src: add WDAC integration (Windows)

Add calls to Windows Defender Application Control
to enforce integrity of .js, .json, .node files.

add typings. fix version number

add integrity checks to esm loader

fix esm code integrity tests

only load code integrity module on Windows

address typings feedback

fix readability and formatting

fix naming conventions

fix error in merge

fix formatting

properly load isWindows

fix formatting

remove code_integrity from builtins on non windows

fix spacing before comment

only load code integrity module on Windows

clarify docs

fix comment

fix ordering of links

Author: rdw-msft

doc/api/code_integrity.md

@@ -0,0 +1,138 @@
+# Code Integrity
+
+<!--introduced_in=REPLACEME-->
+
+<!-- type=misc -->
+
+> Stability: 1.1 - Active development
+
+This feature is only available on Windows platforms.
+
+Code integrity refers to the assurance that software code has not been
+altered or tampered with in any unauthorized way. It ensures that
+the code running on a system is exactly what was intended by the developers.
+
+Code integrity in Node.js integrates with platform features for code integrity
+policy enforcement. See platform speficic sections below for more information.
+
+The Node.js threat model considers the code that the runtime executes to be
+trusted. As such, this feature is an additional safety belt, not a strict
+security boundary.
+
+If you find a potential security vulnerability, please refer to our
+[Security Policy][].
+
+## Code Integrity on Windows
+
+Code integrity is an opt-in feature that leverages Window Defender Application Control
+to verify the code executing conforms to system policy and has not been modified since
+signing time.
+
+There are three audiences that are involved when using Node.js in an
+environment enforcing code integrity: the application developers,
+those administrating the system enforcing code integrity, and
+the end user. The following sections describe how each audience
+can interact with code integrity enforcement.
+
+### Windows Code Integrity and Application Developers
+
+Windows Defender Application Control uses digital signatures to verify
+a file's integrity. Application developers are responsible for generating and
+distributing the signature information for their Node.js application.
+Application developers are also expected to design their application
+in robust ways to avoid unintended code execution. This includes
+avoiding the use of `eval` and avoiding loading modules outside
+of standard methods.
+
+Signature information for files which Node.js is intended to execute
+can be stored in a catalog file. Application developers can generate
+a Windows catalog file to store the hash of all files Node.js
+is expected to execute.
+
+A catalog can be generated using the `New-FileCatalog` Powershell
+cmdlet. For example
+
+```powershell
+New-FileCatalog -Version 2 -CatalogFilePath MyApplicationCatalog.cat -Path \my\application\path\
+```
+
+The `Path` argument should point to the root folder containing your application's code. If
+your application's code is fully contained in one file, `Path` can point to that single file.
+
+Be sure that the catalog is generated using the final version of the files that you intend to ship
+(i.e. after minifying).
+
+The application developer should then sign the generated catalog with their Code Signing certificate
+to ensure the catalog is not tampered with between distribution and execution.
+
+This can be done with the [Set-AuthenticodeSignature commandlet][].
+
+### Windows Code Integrity and System Administrators
+
+This section is intended for system administrators who want to enable Node.js
+code integrity features in their environments.
+
+This section assumes familiarity with managing WDAC polcies.
+[Official documentation for WDAC][].
+
+Code integrity enforcement on Windows has two toggleable settings:
+`EnforceCodeIntegrity` and `DisableInteractiveMode`. These settings are configured
+by WDAC policy.
+
+`EnforceCodeIntegrity` causes Node.js to call WldpCanExecuteFile whenever a module is loaded using `require`.
+WldpCanExecuteFile verifies that the file's integrity has not been tampered with from signing time.
+The system administrator should sign and install the application's file catalog where the application
+is running, per WDAC guidance.
+
+`DisableInteractiveMode` prevents Node.js from being run in interactive mode, and also disables the `-e` and `--eval`
+command line options.
+
+#### Enabling Code Integrity Enforcement
+
+On newer Windows versions (22H2+), the preferred method of configuring application settings is done using
+`AppSettings` in your WDAC Policy.
+
+```text
+<AppSettings>
+  <App Manifest="wdac-manifest.xml">
+    <Setting Name="EnforceCodeIntegrity" >
+      <Value>True</Value>
+    </Setting>
+    <Setting Name="DisableInteractiveMode" >
+      <Value>True</Value>
+    </Setting>
+  </App>
+</AppSettings>
+```
+
+On older Windows versions, use the `Settings` section of your WDAC Policy.
+
+```text
+<Settings>
+  <Setting Provider="Node.js" Key="Settings" ValueName="EnforceCodeIntegrity">
+    <Value>
+      <Boolean>true</Boolean>
+    </Value>
+  </Setting>
+  <Setting Provider="Node.js" Key="Settings" ValueName="DisableInteractiveMode">
+    <Value>
+      <Boolean>true</Boolean>
+    </Value>
+  </Setting>
+</Settings>
+```
+
+## Code Integrity on Linux
+
+Code integrity on Linux is not yet implemented. Plans for implementation will
+be made once the necessary APIs on Linux have been upstreamed. More information
+can be found here: <https://github.com/nodejs/security-wg/issues/1388>
+
+## Code Integrity on MacOS
+
+Code integrity on MacOS is not yet implemented. Currently, there is no
+timeline for implementation.
+
+[Official documentation for WDAC]: https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/
+[Security Policy]: https://github.com/nodejs/node/blob/main/SECURITY.md
+[Set-AuthenticodeSignature commandlet]: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-authenticodesignature

