0
0
mirror of https://github.com/nodejs/node.git synced 2024-12-01 16:10:02 +01:00
Commit Graph

30746 Commits

Author SHA1 Message Date
Daniel Bevenius
7f8e977ee0 src,build: add --openssl-default-cipher-list
This commit adds a configuration option named
openssl-default-cipher-list which takes a colon separated string
specifying ciphers that should be used as the default ciphers instead of
the ones defined in node_constants.

The motivation for this is a use case where Fedora/RHEL would like
to be able to specify a default cipher in the format PROFILE=SYSTEM.
This would enable Fedora/RHEL to have a system wide security level for
all applications.

PR-URL: https://github.com/nodejs/node/pull/33708
Refs: https://docs.fedoraproject.org/en-US/packaging-guidelines/CryptoPolicies/
Reviewed-By: David Carlier <devnexen@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
2020-06-08 13:21:54 +02:00
Daniel Bevenius
111d1e523d tools: remove unused using declarations code_cache
This commit removes the reported unused using declarations from
cache_builder.cc

PR-URL: https://github.com/nodejs/node/pull/33697
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
2020-06-08 08:41:31 +02:00
Daniel Bevenius
0c31702405 build: add LINT_CPP_FILES to checkimports check
This commit adds the prerequisites which contains all the files to lint.
Currently the only the files in 'src' will be checked.

PR-URL: https://github.com/nodejs/node/pull/33697
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
2020-06-08 08:41:13 +02:00
Daniel Bevenius
8a4b5c63e0 src: use Check() instead of FromJust in environment
This commit replaces FromJust() calls with Check() in places where the
value that FromJust() returns is not used.

PR-URL: https://github.com/nodejs/node/pull/33706
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: David Carlier <devnexen@gmail.com>
2020-06-08 06:20:50 +02:00
Pranshu Srivastava
b9739b6e08 doc: fix linting in doc-style-guide.md
Disable lint checks (enable prohibited-strings remark-lint) for
doc-style-guide.md:66. This was producing lint errors in builds
on master.

PR-URL: https://github.com/nodejs/node/pull/33787
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
2020-06-08 06:13:43 +02:00
Rich Trott
a29d7c7ff7 doc: remove "currently" from repl.md
PR-URL: https://github.com/nodejs/node/pull/33756
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
2020-06-07 12:36:43 -07:00
Rich Trott
e233d85686 doc: remove "currently" from events.md
PR-URL: https://github.com/nodejs/node/pull/33756
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
2020-06-07 12:36:41 -07:00
Rich Trott
df30c9e6c0 doc: remove "currently" from vm.md
PR-URL: https://github.com/nodejs/node/pull/33756
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
2020-06-07 12:36:39 -07:00
Rich Trott
ac6739d96d doc: remove "currently" from addons.md
PR-URL: https://github.com/nodejs/node/pull/33756
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
2020-06-07 12:36:37 -07:00
Rich Trott
77b5e2da8f doc: remove "currently" from util.md
PR-URL: https://github.com/nodejs/node/pull/33756
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
2020-06-07 12:36:35 -07:00
Rich Trott
eeede81c5c doc: add formatting for version numbers to doc-style-guide.md
PR-URL: https://github.com/nodejs/node/pull/33755
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
2020-06-07 12:33:14 -07:00
Rich Trott
101e0a9d14 doc: change "pre Node.js v0.10" to "prior to Node.js 0.10"
The phrasing "pre Node.js v0.10" is not grammatical, as "pre" is not a
word. This also changes "Node.js v0.10" to "Node.js 0.10". We dropped
use of the "v" prefix in prose some time ago to avoid confusion as to
whether "v8" referred to the V8 JavaScript engine or Node.js 8.x.

PR-URL: https://github.com/nodejs/node/pull/33754
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
2020-06-07 12:31:51 -07:00
Rich Trott
55d9833ebf doc: remove default parameter value from header
In the docs, we specify the default value of function parameters in the
list below the header. There is one exception where we use default
parameter notation. Change that instance to be like the rest of the docs
instead.

I rather like the default parameter notation, and I get why we didn't
use it to begin with. (The notation didn't exist in JavaScript at the
time.) I wouldn't mind switching to it, but that would result in big
churn. That can be a separate topic of discussion. For now, though,
let's get the docs consistent.

