├── .github └── FUNDING.yml ├── .npmignore ├── .travis.yml ├── LICENSE ├── README.md ├── index.d.ts ├── index.js ├── package.json └── test └── basic.js /.github/FUNDING.yml: -------------------------------------------------------------------------------- 1 | github: feross 2 | tidelift: npm/safe-buffer 3 | -------------------------------------------------------------------------------- /.npmignore: -------------------------------------------------------------------------------- 1 | .github/ 2 | .travis.yml 3 | test/ 4 | -------------------------------------------------------------------------------- /.travis.yml: -------------------------------------------------------------------------------- 1 | language: node_js 2 | node_js: 3 | - lts/* 4 | - '12' 5 | - '10' 6 | - '8' 7 | - '6' 8 | - '4' 9 | - '0.12' 10 | - '0.10' 11 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | The MIT License (MIT) 2 | 3 | Copyright (c) Feross Aboukhadijeh 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in 13 | all copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 21 | THE SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # safe-buffer [![travis][travis-image]][travis-url] [![npm][npm-image]][npm-url] [![downloads][downloads-image]][downloads-url] [![javascript style guide][standard-image]][standard-url] 2 | 3 | [travis-image]: https://img.shields.io/travis/feross/safe-buffer/master.svg 4 | [travis-url]: https://travis-ci.org/feross/safe-buffer 5 | [npm-image]: https://img.shields.io/npm/v/safe-buffer.svg 6 | [npm-url]: https://npmjs.org/package/safe-buffer 7 | [downloads-image]: https://img.shields.io/npm/dm/safe-buffer.svg 8 | [downloads-url]: https://npmjs.org/package/safe-buffer 9 | [standard-image]: https://img.shields.io/badge/code_style-standard-brightgreen.svg 10 | [standard-url]: https://standardjs.com 11 | 12 | #### Safer Node.js Buffer API 13 | 14 | **Use the new Node.js Buffer APIs (`Buffer.from`, `Buffer.alloc`, 15 | `Buffer.allocUnsafe`, `Buffer.allocUnsafeSlow`) in all versions of Node.js.** 16 | 17 | **Uses the built-in implementation when available.** 18 | 19 | ## install 20 | 21 | ``` 22 | npm install safe-buffer 23 | ``` 24 | 25 | ## usage 26 | 27 | The goal of this package is to provide a safe replacement for the node.js `Buffer`. 28 | 29 | It's a drop-in replacement for `Buffer`. You can use it by adding one `require` line to 30 | the top of your node.js modules: 31 | 32 | ```js 33 | var Buffer = require('safe-buffer').Buffer 34 | 35 | // Existing buffer code will continue to work without issues: 36 | 37 | new Buffer('hey', 'utf8') 38 | new Buffer([1, 2, 3], 'utf8') 39 | new Buffer(obj) 40 | new Buffer(16) // create an uninitialized buffer (potentially unsafe) 41 | 42 | // But you can use these new explicit APIs to make clear what you want: 43 | 44 | Buffer.from('hey', 'utf8') // convert from many types to a Buffer 45 | Buffer.alloc(16) // create a zero-filled buffer (safe) 46 | Buffer.allocUnsafe(16) // create an uninitialized buffer (potentially unsafe) 47 | ``` 48 | 49 | ## api 50 | 51 | ### Class Method: Buffer.from(array) 52 | 55 | 56 | * `array` {Array} 57 | 58 | Allocates a new `Buffer` using an `array` of octets. 59 | 60 | ```js 61 | const buf = Buffer.from([0x62,0x75,0x66,0x66,0x65,0x72]); 62 | // creates a new Buffer containing ASCII bytes 63 | // ['b','u','f','f','e','r'] 64 | ``` 65 | 66 | A `TypeError` will be thrown if `array` is not an `Array`. 67 | 68 | ### Class Method: Buffer.from(arrayBuffer[, byteOffset[, length]]) 69 | 72 | 73 | * `arrayBuffer` {ArrayBuffer} The `.buffer` property of a `TypedArray` or 74 | a `new ArrayBuffer()` 75 | * `byteOffset` {Number} Default: `0` 76 | * `length` {Number} Default: `arrayBuffer.length - byteOffset` 77 | 78 | When passed a reference to the `.buffer` property of a `TypedArray` instance, 79 | the newly created `Buffer` will share the same allocated memory as the 80 | TypedArray. 81 | 82 | ```js 83 | const arr = new Uint16Array(2); 84 | arr[0] = 5000; 85 | arr[1] = 4000; 86 | 87 | const buf = Buffer.from(arr.buffer); // shares the memory with arr; 88 | 89 | console.log(buf); 90 | // Prints: 91 | 92 | // changing the TypedArray changes the Buffer also 93 | arr[1] = 6000; 94 | 95 | console.log(buf); 96 | // Prints: 97 | ``` 98 | 99 | The optional `byteOffset` and `length` arguments specify a memory range within 100 | the `arrayBuffer` that will be shared by the `Buffer`. 101 | 102 | ```js 103 | const ab = new ArrayBuffer(10); 104 | const buf = Buffer.from(ab, 0, 2); 105 | console.log(buf.length); 106 | // Prints: 2 107 | ``` 108 | 109 | A `TypeError` will be thrown if `arrayBuffer` is not an `ArrayBuffer`. 110 | 111 | ### Class Method: Buffer.from(buffer) 112 | 115 | 116 | * `buffer` {Buffer} 117 | 118 | Copies the passed `buffer` data onto a new `Buffer` instance. 