test(jest): revert CVE-2023-46809 to allow openpgp tests to pass (#…

…27409)
renovatebot · Feb 19, 2024 · 23f3df6 · 23f3df6
1 parent 7103ecd
commit 23f3df6
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 5 deletions.
diff --git a/package.json b/package.json
@@ -27,11 +27,9 @@
     "generate": "run-s 'generate:*'",
     "generate:imports": "node tools/generate-imports.mjs",
     "git-check": "node tools/check-git-version.mjs",
-    "jest": "NODE_OPTIONS=\"--experimental-vm-modules\" LOG_LEVEL=fatal GIT_ALLOW_PROTOCOL=file jest --logHeapUsage",
-    "jest:vscode": "NODE_OPTIONS=\"$NODE_OPTIONS --experimental-vm-modules\" LOG_LEVEL=fatal GIT_ALLOW_PROTOCOL=file jest --logHeapUsage",
-    "jest:14": "run-s 'jest {@}' --",
-    "jest:16": "run-s 'jest {@}' --",
-    "jest-debug": "NODE_OPTIONS=\"--inspect-brk --experimental-vm-modules\" jest --testTimeout=100000000",
+    "jest": "node tools/jest.mjs",
+    "jest:vscode": "node tools/jest.mjs",
+    "jest-debug": "NODE_OPTIONS='$NODE_OPTIONS --inspect-brk' node tools/jest.mjs --testTimeout=100000000",
     "lint": "run-s ls-lint type-check eslint prettier markdown-lint git-check doc-fence-check",
     "lint-fix": "run-s eslint-fix prettier-fix markdown-lint-fix",
     "ls-lint": "ls-lint",

diff --git a/tools/jest.mjs b/tools/jest.mjs
@@ -0,0 +1,28 @@
+import { spawnSync } from 'node:child_process';
+import { argv, env, version } from 'node:process';
+import semver from 'semver';
+
+// needed for tests
+env.GIT_ALLOW_PROTOCOL = 'file';
+// reduce logging
+env.LOG_LEVEL = 'fatal';
+
+const args = ['--experimental-vm-modules'];
+
+/*
+ * openpgp encryption is broken because it needs PKCS#1 v1.5
+ * - #27375
+ * - https://nodejs.org/en/blog/vulnerability/february-2024-security-releases#nodejs-is-vulnerable-to-the-marvin-attack-timing-variant-of-the-bleichenbacher-attack-against-pkcs1-v15-padding-cve-2023-46809---medium
+ *
+ * Sadly there is no way to suppress `SECURITY WARNING: Reverting CVE-2023-46809: Marvin attack on PKCS#1 padding` warining
+ */
+if (semver.satisfies(version, '^18.19.1 || ^20.11.1 || >=21.6.2')) {
+  args.push('--security-revert=CVE-2023-46809');
+}
+
+args.push('node_modules/jest/bin/jest.js', '--logHeapUsage');
+
+// add other args after `node tools/jest.mjs`
+args.push(...argv.slice(2));
+
+spawnSync('node', args, { stdio: 'inherit', env });