http: use Buffer.from to avoid Buffer(num) call

This fixes a potential Buffer(num) call when the user passes a number as the 'auth' property. This now throws instead of allocating an unitialized memory Buffer and sending that in the Authorization header. Fixes: https://github.com/nodejs/security/issues/111 PR-URL: https://github.com/nodejs/node-private/pull/83 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
8 years ago · d6969a717f
2 changed files with 14 additions and 1 deletions
--- a/lib/_http_client.js
+++ b/lib/_http_client.js
@ -102,7 +102,7 @@ function ClientRequest(options, cb) {
  if (options.auth && !this.getHeader('Authorization')) {
    //basic auth
    this.setHeader('Authorization', 'Basic ' +
-                   new Buffer(options.auth).toString('base64'));
+                   Buffer.from(options.auth).toString('base64'));
  }

  if (method === 'GET' ||
--- a/test/parallel/test-http-auth-number.js
+++ b/test/parallel/test-http-auth-number.js
@ -0,0 +1,13 @@
+'use strict';
+
+require('../common');
+const http = require('http');
+const url = require('url');
+const assert = require('assert');
+
+const opts = url.parse('http://127.0.0.1:8180');
+opts.auth = 100;
+
+assert.throws(() => {
+  http.get(opts);
+}, /^TypeError: "value" argument must not be a number$/);