119 | 120 | ```js 121 | const buf1 = Buffer.from('buffer'); 122 | const buf2 = Buffer.from(buf1); 123 | 124 | buf1[0] = 0x61; 125 | console.log(buf1.toString()); 126 | // 'auffer' 127 | console.log(buf2.toString()); 128 | // 'buffer' (copy is not changed) 129 | ``` 130 | 131 | A `TypeError` will be thrown if `buffer` is not a `Buffer`. 132 | 133 | ### Class Method: Buffer.from(str[, encoding]) 134 | 137 | 138 | * `str` {String} String to encode. 139 | * `encoding` {String} Encoding to use, Default: `'utf8'` 140 | 141 | Creates a new `Buffer` containing the given JavaScript string `str`. If 142 | provided, the `encoding` parameter identifies the character encoding. 143 | If not provided, `encoding` defaults to `'utf8'`. 144 | 145 | ```js 146 | const buf1 = Buffer.from('this is a tést'); 147 | console.log(buf1.toString()); 148 | // prints: this is a tést 149 | console.log(buf1.toString('ascii')); 150 | // prints: this is a tC)st 151 | 152 | const buf2 = Buffer.from('7468697320697320612074c3a97374', 'hex'); 153 | console.log(buf2.toString()); 154 | // prints: this is a tést 155 | ``` 156 | 157 | A `TypeError` will be thrown if `str` is not a string. 158 | 159 | ### Class Method: Buffer.alloc(size[, fill[, encoding]]) 160 | 163 | 164 | * `size` {Number} 165 | * `fill` {Value} Default: `undefined` 166 | * `encoding` {String} Default: `utf8` 167 | 168 | Allocates a new `Buffer` of `size` bytes. If `fill` is `undefined`, the 169 | `Buffer` will be *zero-filled*. 170 | 171 | ```js 172 | const buf = Buffer.alloc(5); 173 | console.log(buf); 174 | // 175 | ``` 176 | 177 | The `size` must be less than or equal to the value of 178 | `require('buffer').kMaxLength` (on 64-bit architectures, `kMaxLength` is 179 | `(2^31)-1`). Otherwise, a [`RangeError`][] is thrown. A zero-length Buffer will 180 | be created if a `size` less than or equal to 0 is specified. 181 | 182 | If `fill` is specified, the allocated `Buffer` will be initialized by calling 183 | `buf.fill(fill)`. See [`buf.fill()`][] for more information. 184 | 185 | ```js 186 | const buf = Buffer.alloc(5, 'a'); 187 | console.log(buf); 188 | // 189 | ``` 190 | 191 | If both `fill` and `encoding` are specified, the allocated `Buffer` will be 192 | initialized by calling `buf.fill(fill, encoding)`. For example: 193 | 194 | ```js 195 | const buf = Buffer.alloc(11, 'aGVsbG8gd29ybGQ=', 'base64'); 196 | console.log(buf); 197 | // 198 | ``` 199 | 200 | Calling `Buffer.alloc(size)` can be significantly slower than the alternative 201 | `Buffer.allocUnsafe(size)` but ensures that the newly created `Buffer` instance 202 | contents will *never contain sensitive data*. 203 | 204 | A `TypeError` will be thrown if `size` is not a number. 205 | 206 | ### Class Method: Buffer.allocUnsafe(size) 207 | 210 | 211 | * `size` {Number} 212 | 213 | Allocates a new *non-zero-filled* `Buffer` of `size` bytes. The `size` must 214 | be less than or equal to the value of `require('buffer').kMaxLength` (on 64-bit 215 | architectures, `kMaxLength` is `(2^31)-1`). Otherwise, a [`RangeError`][] is 216 | thrown. A zero-length Buffer will be created if a `size` less than or equal to 217 | 0 is specified. 218 | 219 | The underlying memory for `Buffer` instances created in this way is *not 220 | initialized*. The contents of the newly created `Buffer` are unknown and 221 | *may contain sensitive data*. Use [`buf.fill(0)`][] to initialize such 222 | `Buffer` instances to zeroes. 223 | 224 | ```js 225 | const buf = Buffer.allocUnsafe(5); 226 | console.log(buf); 227 | // 228 | // (octets will be different, every time) 229 | buf.fill(0); 230 | console.log(buf); 231 | // 232 | ``` 233 | 234 | A `TypeError` will be thrown if `size` is not a number. 235 | 236 | Note that the `Buffer` module pre-allocates an internal `Buffer` instance of 237 | size `Buffer.poolSize` that is used as a pool for the fast allocation of new 238 | `Buffer` instances created using `Buffer.allocUnsafe(size)` (and the deprecated 239 | `new Buffer(size)` constructor) only when `size` is less than or equal to 240 | `Buffer.poolSize >> 1` (floor of `Buffer.poolSize` divided by two). The default 241 | value of `Buffer.poolSize` is `8192` but can be modified. 242 | 243 | Use of this pre-allocated internal memory pool is a key difference between 244 | calling `Buffer.alloc(size, fill)` vs. `Buffer.allocUnsafe(size).fill(fill)`. 245 | Specifically, `Buffer.alloc(size, fill)` will *never* use the internal Buffer 246 | pool, while `Buffer.allocUnsafe(size).fill(fill)` *will* use the internal 247 | Buffer pool if `size` is less than or equal to half `Buffer.poolSize`. The 248 | difference is subtle but can be important when an application requires the 249 | additional performance that `Buffer.allocUnsafe(size)` provides. 