`X509V3_EXT_print` can return value different from `1` if the X509
extension does not support printing to a buffer. Instead of failing with
an unrecoverable assertion - replace the relevant value in the hashmap
with a JS null value.
Fixes: https://hackerone.com/reports/746733
PR-URL: https://github.com/nodejs-private/node-private/pull/175
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Shelley Vohr <codebytere@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
HTTP header values can have trailing OWS, but it should be stripped. It
is not semantically part of the header's value, and if treated as part
of the value, it can cause spurious inequality between expected and
actual header values.
Note that a single SPC of leading OWS is common before the field-value,
and it is already handled by the HTTP parser by stripping all leading
OWS. It is only the trailing OWS that must be stripped by the parser
user.
header-field = field-name ":" OWS field-value OWS
; https://tools.ietf.org/html/rfc7230#section-3.2
OWS = *( SP / HTAB )
; https://tools.ietf.org/html/rfc7230#section-3.2.3
Fixes: https://hackerone.com/reports/730779
PR-URL: https://github.com/nodejs-private/node-private/pull/189
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: James M Snell <jasnell@gmail.com>
wrk did not support sending optional headers, they were silently
ignored. This appears to be an oversight, they were supported for
autocannon.
PR-URL: https://github.com/nodejs-private/node-private/pull/189
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: James M Snell <jasnell@gmail.com>
Alternative to https://github.com/nodejs/node/pull/31590.
It appears that the issue here is that the test falsely assumed that
closing the client (which also currently destroys the socket rather
than gracefully shutting down the connection) would still leave
enough time for the server side to receive the stream error.
Address that by explicitly waiting for the server side to receive the
stream error before closing the client and the connection with it.
Refs: https://github.com/nodejs/node/pull/31590
Refs: https://github.com/nodejs/node/issues/20750
PR-URL: https://github.com/nodejs/node/pull/31610
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Denys Otrishko <shishugi@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
This is a security release.
Vulnerabilities fixed:
* **CVE-2019-15606**:
HTTP header values do not have trailing OWS trimmed.
* **CVE-2019-15605**:
HTTP request smuggling using malformed Transfer-Encoding header.
* **CVE-2019-15604**:
Remotely trigger an assertion on a TLS server with a malformed
certificate string.
Also, HTTP parsing is more strict to be more secure. Since this may
cause problems in interoperability with some non-conformant HTTP
implementations, it is possible to disable the strict checks with the
`--insecure-http-parser` command line flag, or the `insecureHTTPParser`
http option. Using the insecure HTTP parser should be avoided.
PR-URL: https://github.com/nodejs-private/node-private/pull/198
This is a security release.
Vulnerabilities fixed:
* **CVE-2019-15606**:
HTTP header values do not have trailing OWS trimmed.
* **CVE-2019-15605**:
HTTP request smuggling using malformed Transfer-Encoding header.
* **CVE-2019-15604**:
Remotely trigger an assertion on a TLS server with a malformed
certificate string.
Also, HTTP parsing is more strict to be more secure. Since this may
cause problems in interoperability with some non-conformant HTTP
implementations, it is possible to disable the strict checks with the
`--insecure-http-parser` command line flag, or the `insecureHTTPParser`
http option. Using the insecure HTTP parser should be avoided.
PR-URL: https://github.com/nodejs-private/node-private/pull/197
This is a security release.
Vulnerabilities fixed:
* **CVE-2019-15606**:
HTTP header values do not have trailing OWS trimmed.
* **CVE-2019-15605**:
HTTP request smuggling using malformed Transfer-Encoding header.
* **CVE-2019-15604**:
Remotely trigger an assertion on a TLS server with a malformed
certificate string.
Also, HTTP parsing is more strict to be more secure. Since this may
cause problems in interoperability with some non-conformant HTTP
implementations, it is possible to disable the strict checks with the
`--insecure-http-parser` command line flag, or the `insecureHTTPParser`
http option. Using the insecure HTTP parser should be avoided.
