crypto: protect against string collisions

ChALkeR · ChALkeR · commit 9492d73c1d7a · 2025-10-24T21:37:04.000+04:00
diff --git a/doc/api/errors.md b/doc/api/errors.md
@@ -2929,6 +2929,13 @@ instance.setEncoding('utf8');
 An attempt was made to call [`stream.write()`][] after `stream.end()` has been
 called.
 
+<a id="ERR_STRING_NOT_WELL_FORMED"></a>
+
+### `ERR_STRING_NOT_WELL_FORMED`
+
+Input string was not well-formed Unicode and could not be converted to bytes
+without collisions.
+
 <a id="ERR_STRING_TOO_LONG"></a>
 
 ### `ERR_STRING_TOO_LONG`
diff --git a/lib/internal/crypto/hash.js b/lib/internal/crypto/hash.js
@@ -53,6 +53,7 @@ const {
 const {
   validateEncoding,
   validateString,
+  validateStringWellFormed,
   validateObject,
   validateUint32,
 } = require('internal/validators');
@@ -136,6 +137,7 @@ Hash.prototype.update = function update(data, encoding) {
 
   if (typeof data === 'string') {
     validateEncoding(data, encoding);
+    validateStringWellFormed(data);
   } else if (!isArrayBufferView(data)) {
     throw new ERR_INVALID_ARG_TYPE(
       'data', ['string', 'Buffer', 'TypedArray', 'DataView'], data);
@@ -231,7 +233,9 @@ async function asyncDigest(algorithm, data) {
 
 function hash(algorithm, input, options) {
   validateString(algorithm, 'algorithm');
-  if (typeof input !== 'string' && !isArrayBufferView(input)) {
+  if (typeof input === 'string') {
+    validateStringWellFormed(input);
+  } else if (!isArrayBufferView(input)) {
     throw new ERR_INVALID_ARG_TYPE('input', ['Buffer', 'TypedArray', 'DataView', 'string'], input);
   }
   let outputEncoding;
diff --git a/lib/internal/crypto/sig.js b/lib/internal/crypto/sig.js
@@ -18,6 +18,7 @@ const {
   validateFunction,
   validateEncoding,
   validateString,
+  validateStringWellFormed,
 } = require('internal/validators');
 
 const {
@@ -71,6 +72,7 @@ Sign.prototype._write = function _write(chunk, encoding, callback) {
 Sign.prototype.update = function update(data, encoding) {
   if (typeof data === 'string') {
     validateEncoding(data, encoding);
+    validateStringWellFormed(data);
   } else if (!isArrayBufferView(data)) {
     throw new ERR_INVALID_ARG_TYPE(
       'data', ['string', 'Buffer', 'TypedArray', 'DataView'], data);
diff --git a/lib/internal/crypto/util.js b/lib/internal/crypto/util.js
@@ -67,6 +67,7 @@ const {
   validateArray,
   validateNumber,
   validateString,
+  validateStringWellFormed,
 } = require('internal/validators');
 
 const { Buffer } = require('buffer');
@@ -99,6 +100,7 @@ const kKeyObject = Symbol('kKeyObject');
 // to break them unnecessarily.
 function toBuf(val, encoding) {
   if (typeof val === 'string') {
+    validateStringWellFormed(val);
     if (encoding === 'buffer')
       encoding = 'utf8';
     return Buffer.from(val, encoding);
@@ -147,6 +149,7 @@ const getArrayBufferOrView = hideStackFrames((buffer, name, encoding) => {
   if (isAnyArrayBuffer(buffer))
     return buffer;
   if (typeof buffer === 'string') {
+    validateStringWellFormed(buffer);
     if (encoding === 'buffer')
       encoding = 'utf8';
     return Buffer.from(buffer, encoding);
diff --git a/lib/internal/errors.js b/lib/internal/errors.js
@@ -1776,6 +1776,7 @@ E('ERR_STREAM_UNSHIFT_AFTER_END_EVENT',
   'stream.unshift() after end event', Error);
 E('ERR_STREAM_WRAP', 'Stream has StringDecoder set or is in objectMode', Error);
 E('ERR_STREAM_WRITE_AFTER_END', 'write after end', Error);
+E('ERR_STRING_NOT_WELL_FORMED', 'Invalid non-well formed string input', Error);
 E('ERR_SYNTHETIC', 'JavaScript Callstack', Error);
 E('ERR_SYSTEM_ERROR', 'A system error occurred', SystemError, HideStackFramesError);
 E('ERR_TEST_FAILURE', function(error, failureType) {
diff --git a/lib/internal/validators.js b/lib/internal/validators.js
@@ -16,6 +16,7 @@ const {
   ObjectPrototypeHasOwnProperty,
   RegExpPrototypeExec,
   String,
+  StringPrototypeIsWellFormed,
   StringPrototypeToUpperCase,
   StringPrototypeTrim,
 } = primordials;
@@ -27,6 +28,7 @@ const {
     ERR_INVALID_THIS: { HideStackFramesError: ERR_INVALID_THIS },
     ERR_OUT_OF_RANGE: { HideStackFramesError: ERR_OUT_OF_RANGE },
     ERR_SOCKET_BAD_PORT: { HideStackFramesError: ERR_SOCKET_BAD_PORT },
+    ERR_STRING_NOT_WELL_FORMED: { HideStackFramesError: ERR_STRING_NOT_WELL_FORMED },
     ERR_UNKNOWN_SIGNAL: { HideStackFramesError: ERR_UNKNOWN_SIGNAL },
   },
   hideStackFrames,
@@ -164,6 +166,14 @@ const validateString = hideStackFrames((value, name) => {
     throw new ERR_INVALID_ARG_TYPE(name, 'string', value);
 });
 
+/**
+ * @param {string} data
+ */
+const validateStringWellFormed = hideStackFrames((value) => {
+  if (typeof value === 'string' && StringPrototypeIsWellFormed(value)) return;
+  throw new ERR_STRING_NOT_WELL_FORMED();
+});
+
 /**
  * @callback validateNumber
  * @param {*} value
@@ -643,6 +653,7 @@ module.exports = {
   validatePort,
   validateSignalName,
   validateString,
+  validateStringWellFormed,
   validateUint32,
   validateUndefined,
   validateUnion,
diff --git a/test/parallel/test-crypto-strings.mjs b/test/parallel/test-crypto-strings.mjs
@@ -76,7 +76,7 @@ const signing = [
   { type: 'ed25519', hashes: [null] },
 ];
 
-const expectedError = Error; // TODO
+const expectedError = /ERR_STRING_NOT_WELL_FORMED/;
 
 async function testOneArg(f) {
   assert(f.length === 1 || f.length === 2);
diff --git a/typings/primordials.d.ts b/typings/primordials.d.ts
@@ -409,6 +409,7 @@ declare namespace primordials {
   export const StringPrototypeFontcolor: UncurryThis<typeof String.prototype.fontcolor>
   export const StringPrototypeFontsize: UncurryThis<typeof String.prototype.fontsize>
   export const StringPrototypeFixed: UncurryThis<typeof String.prototype.fixed>
+  export const StringPrototypeIsWellFormed: UncurryThis<typeof String.prototype.isWellFormed>
   export const StringPrototypeIncludes: UncurryThis<typeof String.prototype.includes>
   export const StringPrototypeIndexOf: UncurryThis<typeof String.prototype.indexOf>
   export const StringPrototypeItalics: UncurryThis<typeof String.prototype.italics>