250 | 251 | ### Class Method: Buffer.allocUnsafeSlow(size) 252 | 255 | 256 | * `size` {Number} 257 | 258 | Allocates a new *non-zero-filled* and non-pooled `Buffer` of `size` bytes. The 259 | `size` must be less than or equal to the value of 260 | `require('buffer').kMaxLength` (on 64-bit architectures, `kMaxLength` is 261 | `(2^31)-1`). Otherwise, a [`RangeError`][] is thrown. A zero-length Buffer will 262 | be created if a `size` less than or equal to 0 is specified. 263 | 264 | The underlying memory for `Buffer` instances created in this way is *not 265 | initialized*. The contents of the newly created `Buffer` are unknown and 266 | *may contain sensitive data*. Use [`buf.fill(0)`][] to initialize such 267 | `Buffer` instances to zeroes. 268 | 269 | When using `Buffer.allocUnsafe()` to allocate new `Buffer` instances, 270 | allocations under 4KB are, by default, sliced from a single pre-allocated 271 | `Buffer`. This allows applications to avoid the garbage collection overhead of 272 | creating many individually allocated Buffers. This approach improves both 273 | performance and memory usage by eliminating the need to track and cleanup as 274 | many `Persistent` objects. 275 | 276 | However, in the case where a developer may need to retain a small chunk of 277 | memory from a pool for an indeterminate amount of time, it may be appropriate 278 | to create an un-pooled Buffer instance using `Buffer.allocUnsafeSlow()` then 279 | copy out the relevant bits. 280 | 281 | ```js 282 | // need to keep around a few small chunks of memory 283 | const store = []; 284 | 285 | socket.on('readable', () => { 286 | const data = socket.read(); 287 | // allocate for retained data 288 | const sb = Buffer.allocUnsafeSlow(10); 289 | // copy the data into the new allocation 290 | data.copy(sb, 0, 0, 10); 291 | store.push(sb); 292 | }); 293 | ``` 294 | 295 | Use of `Buffer.allocUnsafeSlow()` should be used only as a last resort *after* 296 | a developer has observed undue memory retention in their applications. 297 | 298 | A `TypeError` will be thrown if `size` is not a number. 299 | 300 | ### All the Rest 301 | 302 | The rest of the `Buffer` API is exactly the same as in node.js. 303 | [See the docs](https://nodejs.org/api/buffer.html). 304 | 305 | 306 | ## Related links 307 | 308 | - [Node.js issue: Buffer(number) is unsafe](https://github.com/nodejs/node/issues/4660) 309 | - [Node.js Enhancement Proposal: Buffer.from/Buffer.alloc/Buffer.zalloc/Buffer() soft-deprecate](https://github.com/nodejs/node-eps/pull/4) 310 | 311 | ## Why is `Buffer` unsafe? 312 | 313 | Today, the node.js `Buffer` constructor is overloaded to handle many different argument 314 | types like `String`, `Array`, `Object`, `TypedArrayView` (`Uint8Array`, etc.), 315 | `ArrayBuffer`, and also `Number`. 316 | 317 | The API is optimized for convenience: you can throw any type at it, and it will try to do 318 | what you want. 319 | 320 | Because the Buffer constructor is so powerful, you often see code like this: 321 | 322 | ```js 323 | // Convert UTF-8 strings to hex 324 | function toHex (str) { 325 | return new Buffer(str).toString('hex') 326 | } 327 | ``` 328 | 329 | ***But what happens if `toHex` is called with a `Number` argument?*** 330 | 331 | ### Remote Memory Disclosure 332 | 333 | If an attacker can make your program call the `Buffer` constructor with a `Number` 334 | argument, then they can make it allocate uninitialized memory from the node.js process. 335 | This could potentially disclose TLS private keys, user data, or database passwords. 336 | 337 | When the `Buffer` constructor is passed a `Number` argument, it returns an 338 | **UNINITIALIZED** block of memory of the specified `size`. When you create a `Buffer` like 339 | this, you **MUST** overwrite the contents before returning it to the user. 340 | 341 | From the [node.js docs](https://nodejs.org/api/buffer.html#buffer_new_buffer_size): 342 | 343 | > `new Buffer(size)` 344 | > 345 | > - `size` Number 346 | > 347 | > The underlying memory for `Buffer` instances created in this way is not initialized. 348 | > **The contents of a newly created `Buffer` are unknown and could contain sensitive 349 | > data.** Use `buf.fill(0)` to initialize a Buffer to zeroes. 350 | 351 | (Emphasis our own.) 352 | 353 | Whenever the programmer intended to create an uninitialized `Buffer` you often see code 354 | like this: 355 | 356 | ```js 357 | var buf = new Buffer(16) 358 | 359 | // Immediately overwrite the uninitialized buffer with data from another buffer 360 | for (var i = 0; i < buf.length; i++) { 361 | buf[i] = otherBuf[i] 362 | } 363 | ``` 364 | 365 | 366 | ### Would this ever be a problem in real code? 367 | 368 | Yes. It's surprisingly common to forget to check the type of your variables in a 369 | dynamically-typed language like JavaScript. 370 | 371 | Usually the consequences of assuming the wrong type is that your program crashes with an 372 | uncaught exception. But the failure mode for forgetting to check the type of arguments to 373 | the `Buffer` constructor is more catastrophic. 