Unsanitized paths containing line feed characters can be used for
header injection and request splitting so reject them with an exception.
There seems to be no reasonable use case for allowing control characters
(characters <= 31) while there are several scenarios where they can be
used to exploit software bugs so reject control characters altogether.
PR-URL: https://github.com/nodejs/node/pull/8923
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Evan Lucas <evanlucas@me.com>
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: not-an-aardvark <not-an-aardvark@users.noreply.github.com>
test-buffer-creation-regression is flaky on some SmartOS hosts in CI,
timing out. Move to sequential so it does not compete with other tests
for resources. Reduce three test cases to just the one needed to
identify the regression.
PR-URL: https://github.com/nodejs/node/pull/10161
Reviewed-By: Santiago Gimeno <santiago.gimeno@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Italo A. Casas <me@italoacasas.com>
Backport-Of: https://github.com/nodejs/node/pull/10161
PR-URL: https://github.com/nodejs/node/pull/11176
Reviewed-By: James M Snell <jasnell@gmail.com>
As per ecma-262 2015's #sec-%typedarray%-buffer-byteoffset-length,
`offset` would be an integer, not a 32 bit unsigned integer. Also,
`length` would be an integer with the maximum value of 2^53 - 1, not a
32 bit unsigned integer.
This would be a problem because, if we create a buffer from an
arraybuffer, from an offset which is greater than 2^32, it would be
actually pointing to a different location in arraybuffer. For example,
if we use 2^40 as offset, then the actual value used will be 0,
because `byteOffset >>>= 0` will convert `byteOffset` to a 32 bit
unsigned int, which is based on 2^32 modulo.
This is a redo, as the ca37fa527f broke
CI.
Refer: https://github.com/nodejs/node/pull/9814
Refer: https://github.com/nodejs/node/pull/9492
PR-URL: https://github.com/nodejs/node/pull/9815
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Backport-Of: https://github.com/nodejs/node/pull/9815
PR-URL: https://github.com/nodejs/node/pull/11176
Reviewed-By: James M Snell <jasnell@gmail.com>
Remove the new method that was introduced in the back-port of
v8/v8@306c412c ("[api] Expose FunctionCallbackInfo::NewTarget")
so that the meat of the patch can land in a patch release.
This commit can be reverted again in the next minor release.
Fixes: https://github.com/nodejs/node/issues/9288
PR-URL: https://github.com/nodejs/node/pull/9293
Reviewed-By: Ali Ijaz Sheikh <ofrobots@google.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Original commit message:
When instantiating a subclassed API function, the instance cache
is avoided. There is currently no direct API yet to instantiate
a Template while passing in a new.target. It probably makes sense
to extend ObjectTemplate::NewInstance to accept a new.target, in
line with Reflect.construct.
BUG=v8:3330, v8:5001
Review-Url: https://codereview.chromium.org/1972613002
Cr-Commit-Position: refs/heads/master@{#36179}
Fixes: https://github.com/nodejs/node/issues/9288
PR-URL: https://github.com/nodejs/node/pull/9293
Reviewed-By: Ali Ijaz Sheikh <ofrobots@google.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
The patch has been modified to maintain ABI compatibility. The original
change removes the v8::FunctionCallbackInfo<T>::is_construct_call_ field
from deps/v8/include/v8.h. The field is set directly by JIT-ted code so
the removal of those code paths has been backed out as well.
Original commit message:
[api] Expose FunctionCallbackInfo::NewTarget
This is needed by Blink to implement the Custom Elements spec.
BUG=v8:4261
LOG=y
Review-Url: https://codereview.chromium.org/1910253005
Cr-Commit-Position: refs/heads/master@{#35833}
Fixes: https://github.com/nodejs/node/issues/9288
PR-URL: https://github.com/nodejs/node/pull/9293
Reviewed-By: Ali Ijaz Sheikh <ofrobots@google.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Don't try to optimize known-unoptimizable functions when --always-opt
is specified on the command line, it makes Crankshaft emit wrong code.
This was fixed upstream when improved WASM support was introduced but
that specific change can't be back-ported because it depends on prior
work that doesn't exist in V8 5.1. Ergo, I decided to redo the fix
from scratch.
PR-URL: https://github.com/nodejs/node/pull/9293
Reviewed-By: Ali Ijaz Sheikh <ofrobots@google.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
This makes it easier to see what header has an invalid value.
