build,test: test array index hash collision

joyeecheung · aduh95 · commit 6f14ee51011d · 2026-03-23T20:06:35.000+01:00
This enables v8_enable_seeded_array_index_hash and add a test for it. Fixes: https://hackerone.com/reports/3511792 Backport-PR-URL: nodejs-private/node-private#833 Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> PR-URL: nodejs-private/node-private#809 CVE-ID: CVE-2026-21717
diff --git a/test/fixtures/array-hash-collision.js b/test/fixtures/array-hash-collision.js
@@ -0,0 +1,27 @@
+'use strict';
+
+// See https://hackerone.com/reports/3511792
+
+const payload = [];
+const val = 1234;
+const MOD = 2 ** 19;
+const CHN = 2 ** 17;
+const REP = 2 ** 17;
+
+if (process.argv[2] === 'benign') {
+  for (let i = 0; i < CHN + REP; i++) {
+    payload.push(`${val + i}`);
+  }
+} else {
+  let j = val + MOD;
+  for (let i = 1; i < CHN; i++) {
+    payload.push(`${j}`);
+    j = (j + i) % MOD;
+  }
+  for (let k = 0; k < REP; k++) {
+    payload.push(`${val}`);
+  }
+}
+
+const string = JSON.stringify({ data: payload });
+JSON.parse(string);
diff --git a/test/pummel/test-array-hash-collision.js b/test/pummel/test-array-hash-collision.js
@@ -0,0 +1,27 @@
+'use strict';
+
+// This is a regression test for https://hackerone.com/reports/3511792
+
+require('../common');
+const assert = require('assert');
+const { spawnSync } = require('child_process');
+const { performance } = require('perf_hooks');
+const fixtures = require('../common/fixtures');
+
+const fixturePath = fixtures.path('array-hash-collision.js');
+
+const t0 = performance.now();
+const benignResult = spawnSync(process.execPath, [fixturePath, 'benign']);
+const benignTime = performance.now() - t0;
+assert.strictEqual(benignResult.status, 0);
+console.log(`Benign test completed in ${benignTime.toFixed(2)}ms.`);
+
+const t1 = performance.now();
+const maliciousResult = spawnSync(process.execPath, [fixturePath, 'malicious'], {
+  timeout: Math.ceil(benignTime * 10),
+});
+const maliciousTime = performance.now() - t1;
+console.log(`Malicious test completed in ${maliciousTime.toFixed(2)}ms.`);
+
+assert.strictEqual(maliciousResult.status, 0, `Hash flooding regression detected: ` +
+  `Benign took ${benignTime}ms, malicious took more than ${maliciousTime}ms.`);
diff --git a/tools/make-v8.sh b/tools/make-v8.sh
@@ -5,6 +5,8 @@ set -xe
 BUILD_ARCH_TYPE=$1
 V8_BUILD_OPTIONS=$2
 
+EXTRA_V8_OPTS="v8_enable_static_roots=false v8_enable_seeded_array_index_hash=true v8_use_default_hasher_secret=false"
+
 cd deps/v8 || exit
 find . -type d -name .git -print0 | xargs -0 rm -rf
 ../../tools/v8/fetch_deps.py .
@@ -32,11 +34,20 @@ if [ "$ARCH" = "s390x" ] || [ "$ARCH" = "ppc64le" ]; then
     *clang*) GN_COMPILER_OPTS="is_clang=true clang_base_path=\"/usr\" clang_use_chrome_plugins=false treat_warnings_as_errors=false use_custom_libcxx=false" ;;
     *) GN_COMPILER_OPTS="treat_warnings_as_errors=false use_custom_libcxx=false" ;;
   esac
-  gn gen -v "out.gn/$BUILD_ARCH_TYPE" --args="$GN_COMPILER_OPTS is_component_build=false is_debug=false v8_target_cpu=\"$TARGET_ARCH\" target_cpu=\"$TARGET_ARCH\" v8_enable_backtrace=true $CC_WRAPPER"
-  ninja -v -C "out.gn/$BUILD_ARCH_TYPE" "${JOBS_ARG}" d8 cctest inspector-test
+  gn gen -v "out.gn/$BUILD_ARCH_TYPE" --args="$GN_COMPILER_OPTS is_component_build=false is_debug=false v8_target_cpu=\"$TARGET_ARCH\" target_cpu=\"$TARGET_ARCH\" v8_enable_backtrace=true $CC_WRAPPER $EXTRA_V8_OPTS"
+  # shellcheck disable=SC2086
+  ninja -v -C "out.gn/$BUILD_ARCH_TYPE" ${JOBS_ARG} d8 cctest inspector-test
 else
   DEPOT_TOOLS_DIR="$(cd depot_tools && pwd)"
+  export DEPOT_TOOLS_DIR
+  "$DEPOT_TOOLS_DIR/ensure_bootstrap"
+  export CHROMIUM_BUILDTOOLS_PATH="$PWD/buildtools"
   # shellcheck disable=SC2086
   PATH="$DEPOT_TOOLS_DIR":$PATH tools/dev/v8gen.py "$BUILD_ARCH_TYPE" $V8_BUILD_OPTIONS
-  PATH="$DEPOT_TOOLS_DIR":$PATH ninja -C "out.gn/$BUILD_ARCH_TYPE/" "${JOBS_ARG}" d8 cctest inspector-test
+  for opt in $EXTRA_V8_OPTS; do
+    echo "${opt%%=*} = ${opt#*=}" >> "out.gn/$BUILD_ARCH_TYPE/args.gn"
+  done
+  PATH="$DEPOT_TOOLS_DIR":$PATH gn gen -v "out.gn/$BUILD_ARCH_TYPE"
+  # shellcheck disable=SC2086
+  PATH="$DEPOT_TOOLS_DIR":$PATH ninja -C "out.gn/$BUILD_ARCH_TYPE/" ${JOBS_ARG} d8 cctest inspector-test
 fi
diff --git a/tools/v8_gypfiles/features.gypi b/tools/v8_gypfiles/features.gypi
@@ -193,6 +193,9 @@
     # Use Siphash as added protection against hash flooding attacks.
     'v8_use_siphash%': 0,
 
+    # Enable seeded array index hash.
+    'v8_enable_seeded_array_index_hash%': 1,
+
     # Use Perfetto (https://perfetto.dev) as the default TracingController. Not
     # currently implemented.
     'v8_use_perfetto%': 0,
@@ -454,6 +457,9 @@
       ['v8_use_siphash==1', {
         'defines': ['V8_USE_SIPHASH',],
       }],
+      ['v8_enable_seeded_array_index_hash==1', {
+        'defines': ['V8_ENABLE_SEEDED_ARRAY_INDEX_HASH',],
+      }],
       ['v8_enable_shared_ro_heap==1', {
         'defines': ['V8_SHARED_RO_HEAP',],
       }],
