Lets-fix-Buffer-API.md
11 additions & 11 deletions
@@ -27,19 +27,19 @@ _Note that the implications of using `Buffer.allocUnsafe()` and `Buffer.allocUns
27
27
28
28
Note: none of those describes any previously unknown vulnerability in Node.js, this is how the API was designed. The problem is in the fact that it's very easy to use the current API in an unsafe way, and there were various libraries hitting that (and probably many more still are).
29
29
30
-
1.[Node.js Buffer knows everything](./Buffer-knows-everything.md), describing the possible consequences of using uninitialized `Buffer`s.
31
-
2.[Node.js issue #4660](https://github.com/nodejs/node/issues/4660) — Buffer(number) is unsafe.
32
-
3.[Node.js pull #2586](https://github.com/nodejs/node/pull/2586) — buffer: introduce zero-fill option in constructor.
33
-
4.[Node.js pull #2574](https://github.com/nodejs/node/pull/2574) — doc: minor clarification in buffer.markdown.
34
-
5.[Node.js archive pull #9104](https://github.com/nodejs/node-v0.x-archive/pull/9104) — Documentation update about Buffer initialization.
35
-
6.[`ws` release](https://github.com/websockets/ws/releases/tag/1.0.1) fixing it's vulnerability caused by inaccurate `Buffer(number)` usage.
30
+
1.[Node.js Buffer knows everything](./Buffer-knows-everything.md), describing the possible consequences of using uninitialized `Buffer`s.
31
+
2.[Node.js issue #4660](https://github.com/nodejs/node/issues/4660) — Buffer(number) is unsafe.
32
+
3.[Node.js pull #2586](https://github.com/nodejs/node/pull/2586) — buffer: introduce zero-fill option in constructor.
33
+
4.[Node.js pull #2574](https://github.com/nodejs/node/pull/2574) — doc: minor clarification in buffer.markdown.
34
+
5.[Node.js archive pull #9104](https://github.com/nodejs/node-v0.x-archive/pull/9104) — Documentation update about Buffer initialization.
35
+
6.[`ws` release](https://github.com/websockets/ws/releases/tag/1.0.1) fixing it's vulnerability caused by inaccurate `Buffer(number)` usage.
36
36
37
37
*Note: their release note contains severe mistakes, please check [this nodesecurity advisory](https://nodesecurity.io/advisories/67) instead.*
38
-
7.[Node Security Project advisory 67](https://nodesecurity.io/advisories/67) on the above-mentioned `ws` issue.
39
-
8.[Node Security Project advisory 68](https://nodesecurity.io/advisories/68) on the `bittorent-dht` inaccurate `Buffer(number)` usage.
40
-
9. Private discussions.
41
-
10.[Mongoose vulnerability](https://github.com/Automattic/mongoose/issues/3764) — assigning a number to the property that is `Buffer`-typed saves uninitialized memory block to the DB. [POC](https://gist.github.com/ChALkeR/d4a8055625221b6e65f0).
42
-
11.[Node.js pull #4514](https://github.com/nodejs/node/pull/4514) — buffer: throw if both length and enc are passed.
38
+
7.[Node Security Project advisory 67](https://nodesecurity.io/advisories/67) on the above-mentioned `ws` issue.
39
+
8.[Node Security Project advisory 68](https://nodesecurity.io/advisories/68) on the `bittorent-dht` inaccurate `Buffer(number)` usage.
40
+
9. Private discussions.
41
+
10.[Mongoose vulnerability](https://github.com/Automattic/mongoose/issues/3764) — assigning a number to the property that is `Buffer`-typed saves uninitialized memory block to the DB. [POC](https://gist.github.com/ChALkeR/d4a8055625221b6e65f0).
42
+
11.[Node.js pull #4514](https://github.com/nodejs/node/pull/4514) — buffer: throw if both length and enc are passed.
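Review bot: two typos survive on lines this hunk rewrites. Item 6 still reads "fixing it's vulnerability" (should be "its"), and item 8 spells the package `bittorent-dht`, while the npm package is named `bittorrent-dht`. Since all eleven list items are being touched anyway, fix both here. The removed and added lines also read identically as rendered, so the change appears to be whitespace-only; say so in the commit message so readers do not hunt for a content difference in the reference list.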