PR-URL: #9195
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: Brian White <mscdex@mscdex.net>
The `hints` value will be a number. To specify more than one hints,
their corresponding bits have to be set. So bitwise OR should be used
instead of logical OR.
PR-URL: https://github.com/nodejs/node/pull/11037
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Timothy Gu <timothygu99@gmail.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
`killSignal` option accepts the signal name or signal number as well.
PR-URL: https://github.com/nodejs/node/pull/10424
Reviewed-By: Julian Duque <julianduquej@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
https://github.com/nodejs/node/pull/11086 had introduced a regression
that broke command line options processing for tools/test.py.
Basically, it made tools/test.py discard the command line argument that
would be passed after `--abort-on-timeout`. For instance, when running:
```
$ python tools/test.py --abort-on-timeout path/to/some-test
```
all tests would be run because the last command line argument
(`/path/to/some-test`) would be discarded.
This change fixes this regression.
Refs: https://github.com/nodejs/node/pull/11086
PR-URL: https://github.com/nodejs/node/pull/11153
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Currently, when a process times out, it is terminated by sending it the
SIGTERM signal. Sending SIGBART instead allows the operating system to
generate a core file that can be investigated later using post-mortem
debuggers such as llnode or mdb_v8.
This can be very useful when investigating flaky tests that time out,
since in that case the failure is difficult to reproduce, and being able
to look at a core file makes a big difference.
With these changes, passing the --abort-on-timeout command line option
to tools/test.py now sends SIGABRT to processes timing out on all
platforms but Windows.
PR-URL: https://github.com/nodejs/node/pull/11086
Ref: https://github.com/nodejs/node/issues/11026
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: Santiago Gimeno <santiago.gimeno@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Corrected parameter for running tests on Windows. Without the corrected
parameters, Windows users encounter an error about failing to sign the
build, "Failed to sign exe", which can be discouraging to new Windows
community members.
PR-URL: https://github.com/nodejs/node/pull/10686
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Bartosz Sosnowski <bartosz@janeasystems.com>
As it is, each line in the deprecation heading which are wrapped at 80
characters in the *.md files, are shown in different lines. For example
> Stability: 0 - Deprecated: Use
> `Buffer.from(arrayBuffer[, byteOffset [, length]])`
> instead.
is shown in three different lines. This patch replaces the newlines
with space characters, so that the output will be in single line.
PR-URL: https://github.com/nodejs/node/pull/11074
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Timothy Gu <timothygu99@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Somehow things got out of sync.
PR-URL: https://github.com/nodejs/node/pull/11090
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
Orignial commit message:
Abort in delete operators that shouldn't be called.
Section 3.2 of the C++ standard states that destructor
definitions implicitly "use" operator delete functions.
Therefore, these operator delete functions must be
defined even if they are never called by user code
explicitly.
http://www.open-std.org/JTC1/SC22/WG21/docs/
cwg_defects.html#261
gcc allows them to remain as empty definitions. However,
not all compilers allow this. (e.g. xlc on zOS). This pull
request creates definitions which if ever called, result
in an abort.
R=danno@chromium.org,jochen@chromium.org
BUG=
LOG=N
Review-Url: https://codereview.chromium.org/2588433002
Cr-Commit-Position: refs/heads/master@{#41981}
PR-URL: https://github.com/nodejs/node/pull/10546
Reviewed-By: James M Snell <jasnell@gmail.com>
In closed environments, self-signed or privately signed certificates are
commonly used, and rejected by Node.js since their root CAs are not
well-known. Allow extending the set of well-known compiled-in CAs via
environment, so they can be set as a matter of policy.
PR-URL: https://github.com/nodejs/node/pull/9139
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
__dirname is path.dirname(__filename), but its docs, specifically the
attempt to describe javascript scope in terms of "running" and
"executing" had drifted apart. Rework to describe one as a variation of
the other, move the example, and just describe the names in terms of the
module, and it's local variables rather than the ill defined execution
concepts.
Fix: https://github.com/nodejs/node/issues/5525
PR-URL: https://github.com/nodejs/node/pull/10527
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
This checks to see that clearBuffer appropriately decrements the
correct values in _writableState when clearBuffer is invoked in
end.
Fixes: https://github.com/nodejs/node/issues/8687
PR-URL: https://github.com/nodejs/node/pull/9922
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Italo A. Casas <me@italoacasas.com>
- Remove assignment of this to variable.
- Add common.mustCall() as needed.