374 | 375 | Here's an example of a vulnerable service that takes a JSON payload and converts it to 376 | hex: 377 | 378 | ```js 379 | // Take a JSON payload {str: "some string"} and convert it to hex 380 | var server = http.createServer(function (req, res) { 381 | var data = '' 382 | req.setEncoding('utf8') 383 | req.on('data', function (chunk) { 384 | data += chunk 385 | }) 386 | req.on('end', function () { 387 | var body = JSON.parse(data) 388 | res.end(new Buffer(body.str).toString('hex')) 389 | }) 390 | }) 391 | 392 | server.listen(8080) 393 | ``` 394 | 395 | In this example, an http client just has to send: 396 | 397 | ```json 398 | { 399 | "str": 1000 400 | } 401 | ``` 402 | 403 | and it will get back 1,000 bytes of uninitialized memory from the server. 404 | 405 | This is a very serious bug. It's similar in severity to the 406 | [the Heartbleed bug](http://heartbleed.com/) that allowed disclosure of OpenSSL process 407 | memory by remote attackers. 408 | 409 | 410 | ### Which real-world packages were vulnerable? 411 | 412 | #### [`bittorrent-dht`](https://www.npmjs.com/package/bittorrent-dht) 413 | 414 | [Mathias Buus](https://github.com/mafintosh) and I 415 | ([Feross Aboukhadijeh](http://feross.org/)) found this issue in one of our own packages, 416 | [`bittorrent-dht`](https://www.npmjs.com/package/bittorrent-dht). The bug would allow 417 | anyone on the internet to send a series of messages to a user of `bittorrent-dht` and get 418 | them to reveal 20 bytes at a time of uninitialized memory from the node.js process. 419 | 420 | Here's 421 | [the commit](https://github.com/feross/bittorrent-dht/commit/6c7da04025d5633699800a99ec3fbadf70ad35b8) 422 | that fixed it. We released a new fixed version, created a 423 | [Node Security Project disclosure](https://nodesecurity.io/advisories/68), and deprecated all 424 | vulnerable versions on npm so users will get a warning to upgrade to a newer version. 425 | 426 | #### [`ws`](https://www.npmjs.com/package/ws) 427 | 428 | That got us wondering if there were other vulnerable packages. Sure enough, within a short 429 | period of time, we found the same issue in [`ws`](https://www.npmjs.com/package/ws), the 430 | most popular WebSocket implementation in node.js. 431 | 432 | If certain APIs were called with `Number` parameters instead of `String` or `Buffer` as 433 | expected, then uninitialized server memory would be disclosed to the remote peer. 434 | 435 | These were the vulnerable methods: 436 | 437 | ```js 438 | socket.send(number) 439 | socket.ping(number) 440 | socket.pong(number) 441 | ``` 442 | 443 | Here's a vulnerable socket server with some echo functionality: 444 | 445 | ```js 446 | server.on('connection', function (socket) { 447 | socket.on('message', function (message) { 448 | message = JSON.parse(message) 449 | if (message.type === 'echo') { 450 | socket.send(message.data) // send back the user's message 451 | } 452 | }) 453 | }) 454 | ``` 455 | 456 | `socket.send(number)` called on the server, will disclose server memory. 457 | 458 | Here's [the release](https://github.com/websockets/ws/releases/tag/1.0.1) where the issue 459 | was fixed, with a more detailed explanation. Props to 460 | [Arnout Kazemier](https://github.com/3rd-Eden) for the quick fix. Here's the 461 | [Node Security Project disclosure](https://nodesecurity.io/advisories/67). 462 | 463 | 464 | ### What's the solution? 465 | 466 | It's important that node.js offers a fast way to get memory otherwise performance-critical 467 | applications would needlessly get a lot slower. 468 | 469 | But we need a better way to *signal our intent* as programmers. **When we want 470 | uninitialized memory, we should request it explicitly.** 471 | 472 | Sensitive functionality should not be packed into a developer-friendly API that loosely 473 | accepts many different types. This type of API encourages the lazy practice of passing 474 | variables in without checking the type very carefully. 475 | 476 | #### A new API: `Buffer.allocUnsafe(number)` 477 | 478 | The functionality of creating buffers with uninitialized memory should be part of another 479 | API. We propose `Buffer.allocUnsafe(number)`. This way, it's not part of an API that 480 | frequently gets user input of all sorts of different types passed into it. 481 | 482 | ```js 483 | var buf = Buffer.allocUnsafe(16) // careful, uninitialized memory! 484 | 485 | // Immediately overwrite the uninitialized buffer with data from another buffer 486 | for (var i = 0; i < buf.length; i++) { 487 | buf[i] = otherBuf[i] 488 | } 489 | ``` 490 | 491 | 492 | ### How do we fix node.js core? 493 | 494 | We sent [a PR to node.js core](https://github.com/nodejs/node/pull/4514) (merged as 495 | `semver-major`) which defends against one case: 496 | 497 | ```js 498 | var str = 16 499 | new Buffer(str, 'utf8') 500 | ``` 501 | 502 | In this situation, it's implied that the programmer intended the first argument to be a 503 | string, since they passed an encoding as a second argument. Today, node.js will allocate 504 | uninitialized memory in the case of `new Buffer(number, encoding)`, which is probably not 505 | what the programmer intended. 