Skip to content

buffer: throw on new Buffer

Rodrigo Muino Tomonari requested to merge github/fork/sam-github/new-buffer-throws into master

It's been deprecated a long time, time to start throwing. The throw can be reverted via a CLI option, directly or in the NODE_OPTIONS environment variable.

See: https://github.com/nodejs/security-wg/issues/505

Usage of new Buffer is not decreasing in the ecosystem. The run-time deprecation warning appears to have have done all it will do.

This is a WIP to gauge interest,the docs would need more comprehensive updating. @nodejs/security-wg @nodejs/security-wg @nodejs/package-maintenance

If this lands at all, I see it landing in 13.0.0, so it increases the pressure during that non-LTS cycle in a version that the most stable and conservative node users won't be using, this gives some time before 14.x for packages to update. Then perhaps in 15.x we can make reverting it impossible, though throwing an error without CLI intervention is going to make most packages update, I expect (if they are maintained).

I know this isn't how the revert flag is usually used, but it seems an appropriate use to me. Of course, a new CLI flag specific to this use would also be possible.

Other options:

  • Remove the check that prevents the deprecation warning is for dependencies. It made sense to only show the warning to people who wrote the code in question, but showing to everyone will increase the pressure, just as npm's warnings about vulnerabilities in sub-sub-deps causes issues to be opened and users to ask for updates (not always politely, which is unfortunate).
  • Do nothing, its fertile ground for sec researchers.
  • ... I'm not sure, perhaps there is a plan for this already?

Example with and without the revert:

core/node (master *$% u=) % NODE_OPTIONS=--security-reverts=CVE-2018-7166 ./out/Release/node -p 'const Buffer = require("buffer").Buffer; new Buffer(4)'                     
SECURITY WARNING: Reverting CVE-2018-7166: Buffer constructor exposes uninitialized memory                                                                                   
SECURITY WARNING: Reverting CVE-2018-7166: Buffer constructor exposes uninitialized memory                                                                                   
<Buffer 00 00 00 00>
(node:12796) [DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from()
methods instead.

core/node (new-buffer-throws $% u=) % ./out/Release/node -p 'const Buffer = require("buffer").Buffer; new Buffer(4)'                                                         
buffer.js:173
    throw new ERR_BUFFER_NEW_NOT_SUPPORTED();
    ^

Error [ERR_BUFFER_NEW_NOT_SUPPORTED]: Use of new Buffer not supported
    at new Buffer (buffer.js:173:11)
    at [eval]:1:42
    at Script.runInThisContext (vm.js:123:20)
    at Object.runInThisContext (vm.js:313:38)
    at Object.<anonymous> ([eval]-wrapper:9:26)
    at Module._compile (internal/modules/cjs/loader.js:766:30)
    at evalScript (internal/process/execution.js:81:25)
    at internal/main/eval_string.js:20:3
Checklist
  • make -j4 test (UNIX), or vcbuild test (Windows) passes
  • tests and/or benchmarks are included
  • documentation is changed or added
  • commit message follows commit guidelines

Merge request reports