Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

src: avoid dereference without existence check #14591

Closed
wants to merge 1 commit into from

Conversation

TimothyGu
Copy link
Member

@TimothyGu TimothyGu commented Aug 2, 2017

Currently the URL API is only used from the JS binding, which always initializes base regardless of has_base. Therefore, there is no actual security risk right now, but there would be had we made other C++ parts of Node.js use this API.

Because of that, I was not able to add any JS tests, instead resorting to C++. However, the magic of C++ compilers makes a reliable test impossible, as the added test only sometimes fails before this PR, even though when it does fail it is a NULL pointer dereference.

Refs: #14369 (comment)

Checklist
  • make -j4 test (UNIX), or vcbuild test (Windows) passes
  • tests and/or benchmarks are included
  • commit message follows commit guidelines
Affected core subsystem(s)

url

@nodejs-github-bot nodejs-github-bot added c++ Issues and PRs that require attention from people who are familiar with C++. dont-land-on-v4.x whatwg-url Issues and PRs related to the WHATWG URL implementation. labels Aug 2, 2017
@TimothyGu TimothyGu mentioned this pull request Aug 2, 2017
4 tasks
Currently the URL API is only used from the JS binding, which always
initializes `base` regardless of `has_base`. Therefore, there is no
actual security risk right now, but would be had we made other C++ parts
of Node.js use this API.

Refs: nodejs#14369 (comment)
@TimothyGu
Copy link
Member Author

Landed w/o a CI run... force-pushed to remove it.

CI: https://ci.nodejs.org/job/node-test-pull-request/9495/

@TimothyGu
Copy link
Member Author

CI failures are known flakies, will land this soon.

@TimothyGu
Copy link
Member Author

Landed in e96ca62.

@TimothyGu TimothyGu closed this Aug 6, 2017
@TimothyGu TimothyGu deleted the url-base branch August 6, 2017 07:13
TimothyGu added a commit that referenced this pull request Aug 6, 2017
Currently the URL API is only used from the JS binding, which always
initializes `base` regardless of `has_base`. Therefore, there is no
actual security risk right now, but would be had we made other C++ parts
of Node.js use this API.

An earlier version of this patch was created by Bradley Farias
<bradley.meck@gmail.com>.

PR-URL: #14591
Refs: #14369 (comment)
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
addaleax pushed a commit that referenced this pull request Aug 7, 2017
Currently the URL API is only used from the JS binding, which always
initializes `base` regardless of `has_base`. Therefore, there is no
actual security risk right now, but would be had we made other C++ parts
of Node.js use this API.

An earlier version of this patch was created by Bradley Farias
<bradley.meck@gmail.com>.

PR-URL: #14591
Refs: #14369 (comment)
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
c++ Issues and PRs that require attention from people who are familiar with C++. whatwg-url Issues and PRs related to the WHATWG URL implementation.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants