fix(node): avoid PATH-dependent shell execution in musl probe #11

Open
NeerajCodz wants to merge 1 commit into main from codex/fix-command-execution-vulnerability-in-node-loader

@NeerajCodz (Contributor)

Motivation

  • The Node loader's fallback in isMusl() used child_process.execSync('which ldd'), which invokes a shell and resolves which through PATH, enabling local PATH-poisoning to execute attacker-controlled binaries during module import on older Node runtimes.
  • The musl probe is invoked during Linux native binding selection, so importing the generated N-API loader could trigger this command execution.

Description

  • Replace the PATH-dependent execSync('which ldd') probe with a safe fixed-path check that inspects /usr/bin/ldd and /bin/ldd using existsSync and readFileSync in bindings/node/index.js.
  • Preserve the existing fallback behavior by returning true on probe errors and leave the remaining loader selection logic unchanged.

Testing

  • Ran node --check bindings/node/index.js to validate the modified file is syntactically valid, and it succeeded.
  • No other automated tests were modified or required for this change.

Codex Task
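
The fixed-path probe described in this pull request, sketched as an added example (not the code from the PR or the project). `isMuslByFixedPath`, `fakeFs` and the sample ldd contents are hypothetical and constructed, and treating a missing ldd as musl is an assumption.

```javascript
// Added example, not the project's code. All names are hypothetical.

// Absolute candidates only: nothing is resolved through PATH,
// and no shell or child process is started.
const LDD_CANDIDATES = ['/usr/bin/ldd', '/bin/ldd']

// Returns true when the first ldd found at a fixed path mentions musl.
// `fs` is injectable so the probe can be exercised without touching the host.
function isMuslByFixedPath(candidates = LDD_CANDIDATES, fs = require('fs')) {
  try {
    for (const lddPath of candidates) {
      // Skip relative entries: they would be resolved against the cwd.
      if (typeof lddPath !== 'string' || !lddPath.startsWith('/')) continue
      if (!fs.existsSync(lddPath)) continue
      return fs.readFileSync(lddPath, 'utf8').includes('musl')
    }
    // Assumption: no ldd at any candidate is handled like a probe error.
    return true
  } catch (e) {
    // Fallback the PR description preserves: a probe error means "musl".
    return true
  }
}

// Constructed stand-ins for a musl and a glibc ldd script.
const SAMPLE_MUSL_LDD = '#!/bin/sh\nexec /lib/ld-musl-x86_64.so.1 --list "$@"\n'
const SAMPLE_GLIBC_LDD = '#!/bin/bash\nRTLDLIST="/lib64/ld-linux-x86-64.so.2"\n'

// In-memory fs built from a { path: contents } map; null marks an unreadable file.
function fakeFs(files) {
  return {
    existsSync: (p) => Object.prototype.hasOwnProperty.call(files, p),
    readFileSync: (p) => {
      if (files[p] === null) throw new Error('EACCES: ' + p)
      return files[p]
    },
  }
}

function demo() {
  return {
    musl: isMuslByFixedPath(LDD_CANDIDATES, fakeFs({ '/usr/bin/ldd': SAMPLE_MUSL_LDD })),
    glibc: isMuslByFixedPath(LDD_CANDIDATES, fakeFs({ '/bin/ldd': SAMPLE_GLIBC_LDD })),
    missing: isMuslByFixedPath(LDD_CANDIDATES, fakeFs({})),
    unreadable: isMuslByFixedPath(LDD_CANDIDATES, fakeFs({ '/usr/bin/ldd': null })),
  }
}

console.log(demo())
```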