PR-URL: https://github.com/nodejs-private/node-private/pull/196
Inspired by the defect report template of the V8 issue tracker
PR-URL: https://github.com/nodejs/node/pull/31611
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Weijia Wang <starkwang@126.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Daijiro Wachi <daijiro.wachi@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
The tmpDir alias was deprecated in 7.0.0
PR-URL: https://github.com/nodejs/node/pull/31169
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
API has been being incrementally deprecated since 6.0.0
PR-URL: https://github.com/nodejs/node/pull/31166
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
API was deprecated back in the 0.11 days.
PR-URL: https://github.com/nodejs/node/pull/31165
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Robert Nagy <ronagy@icloud.com>
PR-URL: https://github.com/nodejs/node/pull/31552
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
During the `init()` async hook, the C++ object is not finished
creating yet (i.e. it is an `AsyncWrap`, but not yet a `HandleWrap`
or `MessagePort`). Accessing the `handle_` field is not valid
in that case.
However, the custom inspect function for `MessagePort`s calls
`HasRef()` on the object, which would crash when the object
is not fully constructed. Fix that by guarding the access of
the libuv handle on that condition.
PR-URL: https://github.com/nodejs/node/pull/31600
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Emitting 'close' before 'finish' on a Writable should
result in a premature close error.
PR-URL: https://github.com/nodejs/node/pull/31534
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Use Worker thread pools as an example of how `AsyncResource`
can be used to track async state across callbacks.
PR-URL: https://github.com/nodejs/node/pull/31601
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Chengzhong Wu <legendecas@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Anto Aravinth <anto.aravinth.cse@gmail.com>
This reduces the code lines required to run the tests by abstracting
the constructor call. It also moves tests out of a for loop that
where miss placed.
PR-URL: https://github.com/nodejs/node/pull/31423
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
The input was not validated so far and that caused unwanted side
effects. E.g., `undefined` became the string `'undefined'`. It was
expected to fail or to end up as empty string.
Now all input is validated to be either some type of array buffer
view or a string. That way it's always clear what the user intents.
PR-URL: https://github.com/nodejs/node/pull/31030
Fixes: https://github.com/nodejs/node/issues/31025
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Yongsheng Zhang <zyszys98@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Closing the FileHandle on garbage collection is a bad practice.
Runtime deprecate and indicate that an error will be thrown in
the future.
PR-URL: https://github.com/nodejs/node/pull/28396
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
This fixes a compiler warning introduced in 9225939528.
PR-URL: https://github.com/nodejs/node/pull/31599
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
The state of .setNoDelay() is now tracked and code will prevent repeated
system calls to setsockopt() when the value has already been set to the
desired value for the socket.
Change and expand the appropriate test.
PR-URL: https://github.com/nodejs/node/pull/31543
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
The test may fail otherwise because of behaviour changes caused
by setting the environment variable.
Fixes: https://github.com/nodejs/node/issues/31585
PR-URL: https://github.com/nodejs/node/pull/31594
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Gus Caplan <me@gus.host>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Changed Fill() to use ParseArrayIndex() when getting start and end
of buffers instead of Uint32Value, supporting buffers of greater
than 2**32
Fixes: https://github.com/nodejs/node/issues/31514
Co-Authored-By: Rich Trott <rtrott@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/31591
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
This removes 'to Number' casting in multiple benchmarks (which is
handled by the benchmark runner) and cleans up some var usage in changed
benchmarks.
PR-URL: https://github.com/nodejs/node/pull/31581
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Rich Trott <rtrott@gmail.com>
It had an unused `Agent` option (no such option exists), and some code
that common.must(Not)Call makes redundant.
PR-URL: https://github.com/nodejs/node/pull/31584
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Daijiro Wachi <daijiro.wachi@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Removed field env from cryptojob class, replaced with
function env() inherited from ThreadPoolWork
PR-URL: https://github.com/nodejs/node/pull/31554
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: David Carlier <devnexen@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
The FWrite function on Windows assumed that MultiByteToWideChar
automatically null-terminates the resulting string, but it will only do
so if the size of the source was passed as -1 or null character was
explicitly counted in the size. The FWrite uses std::string and its
`.size()` method which doesn't count the null character even though the
`.data()` method adds it to the resulting string.
https://docs.microsoft.com/en-us/windows/win32/api/stringapiset/nf-stringapiset-multibytetowidechar#remarks
> MultiByteToWideChar does not null-terminate an output string if the
input string length is explicitly specified without a terminating null
character. To null-terminate an output string for this function, the
application should pass in -1 or explicitly count the terminating null
character for the input string.
