-
Notifications
You must be signed in to change notification settings - Fork 30.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
buffer: introduce Buffer.encode() method #4565
Conversation
Buffer constructor has too much behaviour. it is usual to convert string to Buffer in the form of new Buffer(str). If don't check type of first argument, new Buffer(number) can lead Buffer vulnerability. For example: - https://github.com/websockets/ws/releases/tag/1.0.1 - qiniu/nodejs-sdk#123 Introduce Buffer.encode() method to be explicit abort encoding.
Why not simply do |
In fact, too much guys use new Buffer() but forget to validate/convert input. |
IMHO that seems more like a userland problem. Either way, any such userland code would need to be changed, so you might as well just do |
A userland problem that is promoted by the design of Buffer. I think this is well illustrated by the fact that your solution of But that aside, doesn't this illustrate that there may indeed be a bit of an issue here? |
IMO, a function like this falls into the same discussion as a parameter to the |
@ronkorving That was merely an example. My point was this can be easily done in userland and IMHO it does not require the addition of a new Buffer method. |
It needs to be accepted that this is not a vulnerability of the Buffer API. How it will operate is well documented, and there aren't any surprises when using Buffer as documented (if there are then we do have a bug, or documentation fail). Specifically in the ws case it's even stated in the release notes that they "didn't do any checks for the type of data [they] were sending."[1] This is akin to not sanitizing an incoming query and allowing a SQL injection attack, except in the SQL case it's written off as poor programming practice from the implementer. So in any case the most we'd be doing is making the API more "developer-friendly". As for this PR, allowing the argument to be coerced doesn't follow its own documentation. If anything will be accepted then it should state Anyway, I'm open to discussion on the topic but want to make sure we really understand why this or something similar would be added. [1] https://github.com/websockets/ws/releases/tag/1.0.1 |
Yes, Make the API more "developer-friendly" is my point. |
This can be closed now that the new buffer api's have landed. |
Thanks @jasnell |
Buffer constructor has too much behaviour.
it is usual to convert string to Buffer in the form of new
Buffer(str).
If don't check type of first argument, new Buffer(number) can lead
Buffer vulnerability. For example:
Introduce Buffer.encode() method to be explicit about encoding.