Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Calling require with null char as first char of the path component causes crash #13788

Closed
wants to merge 4 commits into from

Conversation

zimbabao
Copy link
Contributor

@zimbabao zimbabao commented Jun 19, 2017

Checklist
  • make -j4 test (UNIX), or vcbuild test (Windows) passes
  • tests and/or benchmarks are included
  • documentation is changed or added
  • commit message follows commit guidelines
Affected core subsystem(s)

@nodejs-github-bot nodejs-github-bot added the module Issues and PRs related to the module subsystem. label Jun 19, 2017
@charmander
Copy link
Contributor

Why ignore the rest silently? Throw an error.

@bnoordhuis
Copy link
Member

See also #8277 and, uh, #8277 (comment).

General observation: naively splitting the string like that probably introduces an unacceptable performance regression. Would need to be checked.

zimbabao added 2 commits June 19, 2017 09:37
Null char as the first char as the path component
of first argument of require causes a node crash.
Ignoring null and all chars after that in require path.

Fixes: nodejs#13787
Null char as the first char as the path component
of first argument of require causes a node crash.
Ignoring null and all chars after that in require path.

Fixes: nodejs#13787
@zimbabao
Copy link
Contributor Author

@charmander: Yes, we can do that. Throw error on any string with null. Looks like that the behavior as per #8277

@bnoordhuis : if we throw on mere presence of null, split can be removed. But hard to remove single pass.

@mscdex
Copy link
Contributor

mscdex commented Jun 19, 2017

@zimbabao I don't think it matters whether there are multiple passes since having a null character in the string is not a common case.

@zimbabao
Copy link
Contributor Author

@mscdex : But we have to run that on all the paths, latency due to reading from disk is high as compared to this check.

@mscdex
Copy link
Contributor

mscdex commented Jun 20, 2017

@zimbabao What I meant was having a simpler indexOf() conditional check should be better than always calling split() and that only doing the latter after the former returns something other than -1 would help to minimize the impact and that passing over the string twice in such cases (when a null character is found) doesn't matter because they're not common.

Null char as the first char as the path component
of first argument of require causes a node crash.
Ignoring null and all chars after that in require path.

Fixes: nodejs#13787
lib/module.js Outdated
@@ -510,6 +510,10 @@ Module.prototype.load = function(filename) {
Module.prototype.require = function(path) {
assert(path, 'missing path');
assert(typeof path === 'string', 'path must be a string');
// Ignore part of the path after null character if it exists
if (path.indexOf('\u0000') != -1) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we just do:

if (path.includes('\u0000') {

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I just ran a simple benchmark to compare the two on master and it seems indexOf() is still quite a bit faster overall.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

However, we should use double equals here: !== -1

@mscdex
Copy link
Contributor

mscdex commented Jun 20, 2017

It would be good to see some module benchmark results before and after the indexOf() addition.

Null char as the first char as the path component
of first argument of require causes a node crash.
Ignoring null and all chars after that in require path.

Fixes: nodejs#13787
@zimbabao
Copy link
Contributor Author

zimbabao commented Jul 3, 2017

@charmander : #8277 throws error if path contains null bytes, and #8292 is dependent PR. I'm not sure why its not being pursued.

@BridgeAR
Copy link
Member

This got superseded by ffed7b6

@BridgeAR BridgeAR closed this Aug 30, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
module Issues and PRs related to the module subsystem.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants