msi: do not create AppData\Roaming\npm

This effectively reverts e431cae due to security concerns. The directory is being created with elevated privileges but its path may depend on an unprivileged user's environment variables. Creating a directory in certain sensitive locations can cause Windows to become inoperable. Creating AppData\Roaming\npm was an intentional addition in order to resolve nodejs/node-v0.x-archive#8141, which appears to have been a common issue for users of npm. However, this was implemented before 4cfe5eb, which changed the MSI installation scope to perMachine. There were concerns about creating the npm directory in that PR, albeit not related to security (see nodejs/node-v0.x-archive#25640). Refs: nodejs/node-v0.x-archive#8141 Refs: nodejs/node-v0.x-archive#8838 Refs: nodejs/node-v0.x-archive#25640 PR-URL: nodejs-private/node-private#408 Backport-PR-URL: nodejs-private/node-private#430 Reviewed-By: Rich Trott <rtrott@gmail.com> CVE-ID: CVE-2023-30585
nodejs · Jun 19, 2023 · ab26912 · ab26912
1 parent d6fae8e
commit ab26912
Showing 1 changed file with 0 additions and 12 deletions.
diff --git a/tools/msvs/msi/product.wxs b/tools/msvs/msi/product.wxs
@@ -76,7 +76,6 @@
       <ComponentRef Id="NodeRegistryEntries"/>
       <ComponentRef Id="NodeVarsScript"/>
       <ComponentRef Id="NodeStartMenu"/>
-      <ComponentRef Id="AppData" />
       <ComponentRef Id="InstallToolsBat" />
       <ComponentRef Id="SetInstallDirPermission" />
       <ComponentGroupRef Id="Product.Generated"/>
@@ -107,7 +106,6 @@
       <ComponentRef Id="NpxCmdScript"/>
       <ComponentRef Id="NpxBashScript"/>
       <ComponentRef Id="NpmConfigurationFile"/>
-      <ComponentRef Id="AppData" />
       <ComponentRef Id="SetInstallDirPermission" />
       <ComponentGroupRef Id="NpmSourceFiles"/>
     </Feature>
@@ -266,16 +264,6 @@
           </Component>
         </Directory>
       </Directory>
-
-      <Directory Id="AppDataFolder">
-        <Directory Id="AppDataDir" Name="npm">
-          <Component Id="AppData" Guid="D3B35D0E-D0F9-4D11-A773-D4608E90E1D1">
-            <CreateFolder />
-            <RemoveFolder Id="AppDataDir" On="uninstall" />
-            <RegistryValue Root="HKCU" Key="$(var.RegistryKeyPath)\Components" Type="string" Value="" />
-          </Component>
-        </Directory>
-      </Directory>
     </DirectoryRef>
 
     <DirectoryRef Id="ApplicationProgramsFolder">