Node 18 reads openssl.cnf from /home/iojs/build/... upon startup on MacOS
Posted: Mon Jan 13, 2025 4:38 am
Similar to https://hackerone.com/reports/1623175 it looks like in Node 18 and later, when it starts
it attempts to read /home/iojs/build/ws/out/Release/obj.target/deps/openssl/openssl.cnf on MacOS which ordinarily doesn't exist. This is even after the fix for linux.
The attack would be an attacker with access to a shared MacOS host with a self-chosen username (iojs) being able to affect the OpenSSF configuration of other users. I believe the iojs home directory is something configured within the Node.js build/CI pipeline, as opposed to something internal to OpenSSL.
https://hackerone.com/reports/1695596
it attempts to read /home/iojs/build/ws/out/Release/obj.target/deps/openssl/openssl.cnf on MacOS which ordinarily doesn't exist. This is even after the fix for linux.
The attack would be an attacker with access to a shared MacOS host with a self-chosen username (iojs) being able to affect the OpenSSF configuration of other users. I believe the iojs home directory is something configured within the Node.js build/CI pipeline, as opposed to something internal to OpenSSL.
https://hackerone.com/reports/1695596