PR-URL: https://github.com/nodejs/node/pull/33752
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
2020-06-07 11:10:45 -07:00
antsmartian
08892fc0c4 stream: fix the spellings
PR-URL: https://github.com/nodejs/node/pull/33635
Reviewed-By: Zeyu Yang <himself65@outlook.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Robert Nagy <ronagy@icloud.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
2020-06-07 12:14:49 +02:00
Gus Caplan
d8eef83757
process: use v8 fast api calls for hrtime
Refs: https://github.com/nodejs/node/issues/33374

PR-URL: https://github.com/nodejs/node/pull/33600
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
2020-06-06 11:55:45 -05:00
Gus Caplan
e983b1cece
deps: V8: cherry-pick 0d6debcc5f08
Original commit message:

    [turbofan] Fixes for integrating the fast C API

    This commit adds a few fixes neccessary for integrating the
    fast C API into Blink:
    - added default constructor for CFunction
    - removed a bogus template specialization allowing void* params
    - extended the public Isolate class

    Bug: chromium:1052746
    Change-Id: I4f2ba84299920e2cc9d66ec1ed59302313db6c0b
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2120587
    Commit-Queue: Maya Lekova <mslekova@chromium.org>
    Reviewed-by: Toon Verwaest <verwaest@chromium.org>
    Reviewed-by: Georg Neis <neis@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#66986}

Refs: 0d6debcc5f

PR-URL: https://github.com/nodejs/node/pull/33600
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
2020-06-06 11:55:43 -05:00
Anna Henningsen
f5ed5fe068
benchmark: fix async-resource benchmark
In the benchmark, because it performs asynchronous operations before
writing its HTTP replies, the underlying socket can be closed by the
peer before the response is written. Since 28e6626ce7, that means
that attempting to `.end()` the HTTP response results in an uncaught
exception, breaking the benchmark.

Fix that by checking whether the response object has been destroyed
or not before attempting to call `.end()`.

https://github.com/nodejs/node/issues/33591

PR-URL: https://github.com/nodejs/node/pull/33642
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Juan José Arboleda <soyjuanarbol@gmail.com>
2020-06-06 17:36:52 +02:00
Rich Trott
065426c90a tools: update remark-preset-lint-node from 1.15.0 to 1.15.1
PR-URL: https://github.com/nodejs/node/pull/33727
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
2020-06-06 05:47:36 -07:00
Michaël Zasso
0d08d5ae7c
url: remove gopher from special schemes
Refs: https://github.com/nodejs/node/issues/33315
Refs: d589670451
Refs: 7ae1c691c9

PR-URL: https://github.com/nodejs/node/pull/33325
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
2020-06-06 11:11:02 +02:00
Michaël Zasso
e0586d0f70
build: output dots in "Build from tarball" action
Signed-off-by: Michaël Zasso <targos@protonmail.com>

PR-URL: https://github.com/nodejs/node/pull/33696
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
2020-06-06 10:58:14 +02:00
Sagar Jadhav
3ac50e1209 test: changed function to arrow function
Convert callback functions that are anonymous
to arrow functions for better readability.

PR-URL: https://github.com/nodejs/node/pull/33711
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Juan José Arboleda <soyjuanarbol@gmail.com>
Reviewed-By: Zeyu Yang <himself65@outlook.com>
2020-06-05 22:50:23 -05:00
Benjamin Gruenbaum
bf33b61be0 events: support useCapture boolean
PR-URL: https://github.com/nodejs/node/pull/33618
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
2020-06-05 16:55:26 -07:00
Benjamin Gruenbaum
1969ada982 events: set target property to null
PR-URL: https://github.com/nodejs/node/pull/33615
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Zeyu Yang <himself65@outlook.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Juan José Arboleda <soyjuanarbol@gmail.com>
2020-06-05 16:27:04 -07:00
Benjamin Gruenbaum
236237829b
events: deal with no argument case
PR-URL: https://github.com/nodejs/node/pull/33611
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
2020-06-05 14:41:43 -07:00
James M Snell
a8b26d72c5
lib: unflag AbortController
It's still experimental, but make the flag non-op

Signed-off-by: James M Snell <jasnell@gmail.com>

PR-URL: https://github.com/nodejs/node/pull/33527
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
2020-06-05 12:21:49 -07:00
James M Snell
74ca960aac
lib: initial experimental AbortController implementation
AbortController impl based very closely on:
 https://github.com/mysticatea/abort-controller

Marked experimental.
Not currently used by any of the existing promise apis.

