Skip to content

Commit

Permalink
win,msi: set install directory permission
Browse files Browse the repository at this point in the history 
Explicitly set permission for Windows install directory.

CVE-ID: CVE-2021-22921
Refs: https://hackerone.com/reports/1211160
PR-URL: nodejs-private/node-private#269
Reviewed-By: Matteo Collina <[email protected]>
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: Rich Trott <[email protected]>
  • Loading branch information
@kumarak @richardlau
kumarak authored and richardlau committed Jun 28, 2021
1 parent a7496ab commit d0b449d
Showing 1 changed file with 23 additions and 0 deletions.
23 changes: 23 additions & 0 deletions tools/msvs/msi/product.wxs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,13 @@
<Property Id="ApplicationFolderName" Value="nodejs"/>
<Property Id="WIXUI_INSTALLDIR" Value="INSTALLDIR"/>

<!-- PropertyRef of the account users for setting InstallDir permission explicitly -->
<Property Id="AUTHENTICATED_USERS" Value="Authenticated Users"/>

This comment has been minimized.

Sign in to view

Copy link
@striezel

striezel Jul 1, 2021

@kumarak + @richardlau:
Should Value="Authenticated Users" really be hard-coded here? In Windows installations that do not run with English as current language that may cause problems.

This comment has been minimized.

Sign in to view

Copy link
@richardlau

richardlau Jul 1, 2021

Member

Probably not.

cc @nodejs/platform-windows

This comment has been minimized.

Sign in to view

Copy link
@Trott

Trott Jul 3, 2021
edited
Loading

Member

For the benefit of anyone coming to this thread at a later date: #39241

<PropertyRef Id="WIX_ACCOUNT_LOCALSYSTEM" />
<PropertyRef Id="WIX_ACCOUNT_USERS" />
<PropertyRef Id="WIX_ACCOUNT_ADMINISTRATORS" />

<Property Id="INSTALLDIR" Secure="yes">
<RegistrySearch Id="InstallPathRegistry"
Type="raw"
Expand Down Expand Up @@ -73,6 +80,7 @@
<ComponentRef Id="NodeStartMenu"/>
<ComponentRef Id="AppData" />
<ComponentRef Id="InstallToolsBat" />
<ComponentRef Id="SetInstallDirPermission" />
<ComponentGroupRef Id="Product.Generated"/>

<Feature Id="NodeEtwSupport"
Expand All @@ -93,6 +101,7 @@
<ComponentRef Id="NpxBashScript"/>
<ComponentRef Id="NpmConfigurationFile"/>
<ComponentRef Id="AppData" />
<ComponentRef Id="SetInstallDirPermission" />
<ComponentGroupRef Id="NpmSourceFiles"/>
</Feature>

Expand Down Expand Up @@ -169,6 +178,20 @@
<?endif?>
</DirectoryRef>

<DirectoryRef Id="INSTALLDIR">
<!-- Create component for setting the install directory permission explicitly -->
<Component Id="SetInstallDirPermission" Guid="{EFFC4F74-183A-4237-BBD7-0CAD2B950053}">
<CreateFolder>
<Permission User="[WIX_ACCOUNT_USERS]" GenericRead="yes" Traverse="yes" GenericExecute="yes" Synchronize="yes"
GenericWrite="no" WriteAttributes="no" WriteExtendedAttributes="no"/>
<Permission User="[AUTHENTICATED_USERS]" GenericRead="yes" Traverse="yes" GenericExecute="yes" Synchronize="yes"
GenericWrite="no" WriteAttributes="no" WriteExtendedAttributes="no"/>
<Permission User="[WIX_ACCOUNT_ADMINISTRATORS]" GenericAll="yes"/>
<Permission User="[WIX_ACCOUNT_LOCALSYSTEM]" GenericAll="yes"/>
</CreateFolder>
</Component>
</DirectoryRef>

<DirectoryRef Id="ApplicationProgramsFolder">
<Component Id="NodeStartMenu">
<!-- RegistryValue needed because every Component must have a KeyPath.
Expand Down

0 comments on commit d0b449d

Please sign in to comment.