This is a security release. All Node.js users should consult the
security release summary at
https://nodejs.org/en/blog/vulnerability/july-2017-security-releases/
for details on patched vulnerabilities.
Notable changes
* **build**:
- Disable V8 snapshots - The hashseed embedded in the snapshot is
currently the same for all runs of the binary. This opens node up to
collision attacks which could result in a Denial of Service. We have
temporarily disabled snapshots until a more robust solution is found
(Ali Ijaz Sheikh)
* **deps**:
- CVE-2017-1000381 - The c-ares function ares_parse_naptr_reply(),
which is used for parsing NAPTR responses, could be triggered to
read memory outside of the given input buffer if the passed in DNS
response packet was crafted in a particular way. This patch checks that
there is enough data for the required elements of an NAPTR record (2
int16, 3 bytes for string lengths) before processing a record. (David
Drysdale)
PR-URL: https://github.com/nodejs/node-private/pull/91
This is a security release. All Node.js users should consult the
security release summary at
https://nodejs.org/en/blog/vulnerability/july-2017-security-releases/
for details on patched vulnerabilities.
* **build**:
- Disable V8 snapshots - The hashseed embedded in the snapshot is
currently the same for all runs of the binary. This opens node up to
collision attacks which could result in a Denial of Service. We have
temporarily disabled snapshots until a more robust solution is found
(Ali Ijaz Sheikh)
* **deps**:
- CVE-2017-1000381 - The c-ares function ares_parse_naptr_reply(),
which is used for parsing NAPTR responses, could be triggered to
read memory outside of the given input buffer if the passed in DNS
response packet was crafted in a particular way. This patch checks that
there is enough data for the required elements of an NAPTR record (2
int16, 3 bytes for string lengths) before processing a record. (David
Drysdale)
PR-URL: https://github.com/nodejs/node-private/pull/92
This is a security release. All Node.js users should consult the
security release summary at:
https://nodejs.org/en/blog/vulnerability/july-2017-security-releases/
for details on patched vulnerabilities.
Notable Changes:
* build:
- Disable V8 snapshots - The hashseed embedded in the snapshot is
currently the same for all runs of the binary. This opens node
up to collision attacks which could result in a Denial of Service.
We have temporarily disabled snapshots until a more robust solution
is found (Ali Ijaz Sheikh)
* deps:
- CVE-2017-1000381 - The c-ares function ares_parse_naptr_reply(),
which is used for parsing NAPTR responses, could be triggered to
read memory outside of the given input buffer if the passed in DNS
response packet was crafted in a particular way. This patch checks
that there is enough data for the required elements of an NAPTR
record (2 int16, 3 bytes for string lengths) before processing a
record. (David Drysdale)
PR-URL: https://github.com/nodejs/node-private/pull/89
This is a security release. All Node.js users should consult the
security release summary at:
https://nodejs.org/en/blog/vulnerability/july-2017-security-releases/
for details on patched vulnerabilities.
Notable Changes:
* build:
- Disable V8 snapshots - The hashseed embedded in the snapshot is
currently the same for all runs of the binary. This opens node
up to collision attacks which could result in a Denial of Service.
We have temporarily disabled snapshots until a more robust solution
is found (Ali Ijaz Sheikh)
* deps:
- CVE-2017-1000381 - The c-ares function ares_parse_naptr_reply(),
which is used for parsing NAPTR responses, could be triggered to
read memory outside of the given input buffer if the passed in DNS
response packet was crafted in a particular way. This patch checks
that there is enough data for the required elements of an NAPTR
record (2 int16, 3 bytes for string lengths) before processing a
record. (David Drysdale)
PR-URL: https://github.com/nodejs/node-private/pull/90
This tests that the hash seed used by V8 for hashing is random.
PR-URL: https://github.com/nodejs/node-private/pull/84
Reviewed-By: bnoordhuis - Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: mhdawson - Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: indutny - Fedor Indutny <fedor.indutny@gmail.com>
Original commit message:
ares_parse_naptr_reply: check sufficient data
Check that there is enough data for the required elements
of an NAPTR record (2 int16, 3 bytes for string lengths)
before processing a record.
This patch fixes CVE-2017-1000381
The c-ares function ares_parse_naptr_reply(), which is used for
parsing NAPTR responses, could be triggered to read memory outside
of the given input buffer if the passed in DNS response packet was
crafted in a particular way.
Refs: https://c-ares.haxx.se/adv_20170620.html
Refs: https://c-ares.haxx.se/CVE-2017-1000381.patch
PR-URL: https://github.com/nodejs/node-private/pull/88
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
If allowHalfOpen is set to false, the stream will automatically end the
writable side when the readable side ends, but not the other way around.
PR-URL: https://github.com/nodejs/node/pull/14127
Fixes: https://github.com/nodejs/node/issues/4044
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
V8 options allow either '_' or '-' to be used in options as a seperator,
such as "--abort-on_uncaught-exception". Allow these case variations
when used with NODE_OPTIONS.
PR-URL: https://github.com/nodejs/node/pull/14093
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Refael Ackermann <refack@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
In anticipation of stricter indentation linting, normalize indentation
of code in parentheses.