Signed-off-by: James M Snell <jasnell@gmail.com>

PR-URL: https://github.com/nodejs/node/pull/33527
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
2020-06-05 12:21:47 -07:00
Daniel Bevenius
3e2a300710 src: use ToLocal in SafeGetenv
This commit replaces the IsEmpty call to use ToLocal instead which
allows for the following ToLocalChecked function call to be avoided.

PR-URL: https://github.com/nodejs/node/pull/33695
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: David Carlier <devnexen@gmail.com>
2020-06-05 05:58:49 +02:00
Daniel Bevenius
7232c2a160 src: use getauxval in node_main.cc
This commit suggests using getauxval in node_main.cc.

The motivation for this is that getauxval was introduced in glibc 2.16
and looking at BUILDING.md, in the 'Platform list' section, it looks
like we now support glibc >= 2.17 and perhaps this change would be
alright now.

PR-URL: https://github.com/nodejs/node/pull/33693
Refs: https://github.com/nodejs/node/pull/12548
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: David Carlier <devnexen@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
2020-06-05 05:52:24 +02:00
Daniel Bevenius
9027f5fdbe src: remove unnecessary ToLocalChecked call
PR-URL: https://github.com/nodejs/node/pull/33683
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: David Carlier <devnexen@gmail.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Juan José Arboleda <soyjuanarbol@gmail.com>
2020-06-05 05:44:13 +02:00
AshCripps
641c466671 doc: fix typo in cli.md for report-dir
Add the missing backtick in `--report-dir`

refs: https://github.com/nodejs/node/pull/33587#discussion_r432816468

PR-URL: https://github.com/nodejs/node/pull/33725
Refs: https://github.com/nodejs/node/pull/33587
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com>
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: Zeyu Yang <himself65@outlook.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
2020-06-04 13:32:45 -07:00
Benjamin Gruenbaum
3128915c57 event: cancelBubble is a property
Event#cancelBubble is property (and not a function). Change
Event#cancelBubble to a property and add a test.

PR-URL: https://github.com/nodejs/node/pull/33613
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Juan José Arboleda <soyjuanarbol@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Denys Otrishko <shishugi@gmail.com>
2020-06-04 10:36:41 -07:00
Nick Schonning
6e8709df5b doc: remove shell dollar signs without output
Related to https://github.com/nodejs/remark-preset-lint-node/pull/94

PR-URL: https://github.com/nodejs/node/pull/33692
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
2020-06-04 05:43:22 -07:00
Rich Trott
25d48a63c0 doc: add lint disabling comment for collaborator list
Disable linting for prohibited strings in the collaborator list so that
sam-github does not have to be sam-GitHub.

Refs: https://github.com/nodejs/remark-preset-lint-node/pull/96
Signed-off-by: Rich Trott <rtrott@gmail.com>

PR-URL: https://github.com/nodejs/node/pull/33719
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com>
2020-06-04 05:14:52 -07:00
Richard Lau
a1e5fd2cdf
build: fix compiling addons with older versions of Node.js
`common.gypi` is used by `node-gyp` to compile addons. Default values
must be provided for variables that may not exist on older versions of
Node.js so that older versions of Node.js can be used to compile addons
for later versions of Node.js.

Add default values for `v8_enable_pointer_compression` and
`v8_enable_31bit_smis_on_64bit_arch`.

PR-URL: https://github.com/nodejs/node/pull/33688
Refs: https://github.com/nodejs/node/pull/30463
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Signed-off-by: Richard Lau <riclau@uk.ibm.com>
2020-06-04 04:53:27 -04:00
Benjamin Gruenbaum
3a7a5d7e62 events: deal with Symbol() passed to event constructor
PR-URL: https://github.com/nodejs/node/pull/33612
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Juan José Arboleda <soyjuanarbol@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
2020-06-03 14:19:25 -07:00
himself65
673f49ac94 src: simplify format in node_file.cc
PR-URL: https://github.com/nodejs/node/pull/33660
Reviewed-By: Anto Aravinth <anto.aravinth.cse@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
2020-06-03 20:28:27 +08:00
cjihrig
680fb8fc62
doc: fix deprecation "End-of-Life" capitalization
Update the "End-of-Life" casing in the deprecation documentation
for consistency. Similar to #26251.