506 | 507 | But this is only a partial solution, since if the programmer does `new Buffer(variable)` 508 | (without an `encoding` parameter) there's no way to know what they intended. If `variable` 509 | is sometimes a number, then uninitialized memory will sometimes be returned. 510 | 511 | ### What's the real long-term fix? 512 | 513 | We could deprecate and remove `new Buffer(number)` and use `Buffer.allocUnsafe(number)` when 514 | we need uninitialized memory. But that would break 1000s of packages. 515 | 516 | ~~We believe the best solution is to:~~ 517 | 518 | ~~1. Change `new Buffer(number)` to return safe, zeroed-out memory~~ 519 | 520 | ~~2. Create a new API for creating uninitialized Buffers. We propose: `Buffer.allocUnsafe(number)`~~ 521 | 522 | #### Update 523 | 524 | We now support adding three new APIs: 525 | 526 | - `Buffer.from(value)` - convert from any type to a buffer 527 | - `Buffer.alloc(size)` - create a zero-filled buffer 528 | - `Buffer.allocUnsafe(size)` - create an uninitialized buffer with given size 529 | 530 | This solves the core problem that affected `ws` and `bittorrent-dht` which is 531 | `Buffer(variable)` getting tricked into taking a number argument. 532 | 533 | This way, existing code continues working and the impact on the npm ecosystem will be 534 | minimal. Over time, npm maintainers can migrate performance-critical code to use 535 | `Buffer.allocUnsafe(number)` instead of `new Buffer(number)`. 536 | 537 | 538 | ### Conclusion 539 | 540 | We think there's a serious design issue with the `Buffer` API as it exists today. It 541 | promotes insecure software by putting high-risk functionality into a convenient API 542 | with friendly "developer ergonomics". 543 | 544 | This wasn't merely a theoretical exercise because we found the issue in some of the 545 | most popular npm packages. 546 | 547 | Fortunately, there's an easy fix that can be applied today. Use `safe-buffer` in place of 548 | `buffer`. 549 | 550 | ```js 551 | var Buffer = require('safe-buffer').Buffer 552 | ``` 553 | 554 | Eventually, we hope that node.js core can switch to this new, safer behavior. We believe 555 | the impact on the ecosystem would be minimal since it's not a breaking change. 556 | Well-maintained, popular packages would be updated to use `Buffer.alloc` quickly, while 557 | older, insecure packages would magically become safe from this attack vector. 558 | 559 | 560 | ## links 561 | 562 | - [Node.js PR: buffer: throw if both length and enc are passed](https://github.com/nodejs/node/pull/4514) 563 | - [Node Security Project disclosure for `ws`](https://nodesecurity.io/advisories/67) 564 | - [Node Security Project disclosure for`bittorrent-dht`](https://nodesecurity.io/advisories/68) 565 | 566 | 567 | ## credit 568 | 569 | The original issues in `bittorrent-dht` 570 | ([disclosure](https://nodesecurity.io/advisories/68)) and 571 | `ws` ([disclosure](https://nodesecurity.io/advisories/67)) were discovered by 572 | [Mathias Buus](https://github.com/mafintosh) and 573 | [Feross Aboukhadijeh](http://feross.org/). 574 | 575 | Thanks to [Adam Baldwin](https://github.com/evilpacket) for helping disclose these issues 576 | and for his work running the [Node Security Project](https://nodesecurity.io/). 577 | 578 | Thanks to [John Hiesey](https://github.com/jhiesey) for proofreading this README and 579 | auditing the code. 580 | 581 | 582 | ## license 583 | 584 | MIT. Copyright (C) [Feross Aboukhadijeh](http://feross.org) 585 | -------------------------------------------------------------------------------- /index.d.ts: -------------------------------------------------------------------------------- 1 | declare module "safe-buffer" { 2 | export class Buffer { 3 | length: number 4 | write(string: string, offset?: number, length?: number, encoding?: string): number; 5 | toString(encoding?: string, start?: number, end?: number): string; 6 | toJSON(): { type: 'Buffer', data: any[] }; 7 | equals(otherBuffer: Buffer): boolean; 8 | compare(otherBuffer: Buffer, targetStart?: number, targetEnd?: number, sourceStart?: number, sourceEnd?: number): number; 9 | copy(targetBuffer: Buffer, targetStart?: number, sourceStart?: number, sourceEnd?: number): number; 10 | slice(start?: number, end?: number): Buffer; 11 | writeUIntLE(value: number, offset: number, byteLength: number, noAssert?: boolean): number; 12 | writeUIntBE(value: number, offset: number, byteLength: number, noAssert?: boolean): number; 13 | writeIntLE(value: number, offset: number, byteLength: number, noAssert?: boolean): number; 14 | writeIntBE(value: number, offset: number, byteLength: