fix(builtin): fix node patches subprocess sandbox propagation #2017
Two fixes here.

Set `--preserve-symlinks --preserve-symlinks-main` in the generated `_node_bin/node` which comes from `${process.env.NODE_REPOSITORY_ARGS}`. This will prevent the `--require /path/to/node_patches.js` from being resolved to its location outside of the sandbox.

However, if `preserve_symlinks=false`, which is still an option, the 2nd fix is to honour the value of `NP_SUBPROCESS_NODE_DIR` when running `node_patches.js` for the subprocess. Even if `node_patches.js` is resolved to outside of the sandbox for the subprocess and runs from there, it will still look for `_node_bin/node` within the sandbox.

The two fixes will prevent the `process.argv[0]` && `process.execPath` from being set to an invalid path outside of the sandbox such as `/private/var/tmp/_bazel_gregmagolan/85775d8edd310fbe8df608eb90377ae5/external/build_bazel_rules_nodejs/internal/node/_node_bin/node` in `internal/node/node_patches.js` (which comes from `packages/node-patches/src/subprocess.ts`):

if this does happen then the failure mode is `/private/var/tmp/_bazel_gregmagolan/85775d8edd310fbe8df608eb90377ae5/external/build_bazel_rules_nodejs/internal/node/_node_bin/node ENOENT`:

PR Checklist
Please check if your PR fulfills the following requirements:
PR Type
What kind of change does this PR introduce?
What is the current behavior?
Issue Number: N/A
What is the new behavior?
Does this PR introduce a breaking change?
Other information
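
The failure mode and the second fix from the description above, reproduced on a constructed directory layout. This is an added example, not code from this PR or from the project: `resolveNodeDir`, `isInside` and `demo` are hypothetical names, and it assumes `NP_SUBPROCESS_NODE_DIR` holds the sandboxed `_node_bin` directory.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// Hypothetical helper: pick the directory that holds the node wrapper.
// Assumption: NP_SUBPROCESS_NODE_DIR holds the sandboxed _node_bin directory.
function resolveNodeDir(scriptDir, env) {
  if (env.NP_SUBPROCESS_NODE_DIR) return env.NP_SUBPROCESS_NODE_DIR;
  return path.join(scriptDir, '_node_bin'); // fallback: next to the patch script
}

// True when candidate is strictly below root.
function isInside(root, candidate) {
  const rel = path.relative(root, candidate);
  return rel !== '' && rel.split(path.sep)[0] !== '..' && !path.isAbsolute(rel);
}

// Constructed layout: real files under <tmp>/external, symlinked into <tmp>/sandbox.
function demo() {
  const tmp = fs.realpathSync(fs.mkdtempSync(path.join(os.tmpdir(), 'np-demo-')));
  const sandboxRoot = path.join(tmp, 'sandbox');
  const external = path.join(tmp, 'external', 'internal', 'node');
  const sandboxed = path.join(sandboxRoot, 'internal', 'node');
  const nodeBin = path.join(sandboxed, '_node_bin');
  fs.mkdirSync(external, { recursive: true });
  fs.mkdirSync(nodeBin, { recursive: true });
  fs.writeFileSync(path.join(external, 'node_patches.js'), '');
  fs.writeFileSync(path.join(nodeBin, 'node'), '');
  fs.symlinkSync(path.join(external, 'node_patches.js'), path.join(sandboxed, 'node_patches.js'));

  // With symlinks not preserved, the script's directory is its real location.
  const realDir = path.dirname(fs.realpathSync(path.join(sandboxed, 'node_patches.js')));
  const fallback = path.join(resolveNodeDir(realDir, {}), 'node');
  const honoured = path.join(resolveNodeDir(realDir, { NP_SUBPROCESS_NODE_DIR: nodeBin }), 'node');
  const result = {
    fallbackInside: isInside(sandboxRoot, fallback),
    fallbackExists: fs.existsSync(fallback), // false: spawning it would fail with ENOENT
    honouredInside: isInside(sandboxRoot, honoured),
    honouredExists: fs.existsSync(honoured),
  };
  fs.rmSync(tmp, { recursive: true, force: true });
  return result;
}

console.log(demo());
```

The same `isInside` check can be used as a guard before spawning, to fail early when the computed `process.execPath` would point outside the sandbox root.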