PR-URL: https://github.com/nodejs/node/pull/33691
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
2020-06-02 17:19:42 -04:00
cjihrig
16eaacfd2b
doc: use consistent Default: in events
The API docs have been migrating to **Default:** when providing
default values. This commit updates the events documentation page
for consistency.

PR-URL: https://github.com/nodejs/node/pull/33678
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Juan José Arboleda <soyjuanarbol@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
2020-06-02 17:16:52 -04:00
cjihrig
d5340526fd
doc: remove "it is important"
In the spirit of #30108, remove the use of "it is important" in
the new EventTarget docs.

PR-URL: https://github.com/nodejs/node/pull/33678
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Juan José Arboleda <soyjuanarbol@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
2020-06-02 17:16:42 -04:00
Beth Griggs
f46ca0fd29
2020-06-02, Version 10.21.0 'Dubnium' (LTS)
This is a security release.

Vulnerabilities fixed:

- CVE-2020-8174: napi_get_value_string_*() allows various kinds of
                 memory corruption (High).
- CVE-2020-10531: ICU-20958 Prevent SEGV_MAPERR in append (High).
- CVE-2020-11080: HTTP/2 Large Settings Frame DoS (Low).

PR-URL: https://github.com/nodejs-private/node-private/pull/211
2020-06-02 20:35:52 +02:00
Michaël Zasso
12bcee8628
2020-06-02, Version 12.18.0 'Erbium' (LTS)
This is a security release.

Notable changes:

Vulnerabilities fixed:
CVE-2020-8172: TLS session reuse can lead to host certificate verification bypass (High).
CVE-2020-11080: HTTP/2 Large Settings Frame DoS (Low).
CVE-2020-8174: `napi_get_value_string_*()` allows various kinds of memory corruption (High).

PR-URL: https://github.com/nodejs-private/node-private/pull/213
2020-06-02 20:35:52 +02:00
Michaël Zasso
64e33dc952
2020-06-02, Version 14.4.0 (Current)
This is a security release.

Notable changes:

Vulnerabilities fixed:
CVE-2020-8172: TLS session reuse can lead to host certificate verification bypass (High).
CVE-2020-11080: HTTP/2 Large Settings Frame DoS (Low).
CVE-2020-8174: `napi_get_value_string_*()` allows various kinds of memory corruption (High).

PR-URL: https://github.com/nodejs-private/node-private/pull/212
2020-06-02 20:35:52 +02:00
Fedor Indutny
2e1b41a708
tls: emit session after verifying certificate
Prior to this patch `session` event was emitted after `secure` event on
TLSSocket, but before `secureConnect` event. This is problematic for
`https.Agent` because it must cache session only after verifying the
remote peer's certificate.

Connecting to a server that presents an invalid certificate resulted
in the session being cached after the handshake with the server and
evicted right after a certifiate validation error and socket's
destruction. A request initiated during this narrow window would pick
the faulty session, send it to the malicious server and skip the
verification of the server's certificate.

Fixes: https://hackerone.com/reports/811502
CVE-ID: CVE-2020-8172
PR-URL: https://github.com/nodejs-private/node-private/pull/200
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
2020-06-02 20:35:51 +02:00
James M Snell
3948830ce6
http2: implement support for max settings entries
Adds the maxSettings option to limit the number of settings
entries allowed per SETTINGS frame. Default 32

Fixes: https://hackerone.com/reports/446662
CVE-ID: CVE-2020-11080
PR-URL: https://github.com/nodejs-private/node-private/pull/204
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
2020-06-02 20:35:51 +02:00
James M Snell
d3beb50da3
deps: update nghttp2 to 1.41.0
Fixes: https://hackerone.com/reports/446662
CVE-ID: CVE-2020-11080
PR-URL: https://github.com/nodejs-private/node-private/pull/204
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
2020-06-02 20:35:51 +02:00
Tobias Nießen
656260b4b6
napi: fix memory corruption vulnerability
Fixes: https://hackerone.com/reports/784186
CVE-ID: CVE-2020-8174
PR-URL: https://github.com/nodejs-private/node-private/pull/195
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Gabriel Schulhof <gabriel.schulhof@intel.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
2020-06-02 20:35:51 +02:00
Joyee Cheung
0cb194ec6a
deps: V8: backport 22014de00115
Original commit message:

    Reland "[snapshot] rehash JSMap and JSSet during deserialization"

    This is a reland of 8374feed55a5b3010f2e9593560a2d84f9f6725f.