number, noAssert?: boolean): number; 15 | readUIntLE(offset: number, byteLength: number, noAssert?: boolean): number; 16 | readUIntBE(offset: number, byteLength: number, noAssert?: boolean): number; 17 | readIntLE(offset: number, byteLength: number, noAssert?: boolean): number; 18 | readIntBE(offset: number, byteLength: number, noAssert?: boolean): number; 19 | readUInt8(offset: number, noAssert?: boolean): number; 20 | readUInt16LE(offset: number, noAssert?: boolean): number; 21 | readUInt16BE(offset: number, noAssert?: boolean): number; 22 | readUInt32LE(offset: number, noAssert?: boolean): number; 23 | readUInt32BE(offset: number, noAssert?: boolean): number; 24 | readInt8(offset: number, noAssert?: boolean): number; 25 | readInt16LE(offset: number, noAssert?: boolean): number; 26 | readInt16BE(offset: number, noAssert?: boolean): number; 27 | readInt32LE(offset: number, noAssert?: boolean): number; 28 | readInt32BE(offset: number, noAssert?: boolean): number; 29 | readFloatLE(offset: number, noAssert?: boolean): number; 30 | readFloatBE(offset: number, noAssert?: boolean): number; 31 | readDoubleLE(offset: number, noAssert?: boolean): number; 32 | readDoubleBE(offset: number, noAssert?: boolean): number; 33 | swap16(): Buffer; 34 | swap32(): Buffer; 35 | swap64(): Buffer; 36 | writeUInt8(value: number, offset: number, noAssert?: boolean): number; 37 | writeUInt16LE(value: number, offset: number, noAssert?: boolean): number; 38 | writeUInt16BE(value: number, offset: number, noAssert?: boolean): number; 39 | writeUInt32LE(value: number, offset: number, noAssert?: boolean): number; 40 | writeUInt32BE(value: number, offset: number, noAssert?: boolean): number; 41 | writeInt8(value: number, offset: number, noAssert?: boolean): number; 42 | writeInt16LE(value: number, offset: number, noAssert?: boolean): number; 43 | writeInt16BE(value: number, offset: number, noAssert?: boolean): number; 44 | writeInt32LE(value: number, offset: number, noAssert?: boolean): number; 45 | writeInt32BE(value: number, offset: number, noAssert?: boolean): number; 46 | writeFloatLE(value: number, offset: number, noAssert?: boolean): number; 47 | writeFloatBE(value: number, offset: number, noAssert?: boolean): number; 48 | writeDoubleLE(value: number, offset: number, noAssert?: boolean): number; 49 | writeDoubleBE(value: number, offset: number, noAssert?: boolean): number; 50 | fill(value: any, offset?: number, end?: number): this; 51 | indexOf(value: string | number | Buffer, byteOffset?: number, encoding?: string): number; 52 | lastIndexOf(value: string | number | Buffer, byteOffset?: number, encoding?: string): number; 53 | includes(value: string | number | Buffer, byteOffset?: number, encoding?: string): boolean; 54 | 55 | /** 56 | * Allocates a new buffer containing the given {str}. 57 | * 58 | * @param str String to store in buffer. 59 | * @param encoding encoding to use, optional. Default is 'utf8' 60 | */ 61 | constructor (str: string, encoding?: string); 62 | /** 63 | * Allocates a new buffer of {size} octets. 64 | * 65 | * @param size count of octets to allocate. 66 | */ 67 | constructor (size: number); 68 | /** 69 | * Allocates a new buffer containing the given {array} of octets. 70 | * 71 | * @param array The octets to store. 72 | */ 73 | constructor (array: Uint8Array); 74 | /** 75 | * Produces a Buffer backed by the same allocated memory as 76 | * the given {ArrayBuffer}. 77 | * 78 | * 79 | * @param arrayBuffer The ArrayBuffer with which to share memory. 80 | */ 81 | constructor (arrayBuffer: ArrayBuffer); 82 | /** 83 | * Allocates a new buffer containing the given {array} of octets. 84 | * 85 | * @param array The octets to store. 86 | */ 87 | constructor (array: any[]); 88 | /** 89 | * Copies the passed {buffer} data onto a new {Buffer} instance. 90 | * 91 | * @param buffer The buffer to copy. 92 | */ 93 | constructor (buffer: Buffer); 94 | prototype: Buffer; 95 | /** 96 | * Allocates a new Buffer using an {array} of octets. 97 | * 98 | * @param array 99 | */ 100 | static from(array: any[]): Buffer; 101 | /** 102 | * When passed a reference to the .buffer property of a TypedArray instance, 103 | * the newly created Buffer will share the same allocated memory as the TypedArray. 104 | * The optional {byteOffset} and {length} arguments specify a memory range 105 | * within the {arrayBuffer} that will be shared by the Buffer. 106 | * 107 | * @param arrayBuffer The .buffer property of a TypedArray or a new ArrayBuffer() 108 | * @param byteOffset 109 | * @param length 110 | */ 111 | static from(arrayBuffer: ArrayBuffer, byteOffset?: number, length?: number): Buffer; 112 | /** 113 | * Copies the passed {buffer} data onto a new Buffer instance. 114 | * 115 | * @param buffer 116 | */ 117 | static from(buffer: Buffer): Buffer; 118 | /** 119 | * Creates a new Buffer containing the given JavaScript string {str}. 