnSync } from "node:child_process";

// Preflight: start a throwaway node process with the revert flag and a trivial script.
// spawnSync is synchronous, so no await is needed.
const nodePreFlight = spawnSync("node", ["--security-revert=CVE-2023-46809", "--eval", "console.log(1234);"]);

const preflightStderr = nodePreFlight.stderr.toString();

if (preflightStderr.includes("Attempt to revert an unknown CVE")) {
    // then run node without --security-revert
} else {
    // then run node WITH "--security-revert=CVE-2023-46809"
}

@mhdawson
Copy link
Member

Is the issue that you have different versions of Node.js, some which support --security-revert=CVE-2023-46809 and some that are older and don't?

Or

Is the issue that some versions of OpenSSL have the fix, which Node.js detects, and therefore --security-revert=CVE-2023-46809 is unnecessary even though it is supported?

@intersides
Copy link
Author

intersides commented Mar 26, 2024

It is not about the version of Node.js, since it is running in a Docker image based on v21, but it is affected by the architecture the Docker image is built for.
The same Docker image with Node version 21 will throw the error. If it is on an x86_64-based EC2 instance it will not. If it is on macOS with Apple Silicon or on an ARM-based EC2 instance it will.

@mhdawson
Copy link
Member

The same Docker image with Node version 21 will throw the error or not. If it is on an x86_64-based EC2 instance it will not. If it is on macOS with Apple Silicon or on an ARM-based EC2 instance it will.

This is the part that does not make sense to me. For a given version of Node.js, either the --security-revert flag is available or it is not.

@intersides
Copy link
Author

Initially I was writing a bash script that used --security-revert based on the detected architecture:

#!/bin/bash

# Detect the CPU architecture of the host the container is running on
arch=$(uname -m)

echo "arch is $arch"

run_command="pm2 start main.mjs --no-daemon"

if [[ "$arch" == "x86_64" ]]; then
    echo "can run without fix"
else
    echo "should run with fix since architecture is $arch"
    run_command="pm2 start main.mjs --node-args=\"--security-revert=CVE-2023-46809\" --no-daemon"
fi

echo "run as $run_command"

Then I changed to the preflight approach so as not to bother about the architecture:

#!/bin/bash

CVE_revert=true

# Do a preflight to determine whether this node build supports reverting CVE-2023-46809.
# NOTE: 2>&1 redirects standard error to standard output so the error text can be matched.
PREFLIGHT_OUTPUT=$(node --security-revert=CVE-2023-46809 --eval "console.log('OK');" 2>&1)

if [[ $PREFLIGHT_OUTPUT == *"Attempt to revert an unknown CVE"* ]]; then
  CVE_revert=false
fi

echo "reverting CVE-2023-46809 support: $CVE_revert"

# Build the command as an array so the --node-args value survives word splitting
# without needing eval and the nested escaped quotes.
run_command=(npx pm2 start main.mjs --no-daemon)
if [[ $CVE_revert == true ]]; then
   run_command=(npx pm2 start main.mjs --node-args="--security-revert=CVE-2023-46809" --no-daemon)
fi

echo "running as: ${run_command[*]}"

# exec replaces this shell so pm2 becomes the container's main process and receives signals directly
exec "${run_command[@]}"

This script runs inside a Docker container that installs Node.js 21:

FROM python:3

RUN pip3 install pandas openpyxl xgboost==1.4.2 scikit-learn

# Install Node.js 21 from the NodeSource repository
RUN curl --silent --location https://deb.nodesource.com/setup_21.x | bash -
RUN apt-get update && apt-get upgrade -y && \
    apt-get install -y nodejs vim && \
    rm -rf /var/lib/apt/lists/*

# WORKDIR creates the directory, so a separate mkdir is not needed
WORKDIR /opt/backend

# COPY rather than ADD: ADD also unpacks archives and fetches URLs, which is not wanted here
COPY . /opt/backend

RUN npm i --verbose

EXPOSE 3000

RUN chmod +x docker-run.sh

CMD ["./docker-run.sh"]
