process: make process.config read-only

Refs: nodejs#6115

Author: jasnell

doc/api/process.markdown

@@ -473,22 +473,24 @@ An example of the possible output looks like:
   variables:
    {
      host_arch: 'x64',
-     node_install_npm: 'true',
+     node_install_npm: true,
      node_prefix: '',
-     node_shared_cares: 'false',
-     node_shared_http_parser: 'false',
-     node_shared_libuv: 'false',
-     node_shared_zlib: 'false',
-     node_use_dtrace: 'false',
-     node_use_openssl: 'true',
-     node_shared_openssl: 'false',
-     strict_aliasing: 'true',
+     node_shared_cares: false,
+     node_shared_http_parser: false,
+     node_shared_libuv: false,
+     node_shared_zlib: false,
+     node_use_dtrace: false,
+     node_use_openssl: true,
+     node_shared_openssl: false,
+     strict_aliasing: true,
      target_arch: 'x64',
-     v8_use_snapshot: 'true'
+     v8_use_snapshot: true
    }
 }
 ```
 
+The `process.config` object is read-only and cannot be modified or extended.
+
 ## process.connected
 
 * {Boolean} Set to false after `process.disconnect()` is called

lib/internal/process.js

@@ -60,10 +60,30 @@ function setupConfig(_source) {
       .replace(/"/g, '\\"')
       .replace(/'/g, '"');
 
-  process.config = JSON.parse(config, function(key, value) {
-    if (value === 'true') return true;
-    if (value === 'false') return false;
-    return value;
+  // Use a lazy getter and freeze the config object on parse.
+  // This makes it slower but ensures that userland cannot
+  // overwrite the config.
+  var _config;
+  Object.defineProperty(process, 'config', {
+    configurable: false,
+    enumerable: true,
+    get: function() {
+      if (!_config) {
+        _config = JSON.parse(config, (key, value) => {
+          if (value === 'true') return true;
+          if (value === 'false') return false;
+          if (typeof value === 'object')
+            Object.freeze(value);
+          return value;
+        });
+      }
+      return _config;
+    },
+    set: function set(val) {
+      const err = TypeError('process.config is read-only.');
+      Error.captureStackTrace(err, set);
+      throw err;
+    }
   });
 }
 

test/parallel/test-process-config-readonly.js

@@ -0,0 +1,14 @@
+'use strict';
+
+require('../common');
+const assert = require('assert');
+
+const config = process.config;
+
+assert(config);
+assert(config.variables);
+
+// These throw because the objects are frozen.
+assert.throws(() => process.config = {}, TypeError);
+assert.throws(() => process.config.a = 1, TypeError);
+assert.throws(() => process.config.variables.a = 1, TypeError);