The kDisableNodeOptionsEnv option can be work around by using NODE_REPL_EXTERNAL_MODULE env

[zcbenz]

Node has an kDisableNodeOptionsEnv embedder flag that disables NODE_OPTIONS env to avoid injecting external code into apps, however it can be bypassed by using the NODE_REPL_EXTERNAL_MODULE env as reported by electron/electron#40770.

I understand kDisableNodeOptionsEnv only means to disable NODE_OPTIONS env, but if we don't also disable NODE_REPL_EXTERNAL_MODULE the protection would become meaningless.

I think we have 2 options to fix this:

1. Disable NODE_REPL_EXTERNAL_MODULE env when kDisableNodeOptionsEnv is used.
2. Deprecate kDisableNodeOptionsEnv and add a new flag that disables all possible ways to inject code.

I wonder which one would be preferred by Node team. /cc @addaleax @joyeecheung @bnoordhuis

[avivkeller]

@nodejs/security-wg

[avivkeller]

Dotenv isn't the correct label (no dotenv file), buts AFAIK the closest to env variables

[RafaelGSS]

@zcbenz While the first option is trivial I assume it will be a breaking change for all users that rely on the current behavior. I believe a new flag should be a safer approach. Honestly, I'm fine with both options.

cc: @nodejs/tsc