doc/api/errors.md

@@ -794,6 +794,22 @@ changes:
 There was an attempt to use a `MessagePort` instance in a closed
 state, usually after `.close()` has been called.
 
+<a id="ERR_CODE_INTEGRITY_BLOCKED"></a>
+
+### `ERR_CODE_INTEGRITY_BLOCKED`
+
+> Stability: 1.1 - Active development
+
+Feature has been disabled due to OS Code Integrity policy.
+
+<a id="ERR_CODE_INTEGRITY_VIOLATION"></a>
+
+### `ERR_CODE_INTEGRITY_VIOLATION`
+
+> Stability: 1.1 - Active development
+
+JavaScript code intended to be executed was rejected by system code integrity policy.
+
 <a id="ERR_CONSOLE_WRITABLE_STREAM"></a>
 
 ### `ERR_CONSOLE_WRITABLE_STREAM`

doc/api/index.md

@@ -19,6 +19,7 @@
 * [C++ embedder API](embedding.md)
 * [Child processes](child_process.md)
 * [Cluster](cluster.md)
+* [Code integrity](code_integrity.md)
 * [Command-line options](cli.md)
 * [Console](console.md)
 * [Crypto](crypto.md)

doc/api/wdac-manifest.xml

@@ -0,0 +1,7 @@
+<!-- Manifest for WDAC integration on Windows. See docs/api/code_integrity.md for
+more information regarding WDAC and code integrity -->
+<?xml version="1.0" encoding="utf-8"?>
+<AppManifest Id="Node.js" xmlns="urn:schemas-microsoft-com:windows-defender-application-control">
+  <SettingDefinition Name="EnforceCodeIntegrity" Type="Bool" IgnoreAuditPolicies="false"/>
+  <SettingDefinition Name="DisableInteractiveMode" Type="Bool" IgnoreAuditPolicies="false"/>
+</AppManifest>

