sdkman / sdkman-cli

The SDKMAN! Command Line Interface
https://sdkman.io
Apache License 2.0

Bug: Installing GraalVM via sdkman overrides node installation if GraalVM $PATH is before nodejs $PATH #822

Open nhh opened 3 years ago

nhh commented 3 years ago

Bug report

This may be a security issue because that behavior acts the same on every other distributed sdkman package. And several executables can be implicitly distributed and executed. (my guess)

When installing a sdkman package like sdk install java 20.2.0.r11-grl, the $GRAALVM_HOME/bin will be added to the system's $PATH configuration. GraalVM also distributes in their /bin folder a graaljs version of nodejs: $GRAALVM_HOME/bin/node

So when the $GRAALVM_HOME path is before your usual nodejs installation path, the system will execute the implicitly distributed graaljs version instead of the nodejs version.

There is also this configuration in my .zshrc, which is suggested during installation.

export SDKMAN_DIR="/home/nhh/.sdkman"
[[ -s "/home/nhh/.sdkman/bin/sdkman-init.sh" ]] && source "/home/nhh/.sdkman/bin/sdkman-init.sh"

I propose that sdkman should only prepend executables related to the installed package, like "java", instead of everything that is available in the path. (I don't know if sdkman prepends every executable, or if this is just how $PATH works)

To reproduce

  1. run `sdk install java 20.2.0.r11-grl`
  2. Update your $PATH configuration and put your $GRAALVM_HOME/bin in the first place
  3. Run `node --version`

Please refer to the initial discussion with the GraalVM team: https://github.com/graalvm/graaljs/issues/370

System info

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=20.04
DISTRIB_CODENAME=focal
DISTRIB_DESCRIPTION="Ubuntu 20.04.1 LTS"
NAME="Ubuntu"
VERSION="20.04.1 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.1 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal
GNU bash, version 5.0.17(1)-release (x86_64-pc-linux-gnu)
Copyright (C) 2019 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

SDKMAN 5.9.1+575
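A shell check for the shadowing described in this report, as an added example that is not sdkman's or GraalVM's code: `shadowed_commands` and `make_fixture` are hypothetical helpers, and the fixture's fake `graal/bin` and `node/bin` directories are constructed stand-ins for $GRAALVM_HOME/bin and a separate Node.js install. It lists every executable in a candidate bin directory that would hide a same-named command already reachable on the search path, which is exactly what happens to `node` when the GraalVM directory is prepended.

```sh
#!/bin/sh
# Hypothetical helper (added example, not sdkman code): for each executable in
# $1, report the first other directory on the colon-separated search path ($2,
# default $PATH) that provides a command of the same name. Those are the
# commands that prepending $1 to PATH would shadow.
shadowed_commands() {
    dir=$1
    search=${2:-$PATH}
    for f in "$dir"/*; do
        [ -f "$f" ] && [ -x "$f" ] || continue
        name=${f##*/}
        # Walk the path entries one by one; skip empty entries and $dir itself.
        rest=$search:
        while [ -n "$rest" ]; do
            p=${rest%%:*}
            rest=${rest#*:}
            [ -n "$p" ] && [ "$p" != "$dir" ] || continue
            if [ -f "$p/$name" ] && [ -x "$p/$name" ]; then
                printf '%s shadows %s\n' "$f" "$p/$name"
                break
            fi
        done
    done
}

# Constructed fixture mirroring the report: a fake GraalVM bin shipping node,
# npm and java next to a separate "real" node install. Prints the root dir.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/graal/bin" "$root/node/bin"
    for exe in node npm java; do
        printf '#!/bin/sh\necho graal-%s\n' "$exe" > "$root/graal/bin/$exe"
        chmod +x "$root/graal/bin/$exe"
    done
    printf '#!/bin/sh\necho real-node\n' > "$root/node/bin/node"
    chmod +x "$root/node/bin/node"
    printf '%s\n' "$root"
}

root=$(make_fixture)
# With the GraalVM bin first on the path, only node is reported: java and npm
# exist nowhere else, so they shadow nothing.
shadowed_commands "$root/graal/bin" "$root/graal/bin:$root/node/bin"
rm -rf "$root"
```

Running the check against the real `$GRAALVM_HOME/bin` with the current `$PATH` before adding the init line to `.zshrc` shows which host commands a given SDK would take over.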

helpermethod commented 3 years ago

Hi,

not exactly a solution to your problem, but Mandrel, which is a downstream distribution of the GraalVM Community Edition, does not contain a node binary.

You can install it with

sdk install java 20.2.0.0-mandrel

morki commented 3 years ago

The same problem here, I always have to delete those files (node, npm, npx) because GraalJS is not built with ICU and fails to install some packages with npm.