This would otherwise keep a lot of unused memory lying around,
and in particular add up to a page per chunk of memory overhead
for network reads, potentially opening a DoS vector if the resulting
`Buffer` objects are kept around indefinitely (e.g. stored in a list
and not concatenated until the socket finishes).
This fixes CVE-2018-7164.
Refs: https://github.com/nodejs-private/security/issues/186
Refs: 7c4b09b24b
PR-URL: https://github.com/nodejs-private/node-private/pull/129
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Evan Lucas <evanlucas@me.com>
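
The retention pattern described in the commit message above, as an added illustration that is not code from the Node.js repository: small payloads that each pin a page-sized backing store, next to a collector that copies into exact-size buffers and caps the total. The 4096-byte page size, the simulated reads and all names here are assumptions built from constructed data; this does not reproduce the internal fix.

```javascript
// Added illustration with constructed data; not Node.js internals.
const PAGE = 4096; // assumed size of the backing allocation per read

// Simulate a read: a small payload viewed inside a page-sized ArrayBuffer.
function simulatedRead(payload) {
  const backing = new ArrayBuffer(PAGE);
  const chunk = Buffer.from(backing, 0, payload.length);
  chunk.write(payload, 'latin1');
  return chunk;
}

// Bytes kept alive by a list of chunks; each distinct backing store counts once.
function retainedBytes(chunks) {
  const seen = new Set();
  let total = 0;
  for (const c of chunks) {
    if (!seen.has(c.buffer)) {
      seen.add(c.buffer);
      total += c.buffer.byteLength;
    }
  }
  return total;
}

// Copy into an exact-size allocation; Buffer.alloc() never uses the shared pool.
function compact(chunk) {
  const exact = Buffer.alloc(chunk.length);
  chunk.copy(exact);
  return exact;
}

// Collector that compacts every chunk and enforces a cap on total payload.
class BoundedCollector {
  constructor(maxBytes) { this.maxBytes = maxBytes; this.size = 0; this.chunks = []; }
  push(chunk) {
    if (this.size + chunk.length > this.maxBytes) {
      throw new RangeError('payload exceeds limit');
    }
    this.size += chunk.length;
    this.chunks.push(compact(chunk));
  }
  finish() { return Buffer.concat(this.chunks, this.size); }
}

function demo() {
  // 100 constructed reads of 4 bytes each ("msg0" .. "msg9").
  const reads = Array.from({ length: 100 }, (_, i) => simulatedRead(`msg${i % 10}`));
  const col = new BoundedCollector(1024);
  reads.forEach((r) => col.push(r));
  return { payload: col.size, naive: retainedBytes(reads), compacted: retainedBytes(col.chunks) };
}
```
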
Do not close the request if callback is not a function, and
throw ERR_INVALID_CALLBACK TypeError.
Backport-PR-URL: https://github.com/nodejs/node/pull/19229
PR-URL: https://github.com/nodejs/node/pull/19061
Fixes: https://github.com/nodejs/node/issues/18855
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Shingo Inoue <leko.noor@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
- Moves the creation of `process.binding()`, `process._linkedBinding()`,
`internalBinding()` and `NativeModule` into a separate file
`lib/internal/bootstrap_loaders.js`, and documents them there.
This file will be compiled and run before `bootstrap_node.js`, which
means we now bootstrap the internal module & binding system before
actually bootstrapping Node.js.
- Rename the special ID that can be used to require `NativeModule`
as `internal/bootstrap_loaders` since it is set up there. Also put
`internalBinding` in the object exported by `NativeModule.require`
instead of putting it inside the `NativeModule.wrapper`.
- Use the original `getBinding()` to get the source code of native
modules instead of getting it from `process.binding('native')`
so that users cannot fake native modules by modifying the binding
object.
- Names the bootstrapping functions so their names show up
in the stack trace.
Backport-PR-URL: https://github.com/nodejs/node/pull/19374
PR-URL: https://github.com/nodejs/node/pull/19112
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Anatoli Papirovski <apapirovski@mac.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Gus Caplan <me@gus.host>
Test process.setuid with an object as an argument. An equivalent test
exists for process.seteuid.
PR-URL: https://github.com/nodejs/node/pull/19703
Fixes: https://github.com/nodejs/node/issues/19591
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Use the default assert.strictEqual() message so that unequal values are
shown in the event of an AssertionError.
PR-URL: https://github.com/nodejs/node/pull/19629
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Remove the message argument from call to assert.strictEqual so
that the AssertionError will report the value of er.code, and add
a comment with the message.
PR-URL: https://github.com/nodejs/node/pull/19659
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Tiancheng "Timothy" Gu <timothygu99@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Fixes: https://github.com/nodejs/node/issues/19457
PR-URL: https://github.com/nodejs/node/pull/19502
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Yuta Hiroto <hello@hiroppy.me>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Use `common.mustCall()` to make sure connection callback runs exactly
once.
Use `connect` event instead of `setTimeout` to avoid test failing if
timer runs before client is connected.
Remove `cluster.worker.disconnect()` after `assert.fail()`. It is
unreachable code that is unnecessary.
PR-URL: https://github.com/nodejs/node/pull/19700
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
A Node instance may not know the real host and port the user sees when
the debug frontend connects through an SSH tunnel. This change fixes
the '/json/list' response by using the value the client provided in
the host header.
PR-URL: https://github.com/nodejs/node/pull/19664
Reviewed-By: Tiancheng "Timothy" Gu <timothygu99@gmail.com>
This change removes "new" as a description for `Buffer` construction
methods. They are arguably not "new" anymore and they certainly won't be
"new" anymore at some point.
PR-URL: https://github.com/nodejs/node/pull/19687
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Tiancheng "Timothy" Gu <timothygu99@gmail.com>
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Nikolai Vavilov <vvnicholas@gmail.com>
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
If there is an AssertionError, the string literal is printed and not the
value of `r`. For debugging purposes, it is good to know if `r` is false
or null or something else.
PR-URL: https://github.com/nodejs/node/pull/19707
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
In test-http-expect-continue, verify that the request listener is not
called.
PR-URL: https://github.com/nodejs/node/pull/19669
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
This commit updates test-fs-read-stream to use fs.createReadStream
instead of using fs.ReadStream. All other places in this test use
the former.
PR-URL: https://github.com/nodejs/node/pull/19636
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Weijia Wang <starkwang@126.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Use the `assert.strictEqual()` default message instead of a static
message to include the actual and expected value.
PR-URL: https://github.com/nodejs/node/pull/19660
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Tiancheng "Timothy" Gu <timothygu99@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
- Use `common.mustCall()` and `common.mustNotCall()`.
- Use ternary operator.
PR-URL: https://github.com/nodejs/node/pull/19640
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
The third argument of `assert.throws()` is a message that is used by the
AssertionError, not the message to check in the thrown error. It appears
that there is an assert.throws() in test-http-parser that expects the
latter behavior. Rewrite the call to check the error message. Even if
this wasn't a mistake, this change results in a more robust check.
PR-URL: https://github.com/nodejs/node/pull/19626
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
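
The pitfall described in the commit message above, as an added example that is not the code from test-http-parser: a string passed as the third argument to `assert.throws()` is never compared with the thrown error, so the check passes for any message. The `parseHeader` function and its error strings are constructed for illustration.

```javascript
const nodeAssert = require('assert');

// Hypothetical stand-in for the code under test; always fails with this message.
function parseHeader() {
  throw new TypeError('Parse Error: invalid header');
}

// Returns true when the assertion accepts the thrown error, false otherwise.
function accepts(check) {
  try {
    check();
    return true;
  } catch (e) {
    return false;
  }
}

// Loose form: the string is only the AssertionError text used when nothing is
// thrown. The thrown message is not inspected, so a wrong expectation passes.
function looseWrongMessage() {
  return accepts(() =>
    nodeAssert.throws(parseHeader, TypeError, 'Unexpected token'));
}

// Strict form: the regular expression is matched against the thrown error,
// so the same wrong expectation is rejected.
function strictWrongMessage() {
  return accepts(() =>
    nodeAssert.throws(parseHeader, /^TypeError: Unexpected token$/));
}

// Strict form with a validation object: name and message must both match.
function strictRightMessage() {
  return accepts(() =>
    nodeAssert.throws(parseHeader, {
      name: 'TypeError',
      message: 'Parse Error: invalid header',
    }));
}
```
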
Use common.mustCall() where appropriate. Remove some logic that is not
required when common.mustCall() is used (incrementor/decrementor to make
sure everything is called the same number of times).
PR-URL: https://github.com/nodejs/node/pull/19625
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Whenever we call into an addon, whether it is for a callback, for
module init, or for async work-related reasons, we should make sure
that
* the last error is cleared,
* the scopes before the call are the same as after, and
* if an exception was thrown and captured inside the module, then it is
re-thrown after the call.
Therefore we should call into the module in a unified fashion. This
change introduces the macro NAPI_CALL_INTO_MODULE() which should be
used whenever invoking a callback provided by the module.
Fixes: https://github.com/nodejs/node/issues/19437
PR-URL: https://github.com/nodejs/node/pull/19537
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
According to NIST SP 800 38D, this is the document the link originally
pointed to.
Fixes: https://github.com/nodejs/node/issues/17619
PR-URL: https://github.com/nodejs/node/pull/19593
Reviewed-By: Weijia Wang <starkwang@126.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Bump the version due to additions to the api.
PR-URL: https://github.com/nodejs/node/pull/19497
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
PR-URL: https://github.com/nodejs/node/pull/19461
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Evan Lucas <evanlucas@me.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
... in addition to the event names they currently use.
Currently, various internal streams have different events that
indicate that the underlying resource has successfully been
established. This commit adds ready event for fs and net
sockets to standardize on emitting ready for all of these streams.
PR-URL: https://github.com/nodejs/node/pull/19408
Fixes: https://github.com/nodejs/node/issues/19304
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Correctly check for the presence of the inspector module before adding
it to the builtin libs list.
PR-URL: https://github.com/nodejs/node/pull/19505
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Yuta Hiroto <hello@hiroppy.me>
Reviewed-By: Tiancheng "Timothy" Gu <timothygu99@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
If getTTYfd returns 0, and stdin is not writable (like on Windows),
trying to create WriteStream will fail. This commit fixes that by
skipping fd 0.
PR-URL: https://github.com/nodejs/node/pull/18478
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: James M Snell <jasnell@gmail.com>
Display the constant name instead of a stream error code
in the error message, because the numerical codes give absolutely
no clue about what happened when an error is emitted.
Backport-PR-URL: https://github.com/nodejs/node/pull/19579
PR-URL: https://github.com/nodejs/node/pull/18966
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Minwoo Jung <minwoo@nodesource.com>
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Remove the CNNIC certificates again and remove the whitelist from commit
3beb88071 ("crypto: add cert check to CNNIC Whitelist") from June 2015.
Backport-PR-URL: https://github.com/nodejs/node/pull/19634
PR-URL: https://github.com/nodejs/node/pull/19322
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Removing third argument in calls to assert.strictEqual() so that the
values of the first two arguments are shown instead as this is more
useful for debugging.
Refs: https://nodejs.org/api/assert.html#assert_assert_strictequal_actual_expected_message
PR-URL: https://github.com/nodejs/node/pull/19536
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Default error message contains the actual and expected values,
which is more informative than the custom error message to be deleted.
PR-URL: https://github.com/nodejs/node/pull/19526
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Shingo Inoue <leko.noor@gmail.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/19276
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Yuta Hiroto <hello@hiroppy.me>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>