src: add WDAC integration (Windows)

Add calls to Windows Defender Application Control to enforce
integrity of .js, .json, .node files.

Author: rdw-msft

doc/api/errors.md

@@ -789,6 +789,18 @@ changes:
 There was an attempt to use a `MessagePort` instance in a closed
 state, usually after `.close()` has been called.
 
+<a id="ERR_CODE_INTEGRITY_BLOCKED"></a>
+
+### `ERR_CODE_INTEGRITY_BLOCKED`
+
+Feature has been disabled due to OS Code Integrity policy.
+
+<a id="ERR_CODE_INTEGRITY_VIOLATION"></a>
+
+### `ERR_CODE_INTEGRITY_VIOLATION`
+
+Javascript code intended to be executed was rejected by system code integrity policy.
+
 <a id="ERR_CONSOLE_WRITABLE_STREAM"></a>
 
 ### `ERR_CONSOLE_WRITABLE_STREAM`

lib/code_integrity.js

@@ -0,0 +1,28 @@
+'use strict';
+
+let isCodeIntegrityEnforced;
+let alreadyQueriedSystemCodeEnforcmentMode = false;
+
+const {
+  isFileTrustedBySystemCodeIntegrityPolicy,
+  isSystemEnforcingCodeIntegrity,
+} = internalBinding('code_integrity');
+
+function isAllowedToExecuteFile(filepath) {
+  if (!alreadyQueriedSystemCodeEnforcmentMode) {
+    isCodeIntegrityEnforced = isSystemEnforcingCodeIntegrity();
+    alreadyQueriedSystemCodeEnforcmentMode = true;
+  }
+
+  if (!isCodeIntegrityEnforced) {
+    return true;
+  }
+
+  return isFileTrustedBySystemCodeIntegrityPolicy(filepath);
+}
+
+module.exports = {
+  isAllowedToExecuteFile,
+  isFileTrustedBySystemCodeIntegrityPolicy,
+  isSystemEnforcingCodeIntegrity,
+};

lib/internal/errors.js

@@ -1144,6 +1144,10 @@ E('ERR_CHILD_PROCESS_IPC_REQUIRED',
   Error);
 E('ERR_CHILD_PROCESS_STDIO_MAXBUFFER', '%s maxBuffer length exceeded',
   RangeError);
+E('ERR_CODE_INTEGRITY_BLOCKED',
+  'The feature "%s" is blocked by OS Code Integrity policy', Error);
+E('ERR_CODE_INTEGRITY_VIOLATION',
+  'The file %s did not pass OS Code Integrity validation', Error);
 E('ERR_CONSOLE_WRITABLE_STREAM',
   'Console expects a writable stream instance for %s', TypeError);
 E('ERR_CONTEXT_NOT_INITIALIZED', 'context used is not initialized', Error);

lib/internal/main/eval_string.js

@@ -18,6 +18,17 @@ const { addBuiltinLibsToObject, stripTypeScriptTypes } = require('internal/modul
 
 const { getOptionValue } = require('internal/options');
 
+const {
+  codes: {
+    ERR_CODE_INTEGRITY_BLOCKED,
+  },
+} = require('internal/errors');
+
+const ci = require('code_integrity');
+if (ci.isSystemEnforcingCodeIntegrity()) {
+  throw new ERR_CODE_INTEGRITY_BLOCKED('"eval"');
+}
+
 prepareMainThreadExecution();
 addBuiltinLibsToObject(globalThis, '<eval>');
 markBootstrapComplete();

lib/internal/modules/cjs/loader.js

@@ -165,6 +165,7 @@ const {
 
 const {
   codes: {
+    ERR_CODE_INTEGRITY_VIOLATION,
     ERR_INVALID_ARG_VALUE,
     ERR_INVALID_MODULE_SPECIFIER,
     ERR_REQUIRE_CYCLE_MODULE,
@@ -199,6 +200,8 @@ const onRequire = getLazy(() => tracingChannel('module.require'));
 
 const relativeResolveCache = { __proto__: null };
 
+const ci = require('code_integrity');
+
 let requireDepth = 0;
 let isPreloading = false;
 let statCache = null;
@@ -1671,6 +1674,11 @@ Module._extensions['.js'] = function(module, filename) {
   // If already analyzed the source, then it will be cached.
   const content = getMaybeCachedSource(module, filename);
 
