add DisableInteractiveMode code integrity setting

rdw-msft · rdw-msft · commit 05e012fd83f9 · 2024-10-29T10:26:17.000-07:00
diff --git a/lib/internal/code_integrity.js b/lib/internal/code_integrity.js
@@ -1,16 +1,28 @@
 'use strict';
 
+const { emitWarning } = require('internal/process/warning');
+
 let isCodeIntegrityEnforced;
 let alreadyQueriedSystemCodeEnforcmentMode = false;
 
 const {
   isFileTrustedBySystemCodeIntegrityPolicy,
+  isInteractiveModeDisabled,
   isSystemEnforcingCodeIntegrity,
 } = internalBinding('code_integrity');
 
 function isAllowedToExecuteFile(filepath) {
   if (!alreadyQueriedSystemCodeEnforcmentMode) {
     isCodeIntegrityEnforced = isSystemEnforcingCodeIntegrity();
+
+    if (isCodeIntegrityEnforced) {
+      emitWarning(
+        'Code integrity is being enforced by system policy.' +
+      '\nCode integrity is an experimental feature.' +
+      ' See docs for more info.',
+        'ExperimentalWarning');
+    }
+
     alreadyQueriedSystemCodeEnforcmentMode = true;
   }
 
@@ -24,5 +36,6 @@ function isAllowedToExecuteFile(filepath) {
 module.exports = {
   isAllowedToExecuteFile,
   isFileTrustedBySystemCodeIntegrityPolicy,
+  isInteractiveModeDisabled,
   isSystemEnforcingCodeIntegrity,
 };
diff --git a/lib/internal/main/eval_string.js b/lib/internal/main/eval_string.js
@@ -25,7 +25,7 @@ const {
 } = require('internal/errors');
 
 const ci = require('internal/code_integrity');
-if (ci.isSystemEnforcingCodeIntegrity()) {
+if (ci.isInteractiveModeDisabled()) {
   throw new ERR_CODE_INTEGRITY_BLOCKED('"eval"');
 }
 
diff --git a/src/node_code_integrity.cc b/src/node_code_integrity.cc
@@ -22,6 +22,8 @@ static pfnWldpGetApplicationSettingBoolean WldpGetApplicationSettingBoolean;
 static pfnWldpQuerySecurityPolicy WldpQuerySecurityPolicy;
 static PCWSTR NODEJS = L"Node.js";
 static PCWSTR ENFORCE_CODE_INTEGRITY_SETTING_NAME = L"EnforceCodeIntegrity";
+static PCWSTR DISABLE_INTERPRETIVE_MODE_SETTING_NAME =
+  L"DisableInteractiveMode";
 
 void InitWldp(Environment* env) {
   if (isWldpInitialized) {
@@ -101,6 +103,66 @@ static void IsFileTrustedBySystemCodeIntegrityPolicy(
   args.GetReturnValue().Set(isFileTrusted);
 }
 
+static void IsInteractiveModeDisabled(
+  const FunctionCallbackInfo<Value>& args) {
+  CHECK_EQ(args.Length(), 0);
+
+  Environment* env = Environment::GetCurrent(args);
+
+  if (!isWldpInitialized) {
+    InitWldp(env);
+  }
+
+  if (WldpGetApplicationSettingBoolean != nullptr) {
+    BOOL ret;
+    HRESULT hr = WldpGetApplicationSettingBoolean(
+      NODEJS,
+      DISABLE_INTERPRETIVE_MODE_SETTING_NAME,
+      &ret);
+
+    if (SUCCEEDED(hr)) {
+      args.GetReturnValue().Set(
+        Boolean::New(env->isolate(), ret));
+      return;
+    } else if (hr != E_NOTFOUND) {
+      // If the setting is not found, continue through to attempt
+      // WldpQuerySecurityPolicy, as the setting may be defined
+      // in the old settings format
+      args.GetReturnValue().Set(Boolean::New(env->isolate(), false));
+      return;
+    }
+  }
+
+  // WldpGetApplicationSettingBoolean is the preferred way for applications to
+  // query security policy values. However, this method only exists on Windows
+  // versions going back to circa Win10 2023H2. In order to support systems
+  // older than that (down to Win10RS2), we can use the deprecated
+  // WldpQuerySecurityPolicy
+  if (WldpQuerySecurityPolicy != nullptr) {
+    DECLARE_CONST_UNICODE_STRING(providerName, L"Node.js");
+    DECLARE_CONST_UNICODE_STRING(keyName, L"Settings");
+    DECLARE_CONST_UNICODE_STRING(valueName, L"DisableInteractiveMode");
+    WLDP_SECURE_SETTING_VALUE_TYPE valueType =
+      WLDP_SECURE_SETTING_VALUE_TYPE_BOOLEAN;
+    ULONG valueSize = sizeof(int);
+    int ret = 0;
+    HRESULT hr = WldpQuerySecurityPolicy(
+              &providerName,
+              &keyName,
+              &valueName,
+              &valueType,
+              &ret,
+              &valueSize);
+    if (FAILED(hr)) {
+      args.GetReturnValue().Set(Boolean::New(env->isolate(), false));
+      return;
+    }
+
+    args.GetReturnValue().Set(
+        Boolean::New(env->isolate(), static_cast<bool>(ret)));
+  }
+}
+
 static void IsSystemEnforcingCodeIntegrity(
   const FunctionCallbackInfo<Value>& args) {
   CHECK_EQ(args.Length(), 0);
@@ -168,6 +230,11 @@ static void IsFileTrustedBySystemCodeIntegrityPolicy(
     args.GetReturnValue().Set(true);
 }
 
+static void IsInterpretiveModeDisabled(
+  const FunctionCallbackInfo<Value>& args) {
+    args.GetReturnValue().Set(false);
+}
+
 static void IsSystemEnforcingCodeIntegrity(
   const FunctionCallbackInfo<Value>& args) {
     args.GetReturnValue().Set(false);
@@ -184,6 +251,12 @@ void Initialize(Local<Object> target,
     "isFileTrustedBySystemCodeIntegrityPolicy",
     IsFileTrustedBySystemCodeIntegrityPolicy);
 
+  SetMethod(
+    context,
+    target,
+    "isInteractiveModeDisabled",
+    IsInteractiveModeDisabled);
+
   SetMethod(
     context,
     target,
@@ -193,6 +266,7 @@ void Initialize(Local<Object> target,
 
 void RegisterExternalReferences(ExternalReferenceRegistry* registry) {
   registry->Register(IsFileTrustedBySystemCodeIntegrityPolicy);
+  registry->Register(IsInteractiveModeDisabled);
   registry->Register(IsSystemEnforcingCodeIntegrity);
 }
 

Original file line number	Diff line number	Diff line change
`@@ -25,7 +25,7 @@ const {`
`25`	`25`	`} = require('internal/errors');`
`26`	`26`
`27`	`27`	`const ci = require('internal/code_integrity');`
`28`		`-if (ci.isSystemEnforcingCodeIntegrity()) {`
	`28`	`+if (ci.isInteractiveModeDisabled()) {`
`29`	`29`	`throw new ERR_CODE_INTEGRITY_BLOCKED('"eval"');`
`30`	`30`	`}`
`31`	`31`