PR-URL: https://github.com/nodejs/node/pull/14125
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Reviewed-By: Refael Ackermann <refack@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Linux converts the ipv6 address "::" to "::1", while windows does not.
By explicitly using "::1" in the test we allow it to succeed on windows.
PR-URL: https://github.com/nodejs/node/pull/14111
Reviewed-By: Refael Ackermann <refack@gmail.com>
Reviewed-By: Eugene Ostroukhov <eostroukhov@google.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Kunal Pathak <kunal.pathak@microsoft.com>
Reviewed-By: João Reis <reis@janeasystems.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Wrap expectsError in mustCall to make sure it's really called
as expected.
PR-URL: https://github.com/nodejs/node/pull/14088
Reviewed-By: Refael Ackermann <refack@gmail.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
The lazy loading is not needed as the errors themself lazy
load assert. Therefore the circle is working as intended
even without this lazy loading.
Improve Array, object, ArrayBuffer, Set and Map performance
in all deepEqual checks by removing unecessary code paths and
by moving expensive checks further back.
Improve throws and doesNotThrow performance by removing dead
code and simplifying the overall logic.
PR-URL: https://github.com/nodejs/node/pull/13973
Reviewed-By: Refael Ackermann <refack@gmail.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
* tryStatSync should not return any value
If the function threw, it would never reach that code path.
* only use try catch if necessary
lchmodSync does not need the second try catch in most cases.
PR-URL: https://github.com/nodejs/node/pull/14055
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Refael Ackermann <refack@gmail.com>
Refactors cpplint slightly to allow multiple runs of it. This allows
downstream projects to run cpplint on their dependencies.
PR-URL: https://github.com/nodejs/node/pull/14116
Reviewed-By: Refael Ackermann <refack@gmail.com>
Reviewed-By: Kunal Pathak <kunal.pathak@microsoft.com>
Reviewed-By: João Reis <reis@janeasystems.com>
If the first parameter of `request.end` `data` is specified, it should
be equivalent to calling `request.write(data, encoding)` (not
`response.write(data, encoding)`) followed by `request.end(callback)`.
This mistake was introduced in commit
14b3aab7d289a568e4a9efa6cd07a6ced370e318:
date: 28 November 2015 at 7:30:32 AM GMT+8
author: jpersson <jonathan.persson@creuna.se>
committer: James M Snell <jasnell@gmail.com>
summary: doc: add links and backticks around names
PR-URL: https://github.com/nodejs/node/pull/14126
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: David Cai <davidcai1993@yahoo.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Instead of generating string concatenation, generate a template literal.
This is mostly useful as a pre-emptive measure for avoiding problems
when (if?) we enable the prefer-template lint rule in the test
directory.
PR-URL: https://github.com/nodejs/node/pull/14094
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
In anticipation of stricter linting for indentation, remove instances of
extra indentation that will be flagged by the new rules.
PR-URL: https://github.com/nodejs/node/pull/14090
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
This can be useful for tracing map creation.
PR-URL: https://github.com/nodejs/node/pull/14018
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Refael Ackermann <refack@gmail.com>
46d7cb88c7 introduced an error in a
comment in `.eslintrc.yaml`. The second option needs to be an integer
specifying the number of spaces per level of indentation.
PR-URL: https://github.com/nodejs/node/pull/14108
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Refael Ackermann <refack@gmail.com>
Reviewed-By: Alexey Orlenko <eaglexrlnk@gmail.com>
In anticipation of stricter linting for indentation issues, modify
ternary operators in lib that do not conform with the expected ESLint
settings.
PR-URL: https://github.com/nodejs/node/pull/14078
Reviewed-By: Refael Ackermann <refack@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Currently the following warning is issued when buildning:
Building addon
/work/nodejs/node/test/addons-napi/test_general/
CC(target) Debug/obj.target/test_general/test_general.o
../test_general.c:116:14: warning: variable 'result' is used
uninitialized whenever 'if' condition is false
[-Wsometimes-uninitialized]
} else if (argument_type == napi_null) {
^~~~~~~~~~~~~~~~~~~~~~~~~~
../test_general.c:119:10: note: uninitialized use occurs here
return result;
^~~~~~
../test_general.c:116:10: note: remove the 'if' if its condition is
always true
} else if (argument_type == napi_null) {
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../test_general.c:101:20: note: initialize the variable 'result' to
silence this warning
napi_value result;
^
= NULL
This commit simply initializes result to NULL to avoid this warning.
PR-URL: https://github.com/nodejs/node/pull/14104
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
If the buffer or array is too large to completion, make a dummy smallest
substitute object for it and emit a warning.
PR-URL: https://github.com/nodejs/node/pull/13817
Fixes: https://github.com/nodejs/node/issues/3136
Reviewed-By: Timothy Gu <timothygu99@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Alexey Orlenko <eaglexrlnk@gmail.com>
In preparation for stricter indentation linting, remove the
align-multiline-assignment custom rule, as it may conflict with the
ESLint stricter indentation linting.