PR-URL: https://github.com/nodejs/node/pull/31580
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
The test starts child processes. A recent change is suspected of causing
flaky crashes on one of the alpine buildbots but we can't know for sure
because the test hides the child's stderr.
Refs: https://github.com/nodejs/node/pull/31547#issuecomment-581076515
PR-URL: https://github.com/nodejs/node/pull/31612
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
abe6a2e3d1 introduced a test that verifies that ArrayBuffer
allocations are tracked. However, V8 supports concurrent freeing
of such allocations on background threads, meaning that the results
may be subject to race conditions sometimes.
Disabling concurrent freeing makes the test pass consistently.
Refs: https://github.com/nodejs/node/pull/31550
PR-URL: https://github.com/nodejs/node/pull/31602
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Denys Otrishko <shishugi@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
`__executable_start` is provided by GNU's and LLVM's default linker
scripts, obviating the need to plug in a custom linker script.
The problem with our bespoke linker script is that it works with ld.bfd
but not ld.gold and cannot easily be ported because the latter linker
doesn't understand the `INSERT BEFORE` directive.
The /proc/self/maps scanner is updated to account for the fact that
there are a number of sections between `&__executable_start` and
the start of the .text section.
Fortunately, those sections are all mapped into the same memory segment
so we only need to look at the next line to find the start of our text
segment.
Fixes: https://github.com/nodejs/node/issues/31520
PR-URL: https://github.com/nodejs/node/pull/31547
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Gus Caplan <me@gus.host>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: David Carlier <devnexen@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/31575
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Change the description of socket.setNoDelay() to make it clear
that sockets have Nagle's algorithm enabled by default.
Better document the tradeoff of having the algorithm enabled.
Explain the behavior of the function based on the passed arguments.
PR-URL: https://github.com/nodejs/node/pull/31541
Reviewed-By: Denys Otrishko <shishugi@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
This commit adds the supported --use-largepages values to
the --help menu.
PR-URL: https://github.com/nodejs/node/pull/31537
Fixes: https://github.com/nodejs/node/issues/31533
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Denys Otrishko <shishugi@gmail.com>
Reviewed-By: David Carlier <devnexen@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Add a raw `MessagePort` benchmark that does not ping back and forth
between different threads, unlike the `echo.js` benchmark, as there
are some performance differences between single-threaded and multi-
threaded operation, and a single-threaded Environment can be somewhat
easier to work with when profiling.
PR-URL: https://github.com/nodejs/node/pull/31568
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Denys Otrishko <shishugi@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/31556
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Chengzhong Wu <legendecas@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Since there're still many "Debug" and "Release" folders in "deps" and
"tools", to make it more strict and totally ignore the generated obj
files, ignore all the files/folders under them.
Refs: https://github.com/nodejs/node/pull/27210
PR-URL: https://github.com/nodejs/node/pull/31565
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: David Carlier <devnexen@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
At least `createHeapSnapshotStream()` and `triggerHeapSnapshot()`
do have side effects, and more importantly, they should not be
run transparently. Without this, typing e.g. `v8.getHeapSnapshot()`
into the REPL will result in a crash or infinite loop while the REPL
evaluates the expression for a preview.
PR-URL: https://github.com/nodejs/node/pull/31570
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Gus Caplan <me@gus.host>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: David Carlier <devnexen@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
This option is used here:
70c32a6d19/lib/internal/http2/core.js (L3010)
PR-URL: https://github.com/nodejs/node/pull/31560
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
worker is stable in the master branch. The flag is no longer required.
PR-URL: https://github.com/nodejs/node/pull/31563
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Yongsheng Zhang <zyszys98@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
mkdir('/foo/bar', { recursive: true }) and mkdirSync will now return
the path of the first folder created. This matches more closely
mkdirp's behavior, and is useful for setting folder permissions.
PR-URL: https://github.com/nodejs/node/pull/31530
Refs: https://github.com/nodejs/node/issues/31481
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Rich Trott <rtrott@gmail.com>