lib/internal/code_integrity.js

@@ -0,0 +1,44 @@
+// Code integrity is a security feature which prevents unsigned
+// code from executing. More information can be found in the docs
+// doc/api/code_integrity.md
+
+'use strict';
+
+const { emitWarning } = require('internal/process/warning');
+const {
+  isFileTrustedBySystemCodeIntegrityPolicy,
+  isInteractiveModeDisabled,
+  isSystemEnforcingCodeIntegrity,
+} = internalBinding('code_integrity');
+
+let isCodeIntegrityEnforced;
+let alreadyQueriedSystemCodeEnforcmentMode = false;
+
+function isAllowedToExecuteFile(filepath) {
+  if (!alreadyQueriedSystemCodeEnforcmentMode) {
+    isCodeIntegrityEnforced = isSystemEnforcingCodeIntegrity();
+
+    if (isCodeIntegrityEnforced) {
+      emitWarning(
+        'Code integrity is being enforced by system policy.' +
+      '\nCode integrity is an experimental feature.' +
+      ' See docs for more info.',
+        'ExperimentalWarning');
+    }
+
+    alreadyQueriedSystemCodeEnforcmentMode = true;
+  }
+
+  if (!isCodeIntegrityEnforced) {
+    return true;
+  }
+
+  return isFileTrustedBySystemCodeIntegrityPolicy(filepath);
+}
+
+module.exports = {
+  isAllowedToExecuteFile,
+  isFileTrustedBySystemCodeIntegrityPolicy,
+  isInteractiveModeDisabled,
+  isSystemEnforcingCodeIntegrity,
+};

lib/internal/errors.js

@@ -1157,6 +1157,10 @@ E('ERR_CHILD_PROCESS_IPC_REQUIRED',
   Error);
 E('ERR_CHILD_PROCESS_STDIO_MAXBUFFER', '%s maxBuffer length exceeded',
   RangeError);
+E('ERR_CODE_INTEGRITY_BLOCKED',
+  'The feature "%s" is blocked by OS Code Integrity policy', Error);
+E('ERR_CODE_INTEGRITY_VIOLATION',
+  'The file %s did not pass OS Code Integrity validation', Error);
 E('ERR_CONSOLE_WRITABLE_STREAM',
   'Console expects a writable stream instance for %s', TypeError);
 E('ERR_CONTEXT_NOT_INITIALIZED', 'context used is not initialized', Error);

lib/internal/main/eval_string.js

@@ -23,10 +23,24 @@ const {
 const { addBuiltinLibsToObject } = require('internal/modules/helpers');
 const { getOptionValue } = require('internal/options');
 
+const {
+  codes: {
+    ERR_CODE_INTEGRITY_BLOCKED,
+  },
+} = require('internal/errors');
+
 prepareMainThreadExecution();
 addBuiltinLibsToObject(globalThis, '<eval>');
 markBootstrapComplete();
 
+const { isWindows } = require('internal/util');
+if (isWindows) {
+  const ci = require('internal/code_integrity');
+  if (ci.isInteractiveModeDisabled()) {
+    throw new ERR_CODE_INTEGRITY_BLOCKED('"eval"');
+  }
+}
+
 const code = getOptionValue('--eval');
 
 const print = getOptionValue('--print');

lib/internal/modules/cjs/loader.js

@@ -181,6 +181,7 @@ const {
 
 const {
   codes: {
+    ERR_CODE_INTEGRITY_VIOLATION,
     ERR_INVALID_ARG_TYPE,
     ERR_INVALID_ARG_VALUE,
     ERR_INVALID_MODULE_SPECIFIER,
@@ -216,6 +217,11 @@ const onRequire = getLazy(() => tracingChannel('module.require'));
 
 const relativeResolveCache = { __proto__: null };
 
+let ci;
+if (isWindows) {
+  ci = require('internal/code_integrity');
+}
+
 let requireDepth = 0;
 let isPreloading = false;
 let statCache = null;
@@ -1180,6 +1186,13 @@ Module._load = function(request, parent, isMain) {
   // For backwards compatibility, if the request itself starts with node:, load it before checking
   // Module._cache. Otherwise, load it after the check.
   if (StringPrototypeStartsWith(request, 'node:')) {
+
+    if (isWindows) {
+      const isAllowedToExecute = ci.isAllowedToExecuteFile(filename);
+      if (!isAllowedToExecute) {
+        throw new ERR_CODE_INTEGRITY_VIOLATION(filename);
+      }
+    }
     const result = loadBuiltinWithHooks(filename, url, format);
     if (result) {
       return result;
@@ -1210,6 +1223,13 @@ Module._load = function(request, parent, isMain) {
     cachedModule[kModuleCircularVisited] = true;
   }
 