PR-URL: https://github.com/nodejs/node/pull/14079
Reviewed-By: Refael Ackermann <refack@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Using asyncId as the default triggerAsyncId is wrong. The triggerAsyncId
can actually never be the asyncId.
PR-URL: https://github.com/nodejs/node/pull/14050
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Timers and nextTick have special emitBefore and emitAfter functions for
historic reasons. These function are not needed any more, thus the
public emitBefore and emitAfter function can be used.
PR-URL: https://github.com/nodejs/node/pull/14050
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Its important for post-mortem diagnostics and should be more prominently
documented.
PR-URL: https://github.com/nodejs/node/pull/13931
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Refael Ackermann <refack@gmail.com>
Reviewed-By: Julien Gilli <jgilli@nodejs.org>
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
V8 caches and does not subsequently release `ObjectTemplate` instances.
Thus, we need to store the `ObjectTemplate` from which we derive object
instances we use for `napi_wrap()` and function/accessor context in a
persistent in the `napi_env`.
https://github.com/nodejs/node-addon-api/pull/70#discussion_r124998408
PR-URL: https://github.com/nodejs/node/pull/13999
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.co>
Reviewed-By: Hitesh Kanwathirtha <digitalinfinity@gmail.com>
Currently this test fail when configured --without-inspector or
--without-ssl as it is expected to fail but the skipIfInspectorDisabled
check will exit as if the test was sucessful.
This commit checks if inspector support is available and fails the test
allowing the test to be skipped.
PR-URL: https://github.com/nodejs/node/pull/14074
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Refael Ackermann <refack@gmail.com>
* Fix AsyncHooksGetTriggerAsyncId such it corresponds to
async_hooks.triggerAsyncId and not async_hooks.initTriggerId.
* Use an async_context struct instead of two async_uid values.
This change was necessary since the fixing
AsyncHooksGetTriggerAsyncId otherwise makes it impossible to
get the correct default trigger id. It also prevents an invalid
triggerAsyncId in MakeCallback.
* Rename async_uid to async_id for consistency
* Rename get_uid to get_async_id
* Add get_trigger_async_id to AsyncResource class
PR-URL: https://github.com/nodejs/node/pull/14040
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
We had some, but not complete coverage indirectly through
other tests. Add test to validate it specifically and
covers cases that were not being covered.
PR-URL: https://github.com/nodejs/node/pull/13990
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Allow --abort-on-uncaught-exception in NODE_OPTIONS, its useful to
enable for post-mortem debugging.
PR-URL: https://github.com/nodejs/node/pull/13932
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Documentation, error message, and code now use the same argument name.
PR-URL: https://github.com/nodejs/node/pull/14031
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Not an actual bug, as far as I can tell, the compiler is simply not
smart enough to figure out that the offending code path isn't reached
with an uninitialized value.
PR-URL: https://github.com/nodejs/node/pull/14053
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Fixes the following deprecation warning:
../src/node_api.cc:2020:30: warning: 'bool
v8::Object::SetPrototype(v8::Local<v8::Value>)' is deprecated: Use
maybe version [-Wdeprecated-declarations]
wrapper->SetPrototype(proto);
../src/node_api.cc:2021:28: warning: 'bool
v8::Object::SetPrototype(v8::Local<v8::Value>)' is deprecated: Use
maybe version [-Wdeprecated-declarations]
obj->SetPrototype(wrapper);
PR-URL: https://github.com/nodejs/node/pull/14053
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
In the case where triggerAsyncId is null it should default to the
current executionAsyncId. This worked but as a side-effect the resource
object was changed too.
This fix also makes the null check more strict. EmitInitS is not a
documented API, thus there is no reason to be flexible in its input.
Ref: https://github.com/nodejs/node/issues/13548#issuecomment-310985270
PR-URL: https://github.com/nodejs/node/pull/14026
Reviewed-By: Refael Ackermann <refack@gmail.com>
If the .listen() hasn't been called on the server, there is no handle
object. In this case use null as the triggerAsyncId.
Fixes: https://github.com/nodejs/node/issues/13548
PR-URL: https://github.com/nodejs/node/pull/13938
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Refael Ackermann <refack@gmail.com>
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
Reviewed-By: Andreas Madsen <amwebdk@gmail.com>
Currently most of the event tests only test a single event type,
which might let those benchmark take fast-paths (in V8) that aren't
taken in realistic use cases, and thus the benchmarks are not good
proxies of real world uses.
PR-URL: https://github.com/nodejs/node/pull/14052
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Timothy Gu <timothygu99@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Evan Lucas
Myles Borins
Ali Ijaz Sheikh
David Drysdale
Rich Trott
Sam Roberts
Jimmy Thomson
Dean Coakley
Ruben Bridgewater
Refael Ackermann
Kyle Farnung
Moogen Tian
XadillaX
starkwang
Jan Krems
Daniel Bevenius
Andreas Madsen
cjihrig
Gabriel Schulhof
Timothy Gu
Michael Dawson
Eduardo Leggiero
Ben Noordhuis
Matt Sergeant
Benedikt Meurer