Type confusion bugs in process_wrap.cc.

[deian]

We found two type confusion bugs in process_wrap.cc.

First one uses ToObject unchecked: https://github.com/nodejs/node/blob/master/src/process_wrap.cc#L136
Second one uses As unchecked: https://github.com/nodejs/node/blob/master/src/process_wrap.cc#L92

The two programs below that trigger these bugs. We’re using process.binding here, but we’ve been pretty successful at escalating such things to public API.

— trigger 1:

P=process.binding('process_wrap').Process; new P().spawn();

— trigger 2:

const options = {file:'ls'};
Object.defineProperty(options, 'stdio', {
 get: () => {
   return [1];
 },
 enumerable: true
});
P=process.binding('process_wrap').Process; new P().spawn(options);

[Trott]

@nodejs/child_process isn't a thing but @bnoordhuis @cjihrig @indutny

[Trott]

@nodejs/child_process

[apapirovski]

As far as I can tell this got sufficiently resolved in #12348. Using process.binding isn't officially supported so that's up to the user to make sure they don't run into these types of issues. Either way though, this has been open for a year now with no significant movement.