This fixes a potential Buffer(num) call when the user passes a number
as the 'auth' property.
This now throws instead of allocating an unitialized memory Buffer and
sending that in the Authorization header.
Fixes: https://github.com/nodejs/security/issues/111
PR-URL: https://github.com/nodejs/node-private/pull/83
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
This partually reverts commit 4cdb0e89d8.
A nullptr check in TSLWrap::IsAlive() and the added test were left.
PR-URL: https://github.com/nodejs/node/pull/11947
Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
TLSWrap object keeps a pointer reference to the underlying
TCPWrap object. This TCPWrap object could be closed and deleted
by the event-loop which leaves us with a dangling pointer.
So the TLSWrap object needs to track the "close" event on the
TCPWrap object.
PR-URL: https://github.com/nodejs/node/pull/11776
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Brian White <mscdex@mscdex.net>
Code was calculating $PREFIX/lib/node relative to process.execPath, but
on Windows process.execPath is $PREFIX\node.exe whereas everywhere else
process.execPath is $PREFIX/bin/node (where $PREFIX is the root of the
installed Node.js).
PR-URL: https://github.com/nodejs/node/pull/9283
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
Reviewed-By: João Reis <reis@janeasystems.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Removes branch that would make TLSSocket emit '_tlsError' event if
error occured on handshake and control was not released, as it was
never happening. Added test for tls.Server to ensure it still emits
'tlsClientError' as expected.
Note that 'tlsClientError' does not exist in the v4.x branch so this
back-port emits 'clientError' instead. See also pull request #4557.
Fixes: https://github.com/nodejs/node/issues/8803
PR-URL: https://github.com/nodejs/node/pull/8805
Refs: https://github.com/nodejs/node/pull/4557
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Fedor Indutny <fedor@indutny.com>
`request.abort()` did not destroy the socket if it was called
before a socket was assigned to the request and the request
did not use an `Agent` or a Unix Domain Socket was used.
Fixes: https://github.com/nodejs/node/issues/10812
PR-URL: https://github.com/nodejs/node/pull/10818
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
This commit adds a guard against an out of bounds access of
arguments, and replaces another use of arguments with a named
function parameter.
Refs: https://github.com/nodejs/node/issues/10323
Because any call to util.inspect() with an object results in
inspectPromise() being called, Debug was being initialized even when
it's not needed. Instead, the initialization is placed after the
isPromise check.
PR-URL: https://github.com/nodejs/node/pull/8452
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: Evan Lucas <evanlucas@me.com>
As per ESLint documentation,
http://eslint.org/docs/user-guide/configuring#configuration-file-formats
the file format .eslintrc is deprecated. This patch just renames the
files to .yaml and the structure is already in yaml format.
PR-URL: https://github.com/nodejs/node/pull/7699
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
Reviewed-By: Prince John Wesley <princejohnwesley@gmail.com>
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
Reviewed-By: Rich Trott <rtrott@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/10895
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Michal Zasso <targos@protonmail.com>
Reviewed-By: Evan Lucas <evanlucas@me.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
The freelist_max_len member of SSL* (and the freelist itself) has been
removed in OpenSSL 1.1.0. Thus this change will be necessary at some
point but, for now, it makes it a little easier to build with 1.1.0
without breaking anything for previous versions of OpenSSL.
PR-URL: https://github.com/nodejs/node/pull/10859
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
Remove the dependency on the arguments.length.
PR-URL: https://github.com/nodejs/node/pull/4740
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
When emitting a 'connection' event on a httpServer, the function
connectionListener is called. Then, a new parser is created, and
'consume' method is called on the socket's externalStream. However,
if this stream was already consumed and unconsumed, the process
crashes with a cpp assert from the 'Consume' method in stream_base.h.
This commit makes sure that no SIGABRT will be raised and the process
will stay alive (after emitting the socket).
PR-URL: https://github.com/nodejs/node/pull/11015
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
This commit replaces an empty if-else-if with a single if
condition.
PR-URL: https://github.com/nodejs/node/pull/11427
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Santiago Gimeno <santiago.gimeno@gmail.com>
* Prefer === to == where possible
* Remove condition that will always be false
* Prefer for-loop statements to forEach where possible for perfomance reasons
PR-URL: https://github.com/nodejs/node/pull/11366
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Brian White <mscdex@mscdex.net>
`TLSSocket` should not have a hard dependency on `tls.Server`, since it
may be running without it in cases like `STARTTLS`.
Fix: #10704
PR-URL: https://github.com/nodejs/node/pull/10706
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
* Remove comment referring to the CommonJS Unit Testing 1.0 spec. This
module is no longer intended to comply with that spec.
* Remove puzzling "THIS IS NOT TESTED NOR LIKELY TO WORK OUTSIDE V8!"
comment. No doubt, it made sense at one time.
* Favor `===` over `==` in two places.
