Node.js Security Advisory: libuv – Incorrect Revocation Order While Relinquishing Privileges


Share

A security vulnerability that potentially allows for local privilege escalation was recently announced (CVE-2015-0278). This affects node v0.10.36 and earlier.

It was found v0.10.36 and earlier that libuv did not call setgroups before calling setuid/setgid when spawning a child process. The child process might retain the privileges that were supposed to be dropped. This is fixed by also calling setgroups which removes any extraneous groups and drop the user to the expected privileges.

This security issue affects node applications that create child processes, while using the setuid or setgid option to limit the privileges that the child process has. Applications that do not use this feature are unaffected.
 
The newly released v0.10.37 has a fix to this above issue and can be downloaded from http://nodejs.org/dist/v0.10.37.

Please see the original bug report for more details and let me know if you have any further questions.

Subscribe to this thread in Google Groups to be notified of any security advisories related to Node.js and io.js from StrongLoop.

Using Dependency Injection in Your JavaScript Unit Tests with Rewire

Editor: Check out this guest blog post by Igor Ribeiro Lima on how to perform JavaScript unit testing using dependency injection.

You probably already know that to do JavaScript testing well, you need to make sure you are testing the following:

  • Injecting mocks for other modules
  • Leaking private variables
  • Overriding variables within the module

rewire is a tool for helping test for the above. It provides an easy way to perform dependency injection, plus adds a special setter and getter to modules so you can modify their behaviour. What rewire doesn’t do is load the file and evaluate the contents to emulate the require mechanism. It actually uses Node’s own require to load the module.

To get started with dependency injection, we’ll create a twitter rest api server and do unit tests using mocks and overriding variables within modules. This example will focus on back-end unit testing, but if you want to use rewire also on the client-side take a look at client-side bundlers.

Read more

JavaScript ES6 Variable Declarations with let and const

Everyone in the JavaScript world is talking about ECMAScript 6 (ES6, a.k.a. ES 2015) and the big changes coming to objects (class, super(), etc), functions (default params, etc), and modules (import/export), but less attention is being given to variables and how they are declared. In fact, some attention is being given, but perhaps without the right focus. I recently attended the jQuery UK conference where Dave Methvin gave a nice overview of ES6, with some great attention on let and const.

In this article I wanted to cover these two new keywords for declaring variables and differentiate them from var. And possibly more importantly, I want to identify what some folks are considering the new standard for declaring variables in ES6. The basic idea here is that let should, in time, replace var as the default declaration keyword. In fact, according to some, var should simply not be used at all in new code. The const keyword should be used for any variable where the reference should never be changed, and let for anything else.

Read more

Getting Started with the Saucie CLI to Make Cross Browser Testing Easier

Editor: Check out this guest blog post by Igor Ribeiro Lima on how use the commandline to perform cross browser testing.

We all know that testing your JavaScript code is a good thing, but one of the hurdles to overcome is how to test the code on different browsers. With this challenge in mind I developed a CLI tool named saucie. This CLI is a library hosted on NPM which allows you to integrate your frontend JavaScript tests with SauceLabs platform. SauceLabs already has awesome cross browser testing, and saucie makes it easier to do that cross browser testing via a CLI.

Read more

Testing and Documenting Node.js APIs with Mocha and Acquit

When people build REST APIs with Express, testing and documentation are often an afterthought. The situation with testing your documentation is often even worse. When’s the last time you built an automated testing system for your documentation’s examples? When I sat down to write acquit, I wanted a simple tool to generate documentation from mocha tests for mongoose. But, the paradigm of generating documentation from tests is even more useful for API-level integration tests. In this article, I’ll explain what API-level integration tests are and how to use acquit to parse integration tests into documentation.

Read more