120 | * If provided, the {encoding} parameter identifies the character encoding. 121 | * If not provided, {encoding} defaults to 'utf8'. 122 | * 123 | * @param str 124 | */ 125 | static from(str: string, encoding?: string): Buffer; 126 | /** 127 | * Returns true if {obj} is a Buffer 128 | * 129 | * @param obj object to test. 130 | */ 131 | static isBuffer(obj: any): obj is Buffer; 132 | /** 133 | * Returns true if {encoding} is a valid encoding argument. 134 | * Valid string encodings in Node 0.12: 'ascii'|'utf8'|'utf16le'|'ucs2'(alias of 'utf16le')|'base64'|'binary'(deprecated)|'hex' 135 | * 136 | * @param encoding string to test. 137 | */ 138 | static isEncoding(encoding: string): boolean; 139 | /** 140 | * Gives the actual byte length of a string. encoding defaults to 'utf8'. 141 | * This is not the same as String.prototype.length since that returns the number of characters in a string. 142 | * 143 | * @param string string to test. 144 | * @param encoding encoding used to evaluate (defaults to 'utf8') 145 | */ 146 | static byteLength(string: string, encoding?: string): number; 147 | /** 148 | * Returns a buffer which is the result of concatenating all the buffers in the list together. 149 | * 150 | * If the list has no items, or if the totalLength is 0, then it returns a zero-length buffer. 151 | * If the list has exactly one item, then the first item of the list is returned. 152 | * If the list has more than one item, then a new Buffer is created. 153 | * 154 | * @param list An array of Buffer objects to concatenate 155 | * @param totalLength Total length of the buffers when concatenated. 156 | * If totalLength is not provided, it is read from the buffers in the list. However, this adds an additional loop to the function, so it is faster to provide the length explicitly. 157 | */ 158 | static concat(list: Buffer[], totalLength?: number): Buffer; 159 | /** 160 | * The same as buf1.compare(buf2). 161 | */ 162 | static compare(buf1: Buffer, buf2: Buffer): number; 163 | /** 164 | * Allocates a new buffer of {size} octets. 165 | * 166 | * @param size count of octets to allocate. 167 | * @param fill if specified, buffer will be initialized by calling buf.fill(fill). 168 | * If parameter is omitted, buffer will be filled with zeros. 169 | * @param encoding encoding used for call to buf.fill while initalizing 170 | */ 171 | static alloc(size: number, fill?: string | Buffer | number, encoding?: string): Buffer; 172 | /** 173 | * Allocates a new buffer of {size} octets, leaving memory not initialized, so the contents 174 | * of the newly created Buffer are unknown and may contain sensitive data. 175 | * 176 | * @param size count of octets to allocate 177 | */ 178 | static allocUnsafe(size: number): Buffer; 179 | /** 180 | * Allocates a new non-pooled buffer of {size} octets, leaving memory not initialized, so the contents 181 | * of the newly created Buffer are unknown and may contain sensitive data. 182 | * 183 | * @param size count of octets to allocate 184 | */ 185 | static allocUnsafeSlow(size: number): Buffer; 186 | } 187 | } -------------------------------------------------------------------------------- /index.js: -------------------------------------------------------------------------------- 1 | /*! safe-buffer. MIT License. Feross Aboukhadijeh */ 2 | /* eslint-disable node/no-deprecated-api, no-var */ 3 | var buffer = require('buffer') 4 | var Buffer = buffer.Buffer 5 | 6 | // alternative to using Object.keys for old browsers 7 | function copyProps (src, dst) { 8 | for (var key in src) { 9 | dst[key] = src[key] 10 | } 11 | } 12 | if (Buffer.from && Buffer.alloc && Buffer.allocUnsafe && Buffer.allocUnsafeSlow) { 13 | module.exports = buffer 14 | } else { 15 | // Copy properties from require('buffer') 16 | copyProps(buffer, exports) 17 | exports.Buffer = SafeBuffer 18 | } 19 | 20 | function SafeBuffer (arg, encodingOrOffset, length) { 21 | return Buffer(arg, encodingOrOffset, length) 22 | } 23 | 24 | SafeBuffer.prototype = Object.create(Buffer.prototype) 25 | 26 | // Copy static methods from Buffer 27 | copyProps(Buffer, SafeBuffer) 28 | 29 | SafeBuffer.from = function (arg, encodingOrOffset, length) { 30 | if (typeof arg === 'number') { 31 | throw new TypeError('Argument must not be a number') 32 | } 33 | return Buffer(arg, encodingOrOffset, length) 34 | } 35 | 36 | SafeBuffer.alloc = function (size, fill, encoding) { 37 | if (typeof size !== 'number') { 38 | throw new TypeError('Argument must be a number') 39 | } 40 | var buf = Buffer(size) 41 | if (fill !== undefined) { 42 | if (typeof encoding === 'string') { 43 | buf.fill(fill, encoding) 44 | } else { 45 | buf.fill(fill) 46 | } 47 | } else { 48 | buf.fill(0) 49 | } 50 | return buf 51 | } 52 | 53 | SafeBuffer.allocUnsafe = function (size) { 54 | if (typeof size !== 'number') { 55 | throw new TypeError('Argument must be a number') 56 | } 57 | return Buffer(size) 58 | } 59 | 60 | SafeBuffer.allocUnsafeSlow = function (size) { 61 | if (typeof size !