PR-URL: https://github.com/nodejs/node/pull/11511
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
* Change === to == in one place
* Add explanation about another non-strict if-statement
PR-URL: https://github.com/nodejs/node/pull/11513
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Remove the numbers from the comments to make it clear that
assert does not follow the
[CJS spec](http://wiki.commonjs.org/wiki/Unit_Testing/1.0).
Additionally, clean up the existing comments for consistent
formatting/language and ease of reading.
PR-URL: https://github.com/nodejs/node/pull/10579
Fixes: https://github.com/nodejs/node/issues/9063
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
We were transporting the heap statistics as uint32 values to JS land but
those wrap around for values > 4 GB. Use 64 bits floats instead, those
should last us a while.
Fixes: https://github.com/nodejs/node/issues/10185
PR-URL: https://github.com/nodejs/node/pull/10186
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Evan Lucas <evanlucas@me.com>
Unsanitized paths containing line feed characters can be used for
header injection and request splitting so reject them with an exception.
There seems to be no reasonable use case for allowing control characters
(characters <= 31) while there are several scenarios where they can be
used to exploit software bugs so reject control characters altogether.
PR-URL: https://github.com/nodejs/node/pull/8923
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Evan Lucas <evanlucas@me.com>
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: not-an-aardvark <not-an-aardvark@users.noreply.github.com>
We have a tacit rule that for multiline statements, the operator should
be placed before the linebreak. This commit commit fixes the few
violations of this rule in the code base.
This allows us to enable the corresponding ESLint rule.
PR-URL: https://github.com/nodejs/node/pull/10178
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Roman Reiss <me@silverwind.io>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Teddy Katz <teddy.katz@gmail.com>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
cherry-pick c26b9af1e2 from v6-staging.
`convertNPNProtocols` and `convertALPNProtocols' uses the `protocols`
buffer object as it is, and if it is modified outside of core, it
might have an impact. This patch makes a copy of the buffer object,
before using it.
PR-URL: https://github.com/nodejs/node/pull/8055
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
cherry-pick 802a2e79e1 from v6-staging.
ALPN is added to tls according to RFC7301, which supersedes NPN.
When the server receives both NPN and ALPN extensions from the client,
ALPN takes precedence over NPN and the server does not send NPN
extension to the client. alpnProtocol in TLSSocket always returns
false when no selected protocol exists by ALPN.
In https server, http/1.1 token is always set when no
options.ALPNProtocols exists.
PR-URL: https://github.com/nodejs/node/pull/2564
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
This uses libuv's mkdtemp function to provide a way to create a
temporary folder, using a prefix as the path. The prefix is appended
six random characters. The callback function will receive the name
of the folder that was created.
Usage example:
fs.mkdtemp('/tmp/foo-', function(err, folder) {
console.log(folder);
// Prints: /tmp/foo-Tedi42
});
The fs.mkdtempSync version is also provided. Usage example:
console.log(fs.mkdtemp('/tmp/foo-'));
// Prints: tmp/foo-Tedi42
This pull request also includes the relevant documentation changes
and tests.
PR-URL: https://github.com/nodejs/node/pull/5333
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
This commit adds a shell option, to spawn() and spawnSync(). This
option allows child processes to be spawned with or without a
shell. The option also allows a custom shell to be defined, for
compatibility with exec()'s shell option.
Fixes: https://github.com/nodejs/node/issues/1009
PR-URL: https://github.com/nodejs/node/pull/4598
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: James M Snell <jasnell@gmail.com>
Provide means to inspect information about the separate heap spaces
via a callable API. This is helpful to analyze memory issues.
Fixes: https://github.com/nodejs/node/issues/2079
PR-URL: https://github.com/nodejs/node/pull/4463
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: James M Snell <jasnell@gmail.com>
In most cases, named functions match the variable or property to which
they are being assigned. That also seems to be the practice in a series
of PRs currently being evaluated that name currently-anonymous
functions.
This change applies that rule to instances in the code base that don't
comply with that practice.
This will be enforceable with a lint rule once we upgrade to ESLint
3.8.0.
PR-URL: https://github.com/nodejs/node/pull/9113
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
* `==` -> `===`
* use white space in array to improve readability
PR-URL: https://github.com/nodejs/node/pull/9860
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
The typed array's underlying ArrayBuffer is used in `Buffer.from`.
Let's respect it's .byteOffset or .byteLength (i.e. position within the
parent ArrayBuffer).
Fixes: https://github.com/nodejs/node/issues/8001
PR-URL: https://github.com/nodejs/node/pull/8002
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Prince John Wesley <princejohnwesley@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
The createInternalRepl() module accepts an options object as an
argument. However, if one is provided, it overrides all of the
default options. This commit applies the options object to the
defaults, only changing the values that are explicitly set.