+  const isAllowedToExecute = ci.isAllowedToExecuteFile(filename);
+  if (!isAllowedToExecute) {
+    throw new ERR_CODE_INTEGRITY_VIOLATION(filename);
+  }
+
   let format;
   if (StringPrototypeEndsWith(filename, '.js')) {
     const pkg = packageJsonReader.getNearestParentPackageJSON(filename);
@@ -1717,6 +1725,11 @@ Module._extensions['.js'] = function(module, filename) {
  * @param {string} filename The file path of the module
  */
 Module._extensions['.json'] = function(module, filename) {
+  const isAllowedToExecute = ci.isAllowedToExecuteFile(filename);
+  if (!isAllowedToExecute) {
+    throw new ERR_CODE_INTEGRITY_VIOLATION(filename);
+  }
+
   const content = fs.readFileSync(filename, 'utf8');
 
   try {
@@ -1733,6 +1746,10 @@ Module._extensions['.json'] = function(module, filename) {
  * @param {string} filename The file path of the module
  */
 Module._extensions['.node'] = function(module, filename) {
+  const isAllowedToExecute = ci.isAllowedToExecuteFile(filename);
+  if (!isAllowedToExecute) {
+    throw new ERR_CODE_INTEGRITY_VIOLATION(filename);
+  }
   // Be aware this doesn't use `content`
   return process.dlopen(module, path.toNamespacedPath(filename));
 };

node.gyp

@@ -103,6 +103,7 @@
       'src/node_blob.cc',
       'src/node_buffer.cc',
       'src/node_builtins.cc',
+      'src/node_code_integrity.cc',
       'src/node_config.cc',
       'src/node_constants.cc',
       'src/node_contextify.cc',
@@ -228,6 +229,7 @@
       'src/node_blob.h',
       'src/node_buffer.h',
       'src/node_builtins.h',
+      'src/node_code_integrity.h',
       'src/node_constants.h',
       'src/node_context_data.h',
       'src/node_contextify.h',

src/node_binding.cc

@@ -42,6 +42,7 @@
   V(buffer)                                                                    \
   V(builtins)                                                                  \
   V(cares_wrap)                                                                \
+  V(code_integrity)                                                            \
   V(config)                                                                    \
   V(constants)                                                                 \
   V(contextify)                                                                \