+  if (isWindows) {
+    const isAllowedToExecute = ci.isAllowedToExecuteFile(filename);
+    if (!isAllowedToExecute) {
+      throw new ERR_CODE_INTEGRITY_VIOLATION(filename);
+    }
+  }
+
   if (BuiltinModule.canBeRequiredWithoutScheme(filename)) {
     const result = loadBuiltinWithHooks(filename, url, format);
     if (result) {

lib/internal/modules/esm/load.js

@@ -4,6 +4,7 @@ const {
   RegExpPrototypeExec,
 } = primordials;
 const {
+  isWindows,
   kEmptyObject,
 } = require('internal/util');
 
@@ -13,8 +14,9 @@ const { readFileSync } = require('fs');
 
 const { Buffer: { from: BufferFrom } } = require('buffer');
 
-const { URL } = require('internal/url');
+const { URL, fileURLToPath } = require('internal/url');
 const {
+  ERR_CODE_INTEGRITY_VIOLATION,
   ERR_INVALID_URL,
   ERR_UNKNOWN_MODULE_FORMAT,
   ERR_UNSUPPORTED_ESM_URL_SCHEME,
@@ -24,6 +26,11 @@ const {
   dataURLProcessor,
 } = require('internal/data_url');
 
+let ci;
+if (isWindows) {
+  ci = require('internal/code_integrity');
+}
+
 /**
  * @param {URL} url URL to the module
  * @param {LoadContext} context used to decorate error messages
@@ -34,6 +41,12 @@ function getSourceSync(url, context) {
   const responseURL = href;
   let source;
   if (protocol === 'file:') {
+    if (isWindows) {
+      const isAllowedToExecute = ci.isAllowedToExecuteFile(fileURLToPath(url));
+      if (!isAllowedToExecute) {
+        throw new ERR_CODE_INTEGRITY_VIOLATION(url);
+      }
+    }
     source = readFileSync(url);
   } else if (protocol === 'data:') {
     const result = dataURLProcessor(url);

node.gyp

@@ -232,6 +232,7 @@
       'src/node_blob.h',
       'src/node_buffer.h',
       'src/node_builtins.h',
+      'src/node_code_integrity.h',
       'src/node_config_file.h',
       'src/node_constants.h',
       'src/node_context_data.h',
@@ -455,6 +456,14 @@
       }, {
         'use_openssl_def%': 0,
       }],
+      # Only compile node_code_integrity on Windows
+      [ 'OS=="win"', {
+        'node_sources': [
+          '<(node_sources)',
+          'src/node_code_integrity.cc',
+          'src/node_code_integrity.h',
+        ],
+      }],
     ],
   },
 

src/node_binding.cc

@@ -97,14 +97,21 @@
   V(worker)                                                                    \
   V(zlib)
 
+#define NODE_BUILTIN_OS_SPECIFIC_BINDINGS(V)
+
+#ifdef _WIN32
+#define NODE_BUILTIN_OS_SPECIFIC_BINDINGS(V) V(code_integrity)
+#endif
+
 #define NODE_BUILTIN_BINDINGS(V)                                               \
   NODE_BUILTIN_STANDARD_BINDINGS(V)                                            \
   NODE_BUILTIN_OPENSSL_BINDINGS(V)                                             \
   NODE_BUILTIN_ICU_BINDINGS(V)                                                 \
   NODE_BUILTIN_PROFILER_BINDINGS(V)                                            \
   NODE_BUILTIN_DEBUG_BINDINGS(V)                                               \
   NODE_BUILTIN_QUIC_BINDINGS(V)                                                \
-  NODE_BUILTIN_SQLITE_BINDINGS(V)
+  NODE_BUILTIN_SQLITE_BINDINGS(V)                                              \
+  NODE_BUILTIN_OS_SPECIFIC_BINDINGS(V)
 
 // This is used to load built-in bindings. Instead of using
 // __attribute__((constructor)), we call the _register_<modname>