lib: makeRequireFunction patch when experimental policy

Signed-off-by: RafaelGSS <[email protected]>
CVE-ID: CVE-2023-23918
PR-URL: #358
Co-authored-by: Bradley Farias <[email protected]>
Reviewed-by: Bradley Farias <[email protected]>
Reviewed-by: Michael Dawson <[email protected]>

Author: RafaelGSS

lib/internal/modules/cjs/loader.js

@@ -230,10 +230,9 @@ function Module(id = '', parent) {
   if (manifest) {
     const moduleURL = pathToFileURL(id);
     redirects = manifest.getDependencyMapper(moduleURL);
+    // TODO(rafaelgss): remove the necessity of this branch
+    setOwnProperty(this, 'require', makeRequireFunction(this, redirects));
   }
-  setOwnProperty(this, 'require', makeRequireFunction(this, redirects));
-  // Loads a module at the given file path. Returns that module's
-  // `exports` property.
   this[require_private_symbol] = internalRequire;
 }
 
@@ -1144,6 +1143,23 @@ Module.prototype.load = function(filename) {
     cascadedLoader.cjsCache.set(this, exports);
 };
 
+// Loads a module at the given file path. Returns that module's
+// `exports` property.
+// Note: when using the experimental policy mechanism this function is overridden
+Module.prototype.require = function(id) {
+  validateString(id, 'id');
+  if (id === '') {
+    throw new ERR_INVALID_ARG_VALUE('id', id,
+                                    'must be a non-empty string');
+  }
+  requireDepth++;
+  try {
+    return Module._load(id, this, /* isMain */ false);
+  } finally {
+    requireDepth--;
+  }
+};
+
 // Resolved path to process.argv[1] will be lazily placed here
 // (needed for setting breakpoint when called with --inspect-brk)
 let resolvedArgv;
@@ -1212,10 +1228,11 @@ function wrapSafe(filename, content, cjsModuleInstance) {
 // Returns exception, if any.
 Module.prototype._compile = function(content, filename) {
   let moduleURL;
+  let redirects;
   const manifest = policy()?.manifest;
   if (manifest) {
     moduleURL = pathToFileURL(filename);
-    manifest.getDependencyMapper(moduleURL);
+    redirects = manifest.getDependencyMapper(moduleURL);
     manifest.assertIntegrity(moduleURL, content);
   }
 
@@ -1245,17 +1262,18 @@ Module.prototype._compile = function(content, filename) {
     }
   }
   const dirname = path.dirname(filename);
+  const require = makeRequireFunction(this, redirects);
   let result;
   const exports = this.exports;
   const thisValue = exports;
   const module = this;
   if (requireDepth === 0) statCache = new SafeMap();
   if (inspectorWrapper) {
     result = inspectorWrapper(compiledWrapper, thisValue, exports,
-                              module.require, module, filename, dirname);
+                              require, module, filename, dirname);
   } else {
     result = ReflectApply(compiledWrapper, thisValue,
-                          [exports, module.require, module, filename, dirname]);
+                          [exports, require, module, filename, dirname]);
   }
   hasLoadedAnyUserCJSModule = true;
   if (requireDepth === 0) statCache = null;

lib/internal/modules/helpers.js

@@ -115,7 +115,8 @@ function makeRequireFunction(mod, redirects) {
     };
   } else {
     require = function require(path) {
-      return mod[require_private_symbol](mod, path);
+      // When no policy manifest, the original prototype.require is sustained
+      return mod.require(path);
     };
   }