    Fixed rehashing of global proxy keys by creating its identity hash
    early, before the deserialization of the context snapshot.

    Original change's description:
    > [snapshot] rehash JSMap and JSSet during deserialization
    >
    > To rehash JSMap and JSSet, we simply replace the backing store
    > with a new one created with the new hash.
    >
    > Bug: v8:9187
    > Change-Id: I90c25b18b33b7bc2b6ffe1b89fe17aa5f978b517
    > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2143983
    > Commit-Queue: Joyee Cheung <joyee@igalia.com>
    > Reviewed-by: Jakob Gruber <jgruber@chromium.org>
    > Reviewed-by: Camillo Bruni <cbruni@chromium.org>
    > Cr-Commit-Position: refs/heads/master@{#67663}

    Bug: v8:9187, v8:10523
    Change-Id: I7a0319b1d10ff07644de902fec43e7c2b1dd8da9
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2212085
    Reviewed-by: Leszek Swirski <leszeks@chromium.org>
    Reviewed-by: Camillo Bruni <cbruni@chromium.org>
    Reviewed-by: Jakob Gruber <jgruber@chromium.org>
    Commit-Queue: Joyee Cheung <joyee@igalia.com>
    Cr-Commit-Position: refs/heads/master@{#67999}

Refs: 22014de001

PR-URL: https://github.com/nodejs/node/pull/33300
Refs: ea0719b8ed
Refs: bb9f0c2b2f
Refs: https://github.com/nodejs/node/issues/17058
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
2020-06-02 23:00:46 +08:00
Joyee Cheung
c5a0b888f6
deps: V8: backport bb9f0c2b2fe9
Original commit message:

    [snapshot] Improve snapshot docs and error printing

    - Minor improvements to the documentation for snapshotting.
    - Add newlines to printed errors where necessary.

    Change-Id: I822e7e850adb67eae73b51c23cf34e40ba3106f0
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2144954
    Reviewed-by: Toon Verwaest <verwaest@chromium.org>
    Commit-Queue: Toon Verwaest <verwaest@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#67111}

Refs: bb9f0c2b2f

PR-URL: https://github.com/nodejs/node/pull/33300
Refs: ea0719b8ed
Refs: 22014de001
Refs: https://github.com/nodejs/node/issues/17058
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
2020-06-02 23:00:44 +08:00
Joyee Cheung
251c1b1788
deps: V8: backport ea0719b8ed08
Original commit message:

    [snapshot] Do not defer ArrayBuffers during snapshotting

    ArrayBuffer instances are serialized by first re-assigning a index
    to the backing store field, then serializing the object, and then
    storing the actual backing store address again (and the same for the
    ArrayBufferExtension). If serialization of the object itself is deferred,
    the real backing store address is written into the snapshot, which cannot be
    processed when deserializing, leading to a crash.

    This fixes this by not deferring ArrayBuffer serialization and adding a DCHECK
    for the crash that previously occurred.

    Change-Id: Id9bea8268061bd0770cde7bfeb6695248978f994
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2144123
    Commit-Queue: Jakob Gruber <jgruber@chromium.org>
    Reviewed-by: Dan Elphick <delphick@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#67114}

Refs: ea0719b8ed

PR-URL: https://github.com/nodejs/node/pull/33300
Refs: bb9f0c2b2f
Refs: 22014de001
Refs: https://github.com/nodejs/node/issues/17058
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
2020-06-02 23:00:42 +08:00
Sebastien Ahkrin
178efdf5a2
lib: add Int16Array primordials
PR-URL: https://github.com/nodejs/node/pull/31205
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
2020-06-02 15:38:59 +02:00