== 'number') { 62 | throw new TypeError('Argument must be a number') 63 | } 64 | return buffer.SlowBuffer(size) 65 | } 66 | -------------------------------------------------------------------------------- /package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "safe-buffer", 3 | "description": "Safer Node.js Buffer API", 4 | "version": "5.2.1", 5 | "author": { 6 | "name": "Feross Aboukhadijeh", 7 | "email": "feross@feross.org", 8 | "url": "https://feross.org" 9 | }, 10 | "bugs": { 11 | "url": "https://github.com/feross/safe-buffer/issues" 12 | }, 13 | "devDependencies": { 14 | "standard": "*", 15 | "tape": "^5.0.1" 16 | }, 17 | "homepage": "https://github.com/feross/safe-buffer", 18 | "keywords": [ 19 | "buffer", 20 | "buffer allocate", 21 | "node security", 22 | "safe", 23 | "safe-buffer", 24 | "security", 25 | "uninitialized" 26 | ], 27 | "license": "MIT", 28 | "main": "index.js", 29 | "types": "index.d.ts", 30 | "repository": { 31 | "type": "git", 32 | "url": "git://github.com/feross/safe-buffer.git" 33 | }, 34 | "scripts": { 35 | "test": "standard && tape test/*.js" 36 | }, 37 | "funding": [ 38 | { 39 | "type": "github", 40 | "url": "https://github.com/sponsors/feross" 41 | }, 42 | { 43 | "type": "patreon", 44 | "url": "https://www.patreon.com/feross" 45 | }, 46 | { 47 | "type": "consulting", 48 | "url": "https://feross.org/support" 49 | } 50 | ] 51 | } 52 | -------------------------------------------------------------------------------- /test/basic.js: -------------------------------------------------------------------------------- 1 | /* eslint-disable node/no-deprecated-api, no-var */ 2 | 3 | var test = require('tape') 4 | var SafeBuffer = require('../').Buffer 5 | 6 | test('new SafeBuffer(value) works just like Buffer', function (t) { 7 | t.deepEqual(new SafeBuffer('hey'), new Buffer('hey')) 8 | t.deepEqual(new SafeBuffer('hey', 'utf8'), new Buffer('hey', 'utf8')) 9 | t.deepEqual(new SafeBuffer('686579', 'hex'), new Buffer('686579', 'hex')) 10 | t.deepEqual(new SafeBuffer([1, 2, 3]), new Buffer([1, 2, 3])) 11 | t.deepEqual(new SafeBuffer(new Uint8Array([1, 2, 3])), new Buffer(new Uint8Array([1, 2, 3]))) 12 | 13 | t.equal(typeof SafeBuffer.isBuffer, 'function') 14 | t.equal(SafeBuffer.isBuffer(new SafeBuffer('hey')), true) 15 | t.equal(Buffer.isBuffer(new SafeBuffer('hey')), true) 16 | t.notOk(SafeBuffer.isBuffer({})) 17 | 18 | t.end() 19 | }) 20 | 21 | test('SafeBuffer.from(value) converts to a Buffer', function (t) { 22 | t.deepEqual(SafeBuffer.from('hey'), new Buffer('hey')) 23 | t.deepEqual(SafeBuffer.from('hey', 'utf8'), new Buffer('hey', 'utf8')) 24 | t.deepEqual(SafeBuffer.from('686579', 'hex'), new Buffer('686579', 'hex')) 25 | t.deepEqual(SafeBuffer.from([1, 2, 3]), new Buffer([1, 2, 3])) 26 | t.deepEqual(SafeBuffer.from(new Uint8Array([1, 2, 3])), new Buffer(new Uint8Array([1, 2, 3]))) 27 | 28 | t.end() 29 | }) 30 | 31 | test('SafeBuffer.alloc(number) returns zeroed-out memory', function (t) { 32 | for (var i = 0; i < 10; i++) { 33 | var expected1 = new Buffer(1000) 34 | expected1.fill(0) 35 | t.deepEqual(SafeBuffer.alloc(1000), expected1) 36 | 37 | var expected2 = new Buffer(1000 * 1000) 38 | expected2.fill(0) 39 | t.deepEqual(SafeBuffer.alloc(1000 * 1000), expected2) 40 | } 41 | t.end() 42 | }) 43 | 44 | test('SafeBuffer.allocUnsafe(number)', function (t) { 45 | var buf = SafeBuffer.allocUnsafe(100) // unitialized memory 46 | t.equal(buf.length, 100) 47 | t.equal(SafeBuffer.isBuffer(buf), true) 48 | t.equal(Buffer.isBuffer(buf), true) 49 | t.end() 50 | }) 51 | 52 | test('SafeBuffer.from() throws with number types', function (t) { 53 | t.plan(5) 54 | t.throws(function () { 55 | SafeBuffer.from(0) 56 | }) 57 | t.throws(function () { 58 | SafeBuffer.from(-1) 59 | }) 60 | t.throws(function () { 61 | SafeBuffer.from(NaN) 62 | }) 63 | t.throws(function () { 64 | SafeBuffer.from(Infinity) 65 | }) 66 | t.throws(function () { 67 | SafeBuffer.from(99) 68 | }) 69 | }) 70 | 71 | test('SafeBuffer.allocUnsafe() throws with non-number types', function (t) { 72 | t.plan(4) 73 | t.throws(function () { 74 | SafeBuffer.allocUnsafe('hey') 75 | }) 76 | t.throws(function () { 77 | SafeBuffer.allocUnsafe('hey', 'utf8') 78 | }) 79 | t.throws(function () { 80 | SafeBuffer.allocUnsafe([1, 2, 3]) 81 | }) 82 | t.throws(function () { 83 | SafeBuffer.allocUnsafe({}) 84 | }) 85 | }) 86 | 87 | test('SafeBuffer.alloc() throws with non-number types', function (t) { 88 | t.plan(4) 89 | t.throws(function () { 90 | SafeBuffer.alloc('hey') 91 | }) 92 | t.throws(function () { 93 | SafeBuffer.alloc('hey', 'utf8') 94 | }) 95 | t.throws(function () { 96 | SafeBuffer.alloc([1, 2, 3]) 97 | }) 98 | t.throws(function () { 99 | SafeBuffer.alloc({}) 100 | }) 101 | }) 102 | --------------------------------------------------------------------------------