-
Notifications
You must be signed in to change notification settings - Fork 30k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
buffer: zero-fill buffer allocated with invalid content #17428
Conversation
Zero-fill when `Buffer.alloc()` receives invalid fill data. A solution like nodejs#17427 which switches to throwing makes sense, but is likely a breaking change. This suggestion leaves the behaviour of `buffer.fill()` untouched, since any change to it would be a breaking change, and lets `Buffer.alloc()` check whether any filling took place or not. Refs: nodejs#17427 Refs: nodejs#17423
@nodejs/buffer @nodejs/security The cat is kind of out of the bag with the public issue & the other PR being opened, but I do think this potentially has security implications and we should apply it (or some other solution that we agree on) to all release lines in the near future. Edit: Okay, funnily enough, Node 4 + 6 already do throw an error in these situations, so this only remains for 8 and 9. CI: https://ci.nodejs.org/job/node-test-commit/14528/ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm fine with this for older/current release lines. I still think moving forward that throwing in fill()
is the correct thing to do.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
doc/api/buffer.md
Outdated
@@ -1254,6 +1259,19 @@ Example: Fill a `Buffer` with a two-byte character | |||
console.log(Buffer.allocUnsafe(3).fill('\u0222')); | |||
``` | |||
|
|||
If `value` is contains invalid characters, it is truncated; if no valid |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nit: extra 'is' before contains
doc/api/buffer.md
Outdated
changes: | ||
- version: REPLACEME | ||
pr-url: https://github.com/nodejs/node/pull/17428 | ||
description: Specifying an invalid string for `fill` now yields a |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just a thought but given yield
is a JS keyword with a specific meaning and not necessarily a super familiar word for non-native speakers, is there another word we could use? Maybe results in
, creates
or returns
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You can say the same about returns
;) I’m happy with anything, results in
sounds fine to me.
// Prints: <Buffer aa aa aa aa aa> | ||
console.log(buf.fill('aazz', 'hex')); | ||
// Prints: <Buffer aa aa aa aa aa> | ||
console.log(buf.fill('zz', 'hex')); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nit: missing // Prints:
?
Edit: nvm.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It seems the comments cover the next line, not the previous.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, I misread, sorry.
@@ -266,7 +266,9 @@ Buffer.alloc = function alloc(size, fill, encoding) { | |||
// be interpreted as a start offset. | |||
if (typeof encoding !== 'string') | |||
encoding = undefined; | |||
return createUnsafeBuffer(size).fill(fill, encoding); | |||
const ret = createUnsafeBuffer(size); | |||
if (fill_(ret, fill, encoding)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: if (fill_(ret, fill, encoding) > 0) {
? To avoid an unnecessary ToBoolean.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@targos yup, will fix while landing
PR-URL: #17428 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Anatoli Papirovski <apapirovski@mac.com> Reviewed-By: Ali Ijaz Sheikh <ofrobots@google.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Michaël Zasso <targos@protonmail.com>
Zero-fill when `Buffer.alloc()` receives invalid fill data. A solution like #17427 which switches to throwing makes sense, but is likely a breaking change. This suggestion leaves the behaviour of `buffer.fill()` untouched, since any change to it would be a breaking change, and lets `Buffer.alloc()` check whether any filling took place or not. PR-URL: #17428 Refs: #17427 Refs: #17423 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Anatoli Papirovski <apapirovski@mac.com> Reviewed-By: Ali Ijaz Sheikh <ofrobots@google.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Michaël Zasso <targos@protonmail.com>
PR-URL: nodejs#17428 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Anatoli Papirovski <apapirovski@mac.com> Reviewed-By: Ali Ijaz Sheikh <ofrobots@google.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Michaël Zasso <targos@protonmail.com>
This is a security release. All Node.js users should consult the security release summary at https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/ for details on patched vulnerabilities. Fixes for the following CVEs are included in this release: * CVE-2017-15896 * CVE-2017-15897 * CVE-2017-3738 (from the openssl project) Notable Changes: * buffer: * buffer allocated with an invalid content will now be zero filled (Anna Henningsen) #17428 * deps: * openssl updated to 1.0.2n (Shigeki Ohtsu) #17526 PR-URL: #17532
This is a security release. All Node.js users should consult the security release summary at https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/ for details on patched vulnerabilities. Fixes for the following CVEs are included in this release: * CVE-2017-15896 * CVE-2017-15897 * CVE-2017-3738 (from the openssl project) Notable Changes: * buffer: * buffer allocated with an invalid content will now be zero filled (Anna Henningsen) #17428 * deps: * openssl updated to 1.0.2n (Shigeki Ohtsu) #17526 PR-URL: #17532
This is a security release. All Node.js users should consult the security release summary at https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/ for details on patched vulnerabilities. Fixes for the following CVEs are included in this release: * CVE-2017-15896 * CVE-2017-15897 * CVE-2017-3738 (from the openssl project) Notable Changes: * buffer: * buffer allocated with an invalid content will now be zero filled (Anna Henningsen) #17428 * deps: * openssl updated to 1.0.2n (Shigeki Ohtsu) #17526 PR-URL: #17532
@cjihrig Sorry, I was just finishing this up when I saw your PR – I think your suggestion makes sense, but I think we should make
Buffer.alloc()
never return uninitialized data on any release line.Zero-fill when
Buffer.alloc()
receives invalid fill data.A solution like #17427 which switches
to throwing makes sense, but is likely a breaking change.
This suggestion leaves the behaviour of
buffer.fill()
untouched,since any change to it would be a breaking change, and lets
Buffer.alloc()
check whether any filling took place or not.Refs: #17427
Refs: #17423
Checklist
make -j4 test
(UNIX), orvcbuild test
(Windows) passesAffected core subsystem(s)
buffer