src/node_code_integrity.cc

@@ -0,0 +1,208 @@
+#include "node_code_integrity.h"
+#include "v8.h"
+#include "node.h"
+#include "env-inl.h"
+#include "node_external_reference.h"
+
+namespace node {
+
+using v8::Boolean;
+using v8::Context;
+using v8::FunctionCallbackInfo;
+using v8::Local;
+using v8::Object;
+using v8::Value;
+
+namespace codeintegrity {
+
+#ifdef _WIN32
+static bool isWldpInitialized = false;
+static pfnWldpCanExecuteFile WldpCanExecuteFile;
+static pfnWldpGetApplicationSettingBoolean WldpGetApplicationSettingBoolean;
+static pfnWldpQuerySecurityPolicy WldpQuerySecurityPolicy;
+static PCWSTR NODEJS = L"Node.js";
+static PCWSTR ENFORCE_CODE_INTEGRITY_SETTING_NAME = L"EnforceCodeIntegrity";
+
+void InitWldp(Environment* env) {
+
+  if (isWldpInitialized)
+  {
+    return;
+  }
+
+  HMODULE wldp_module = LoadLibraryExA(
+      "wldp.dll",
+      nullptr,
+      LOAD_LIBRARY_SEARCH_SYSTEM32);
+
+  if (wldp_module == nullptr) {
+    return env->ThrowError("Unable to load wldp.dll");
+  }
+
+  WldpCanExecuteFile =
+    (pfnWldpCanExecuteFile)GetProcAddress(
+      wldp_module,
+      "WldpCanExecuteFile");
+
+  WldpGetApplicationSettingBoolean =
+    (pfnWldpGetApplicationSettingBoolean)GetProcAddress(
+      wldp_module,
+      "WldpGetApplicationSettingBoolean");
+
+  WldpQuerySecurityPolicy =
+    (pfnWldpQuerySecurityPolicy)GetProcAddress(
+      wldp_module,
+      "WldpQuerySecurityPolicy");
+  
+  isWldpInitialized = true;
+}
+
+static void IsFileTrustedBySystemCodeIntegrityPolicy(
+  const FunctionCallbackInfo<Value>& args) {
+  CHECK_EQ(args.Length(), 1);
+  CHECK(args[0]->IsString());
+
+  Environment* env = Environment::GetCurrent(args);
+  if (!isWldpInitialized) {
+    InitWldp(env);
+  }
+
+  BufferValue path(env->isolate(), args[0]);
+  if (*path == nullptr) {
+    return env->ThrowError("path cannot be empty");
+  }
+
+  HANDLE hFile = CreateFileA(
+    *path,
+    GENERIC_READ,
+    FILE_SHARE_READ,
+    nullptr,
+    OPEN_EXISTING,
+    FILE_ATTRIBUTE_NORMAL,
+    nullptr);
+
+  if (hFile == INVALID_HANDLE_VALUE || hFile == nullptr) {
+    return env->ThrowError("Unable to open file");
+  }
+
+  const GUID wldp_host_other = WLDP_HOST_OTHER;
+  WLDP_EXECUTION_POLICY result;
+  HRESULT hr = WldpCanExecuteFile(
+    wldp_host_other,
+    WLDP_EXECUTION_EVALUATION_OPTION_NONE,
+    hFile,
+    NODEJS,
+    &result);
+  CloseHandle(hFile);
+
+  if (FAILED(hr)) {
+    return env->ThrowError("WldpCanExecuteFile failed");
+  }
+
+  bool isFileTrusted = (result == WLDP_EXECUTION_POLICY_ALLOWED);
+  args.GetReturnValue().Set(isFileTrusted);
+}
+
+static void IsSystemEnforcingCodeIntegrity(
+  const FunctionCallbackInfo<Value>& args) {
+  CHECK_EQ(args.Length(), 0);
+
+  Environment* env = Environment::GetCurrent(args);
+
+  if (!isWldpInitialized) {
+    InitWldp(env);
+  }
+
+  if (WldpGetApplicationSettingBoolean != nullptr)
+  {
+    BOOL ret;
+    HRESULT hr = WldpGetApplicationSettingBoolean(
+      NODEJS,
+      ENFORCE_CODE_INTEGRITY_SETTING_NAME,
+      &ret);
+
+    if (SUCCEEDED(hr)) {
+      args.GetReturnValue().Set(
+        Boolean::New(env->isolate(), ret));
+      return;
+    } else if (hr != E_NOTFOUND) {  
+      // If the setting is not found, continue through to attempt WldpQuerySecurityPolicy,
+      // as the setting may be defined in the old settings format
+      args.GetReturnValue().Set(Boolean::New(env->isolate(), false));
+      return;
+    }
+  } 
+  
+  // WldpGetApplicationSettingBoolean is the preferred way for applications to
+  // query security policy values. However, this method only exists on Windows
+  // versions going back to circa Win10 2023H2. In order to support systems
+  // older than that (down to Win10RS2), we can use the deprecated
+  // WldpQuerySecurityPolicy
+  if (WldpQuerySecurityPolicy != nullptr) {
+    DECLARE_CONST_UNICODE_STRING(providerName, L"Node.js");
+    DECLARE_CONST_UNICODE_STRING(keyName, L"Settings");
+    DECLARE_CONST_UNICODE_STRING(valueName, L"EnforceCodeIntegrity");
+    WLDP_SECURE_SETTING_VALUE_TYPE valueType =
+      WLDP_SECURE_SETTING_VALUE_TYPE_BOOLEAN;
+    ULONG valueSize = sizeof(int);
+    int ret = 0;
+    HRESULT hr = WldpQuerySecurityPolicy(
+              &providerName,
+              &keyName,
+              &valueName,
+              &valueType,
+              &ret,
+              &valueSize);
+    if (FAILED(hr)) {
+      args.GetReturnValue().Set(Boolean::New(env->isolate(), false));
+      return;
+    }
+
+    args.GetReturnValue().Set(
+        Boolean::New(env->isolate(), static_cast<bool>(ret)));
+  }
+}
+#endif // _WIN32
+
+#ifndef _WIN32
+static void IsFileTrustedBySystemCodeIntegrityPolicy(
+  const FunctionCallbackInfo<Value>& args) {
+    args.GetReturnValue().Set(true);
+}
+
+static void IsSystemEnforcingCodeIntegrity(
+  const FunctionCallbackInfo<Value>& args) {
+    args.GetReturnValue().Set(false);
+}
+#endif // ifndef _WIN32
+
+void Initialize(Local<Object> target,
+                Local<Value> unused,
+                Local<Context> context,
+                void* priv) {
+  SetMethod(
+    context,
+    target,
+    "isFileTrustedBySystemCodeIntegrityPolicy",
+    IsFileTrustedBySystemCodeIntegrityPolicy);
+
+  SetMethod(
+    context,
+    target,
+    "isSystemEnforcingCodeIntegrity",
+    IsSystemEnforcingCodeIntegrity);
+}
+
+void RegisterExternalReferences(ExternalReferenceRegistry* registry) {
+  //BindingData::RegisterExternalReferences(registry);
+
+  registry->Register(IsFileTrustedBySystemCodeIntegrityPolicy);
+  registry->Register(IsSystemEnforcingCodeIntegrity);
+}
+
+}  // namespace codeintegrity
+}  // namespace node
+NODE_BINDING_CONTEXT_AWARE_INTERNAL(code_integrity,
+                                    node::codeintegrity::Initialize)
+NODE_BINDING_EXTERNAL_REFERENCE(code_integrity,
+                            node::codeintegrity::RegisterExternalReferences)