- Move from var to const.
PR-URL: https://github.com/nodejs/node/pull/10547
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
This commit removes assignments of this to a variable in the
tests.
PR-URL: https://github.com/nodejs/node/pull/10548
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
* use const instead of var
* use common.mustCall to control functions execution
* use assert.strictEqual instead of assert.equal
* use arrow functions
PR-URL: https://github.com/nodejs/node/pull/10503
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Italo A. Casas <me@italoacasas.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Prince John Wesley <princejohnwesley@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
child_process.exec*() and child_process.spawn*() (if options.shell is
true) allow trivial arbitrary command execution if code passes
unsanitised user input to it. Add warnings in the docs to make that
clear.
PR-URL: https://github.com/nodejs/node/pull/10466
Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
* use const instead of var
* use common.mustCall to control functions execution
* use assert.strictEqual instead of assert.equal
* use arrow functions
PR-URL: https://github.com/nodejs/node/pull/10479
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Italo A. Casas <me@italoacasas.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Brian White <mscdex@mscdex.net>
Collaborators have elevated privileges. The CTC now requires
Collaborator accounts to have two-factor authentication. This changes
wording in the onboarding documentation to make it clear that two-factor
authentication is required and not merely recommended.
PR-URL: https://github.com/nodejs/node/pull/10529
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Evan Lucas <evanlucas@me.com>
Reviewed-By: Ali Ijaz Sheikh <ofrobots@google.com>
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
* replace `process.on('exit', ...)` checks with `common.mustCall()`
* assert.equal() -> assert.strictEqual()
* provide duration of 1ms to timer without a duration
* remove unused function argument
PR-URL: https://github.com/nodejs/node/pull/10483
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Italo A. Casas <me@italoacasas.com>
PR-URL: https://github.com/nodejs/node/pull/10478
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Italo A. Casas <me@italoacasas.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
To ease the use of the AIX binaries, add
/opt/freeware/lib/pthread{/ppc64} into the search path encoded into the
library, so that any version the user has installed from the common
download locations will work out of the box without having to explicitly
set LIBPATH in their environment.
PR-URL: https://github.com/nodejs/node/pull/10128
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: James M Snell <jasnell@gmail.com>
- Change var to const
- Remove dependency crypto
PR-URL: https://github.com/nodejs/node/pull/10033
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/10245
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Current comment described what to do with it when the ABI changes, but
implied that Node.js would load modules with newer ABI numbers, which it
will not.
PR-URL: https://github.com/nodejs/node/pull/10414
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
Reviewed-By: Italo A. Casas <me@italoacasas.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Santiago Gimeno <santiago.gimeno@gmail.com>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
* use const instead of var
* use assert.strictEqual instead assert.equal
PR-URL https://github.com/nodejs/node/pull/10428
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Remove `setTimeout()` in test and instead rely on `common.mustCall()` on
a `timeout` event handler.
The test was flaky on CI. The flakiness was replicable by running the
test under load. This version, in contrast, is robust under load.
Took the opportunity to do some `var` -> `const` while refactoring.
PR-URL: https://github.com/nodejs/node/pull/10404
Reviewed-By: Santiago Gimeno <santiago.gimeno@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Italo A. Casas <me@italoacasas.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
* use let and const instead of var
* use assert.strictEqual instead assert.equal
PR-URL: https://github.com/nodejs/node/pull/10396
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Italo A. Casas <me@italoacasas.com>
Reviewed-By: Santiago Gimeno <santiago.gimeno@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Change a single word in documentation with a more precise one.
Native is a module compiled in machine "native" code.
A module normally written in a compiled language, not in JavaScript.
Core modules form Node's built-in "core" functionalities.
You don't need to install them. They are included in every Node installation
and documented in https://nodejs.org/api/ .
PR-URL: https://github.com/nodejs/node/pull/10324
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Italo A. Casas <me@italoacasas.com>
Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Previously, autocompletion of scoped packages was not supported by the
repl due to not including the `@` character in the regular expression.
PR-URL: https://github.com/nodejs/node/pull/10296
Reviewed-By: Prince John Wesley <princejohnwesley@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
Adds flags that marks WinCtrlCHandlerRoutine as disabled instead of
removing it. Trying to remove the controller from the controller
handle itself leads to deadlock.
PR-URL: https://github.com/nodejs/node/pull/10248
Reviewed-By: Anna Henningsen <anna@addaleax.net>