PR-URL: https://github.com/nodejs/node/pull/7826
Reviewed-By: James M Snell <jasnell@gmail.com>
The `.` character does not need to be escaped when it appears inside a
regular expression character class. This removes instances of
unnecessary escapes of the `.` character.
This also removes a few unnecessary escapes of the `(` and `)`
characters within character classes too.
PR-URL: https://github.com/nodejs/node/pull/9449
Reviewed-By: Roman Reiss <me@silverwind.io>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Minwoo Jung <jmwsoft@gmail.com>
Reviewed-By: James Snell <jasnell@gmail.com>
* remove unnecessary backslash (`\`) escaping in regular expressions
* favor `===` over `==`
* multiline arrays indentation consistent with other indentation
PR-URL: https://github.com/nodejs/node/pull/9374
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Roman Reiss <me@silverwind.io>
`/bin/sh -c` trick wasn't working for several reasons:
* `/bin/sh -c "..."` expects the first argument after `"..."` to be a
`$0`, not a `$1`. Previously `-n` wasn't passed to `nm` because of
this, and many symbols were ordered improperly
* `c++filt` was applied not only to the names of the functions but to
their `nm` prefixes like `t` and `a` (`t xxx` turns into
`unsigned char xxx`).
Instead of applying `c++filt` wide and using `sh -c`, execute `nm` as
requested by `deps/v8/tools/tickprocessor.js` and apply `c++filt` to all
matching entries manually.
Included test demonstrates where previous approach failed: all builtins
were merged into `v8::internal::Builtins::~Builtins`, because they were
prefixed by `t` in `nm` output.
PR-URL: https://github.com/nodejs/node/pull/8480
Reviewed-By: Matthew Loring <mattloring@google.com>
When removing a `once` listener, the listener being passed to
the `removeListener` callback is the wrapper. This unwraps the
listener so that `removeListener` is passed the actual listener.
PR-URL: https://github.com/nodejs/node/pull/6394
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
This commit changes string manipulation in favor of template
literals in the `util` module.
PR-URL: https://github.com/nodejs/node/pull/9120
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/8609
Reviewed-By: Brian White <mscdex@mscdex.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
`--debug=1.2.3.4:5678` and `--debug=example.com:5678` are now accepted,
likewise the `--debug-brk` and `--debug-port` switch. The latter is
now something of a misnomer but it's undocumented and for internal use
only so it shouldn't matter too much.
`--inspect=1.2.3.4:5678` and `--inspect=example.com:5678` are also
accepted but don't use the host name yet; they still bind to the
default address.
Fixes: https://github.com/nodejs/node/issues/3306
PR-URL: https://github.com/nodejs/node/pull/3316
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/8863
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
If calling `https.request()` with `options.headers.host` defined
and `options.servername` undefined, `https.Agent.createSocket` mutates
connection `options` after `https.Agent.addRequest` has created empty
socket pool array with mismatching connection name. This results in two
socket pool arrays being created and only the last one gets eventually
deleted by `removeSocket` - causing a memory leak.
This commit fixes the leak by making sure that `addRequest` does the
same modifications to `options` object as the `createSocket`.
`createSocket` is intentionally left unmodified to prevent userland
regressions.
Test case included.
PR-URL: https://github.com/nodejs/node/pull/8647
Fixes: https://github.com/nodejs/node/issues/6687
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Jackson Tian <shvyo1987@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Writing data to TLSWrap instance during handshake will result in it
being queued in `write_item_queue_`. This queue won't get cleared up
until the end of the handshake.
Technically, it gets cleared on `~TLSWrap` invocation, however this
won't ever happen because every `WriteWrap` holds a reference to the
`TLSWrap` through JS object, meaning that they are doomed to be alive
for eternity.
To breach this dreadful contract a knight shall embark from the
`close` function to kill the dragon of memory leak with his magic
spear of `destroySSL`.
`destroySSL` cleans up `write_item_queue_` and frees `SSL` structure,
both are good for memory usage.
PR-URL: https://github.com/nodejs/node/pull/9586
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Сковорода Никита Андреевич
Trevor Norris
jBarz
Richard Lau
Mariusz 'koder' Chwalba
Luigi Pinca
Vse Mozhet Byt
Bryan English
Sakthipriyan Vairamani
Brian White
Adam Langley
Jackson Tian
Umair Ishaq
Roee Kasher
Rich Trott
cjihrig
Arseniy Maximov
Fedor Indutny
Dmitry Tsvettsikh
Kai Cataldo
Ben Noordhuis
Michaël Zasso
Lance Ball
Shigeki Ohtsu
Florian MARGAINE
Ben Ripkens
Jeremiah Senkpiel
Feross Aboukhadijeh
DavidCai
Alejandro Oviedo Garcia
Adri Van Houdt
Matteo Collina
Wyatt Preul
Ilkka Myller
Italo A. Casas