PR-URL: https://github.com/nodejs/node/pull/20816
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Add scrypt functions to the list of exported openssl symbols.
PR-URL: https://github.com/nodejs/node/pull/20816
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
PR-URL: https://github.com/nodejs/node/pull/20816
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Use the scrypt() infrastructure to reimplement randomBytes() and
randomFill() in a simpler manner.
PR-URL: https://github.com/nodejs/node/pull/20816
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Use the scrypt() infrastructure to reimplement pbkdf2() in a simpler
manner.
PR-URL: https://github.com/nodejs/node/pull/20816
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Scrypt is a password-based key derivation function that is designed to
be expensive both computationally and memory-wise in order to make
brute-force attacks unrewarding.
OpenSSL has had support for the scrypt algorithm since v1.1.0. Add a
Node.js API modeled after `crypto.pbkdf2()` and `crypto.pbkdf2Sync()`.
Changes:
* Introduce helpers for copying buffers, collecting openssl errors, etc.
* Add new infrastructure for offloading crypto to a worker thread.
* Add a `AsyncWrap` JS class to simplify pbkdf2(), randomBytes() and
scrypt().
Fixes: https://github.com/nodejs/node/issues/8417
PR-URL: https://github.com/nodejs/node/pull/20816
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Factor out some common code. The `checkUint()` function will also be
used in a follow-up commit that adds scrypt support to core.
PR-URL: https://github.com/nodejs/node/pull/20816
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Right now, we crash the process if there are handles remaining
on the event loop when we exit (except for the main thread).
This does not provide a lot of information about causes, though;
in particular, we don’t show which handles are pending and
who own them.
This patch adds debug output to these cases to help with the
situation.
PR-URL: https://github.com/nodejs/node/pull/21238
Reviewed-By: Tiancheng "Timothy" Gu <timothygu99@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Gus Caplan <me@gus.host>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Use a single file, and a single interface, for inspecting
symbols in the current process for debugging.
PR-URL: https://github.com/nodejs/node/pull/21238
Reviewed-By: Tiancheng "Timothy" Gu <timothygu99@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Gus Caplan <me@gus.host>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
The CODEOWNERS file is not working out. It is not pinging any groups
other than TSC (and more-or-less can't), and it pings TSC mostly for all
the wrong things.
It was a valiant effort, and possible worth revisiting at a future date
when functionality is closer to what we need. But for now, let us bid it
adieu.
PR-URL: https://github.com/nodejs/node/pull/21161
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Ali Ijaz Sheikh <ofrobots@google.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Tiancheng "Timothy" Gu <timothygu99@gmail.com>
Reviewed-By: Ujjwal Sharma <usharma1998@gmail.com>
Provide more concise explanations of the deprecation levels in
COLLABORATOR_GUIDE.md.
PR-URL: https://github.com/nodejs/node/pull/21241
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Yuta Hiroto <hello@hiroppy.me>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Tiancheng "Timothy" Gu <timothygu99@gmail.com>
Reviewed-By: Ujjwal Sharma <usharma1998@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Weijia Wang <starkwang@126.com>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
This would otherwise keep a lot of unused memory lying around,
and in particular add up to a page per chunk of memory overhead
for network reads, potentially opening a DoS vector if the resulting
`Buffer` objects are kept around indefinitely (e.g. stored in a list
and not concatenated until the socket finishes).
This fixes CVE-2018-7164.
Refs: https://github.com/nodejs-private/security/issues/186
Refs: 7c4b09b24b
PR-URL: https://github.com/nodejs-private/node-private/pull/128
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Evan Lucas <evanlucas@me.com>
Fix an use-after-free bug in the TLS implementation.
If we return from `DoWrite()` with an early error, we should
not be storing the `WriteWrap` object and complete it
again at a later point, when it has already been freed
(because of the write error).
This issue was reported by Jordan Zebor at F5 Networks,
who also helped with investigating this bug and coming
up with a reproduction.
This fixes CVE-2018-7162.
Fixes: https://github.com/nodejs-private/security/issues/189
PR-URL: https://github.com/nodejs-private/node-private/pull/127
Reviewed-By: Evan Lucas <evanlucas@me.com>
Notable changes:
* **Fixes memory exhaustion DoS** (CVE-2018-7164): Fixes a bug introduced
in 9.7.0 that increases the memory consumed when reading from the network
into JavaScript using the net.Socket object directly as a stream.
* **http2**
* (CVE-2018-7161): Fixes Denial of Service vulnerability by updating the
http2 implementation to not crash under certain circumstances during cleanup
* (CVE-2018-1000168): Fixes Denial of Service vulnerability by upgrading
nghttp2 to 1.32.0
* **tls** (CVE-2018-7162): Fixes Denial of Service vulnerability by updating
the TLS implementation to not crash upon receiving
* **n-api**: Prevent use-after-free in napi_delete_async_work
PR-URL: https://github.com/nodejs-private/node-private/pull/136
Notable changes:
* **Fixes memory exhaustion DoS** (CVE-2018-7164): Fixes a bug introduced
in 9.7.0 that increases the memory consumed when reading from the network
into JavaScript using the net.Socket object directly as a stream.
* **buffer** (CVE-2018-7167): Fixes Denial of Service vulnerability where
calling Buffer.fill() could hang
* **http2**
* (CVE-2018-7161): Fixes Denial of Service vulnerability by updating the
http2 implementation to not crash under certain circumstances during cleanup
* (CVE-2018-1000168): Fixes Denial of Service vulnerability by upgrading
nghttp2 to 1.32.0
* **tls** (CVE-2018-7162): Fixes Denial of Service vulnerability by updating
the TLS implementation to not crash upon receiving
PR-URL: https://github.com/nodejs-private/node-private/pull/135
Notable changes:
* **buffer** (CVE-2018-7167): Fixes Denial of Service vulnerability
where calling Buffer.fill() could hang
* **http2**
* (CVE-2018-7161): Fixes Denial of Service vulnerability by
updating the http2 implementation to not crash under
certain circumstances during cleanup
* (CVE-2018-1000168): Fixes Denial of Service vulnerability
by upgrading nghttp2 to 1.32.0
PR-URL: https://github.com/nodejs-private/node-private/pull/126
This was previously incorrect.
PR-URL: https://github.com/nodejs/node/pull/21180
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Minwoo Jung <minwoo@nodesource.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
This functionality works but was previously untested.
PR-URL: https://github.com/nodejs/node/pull/21180
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Minwoo Jung <minwoo@nodesource.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
This reverts commit c2c9c0c3d3.
It seems to be causing hangs when piping output to other processes.
PR-URL: https://github.com/nodejs/node/pull/21257
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Use a JS script to build addons rather than a shell command
embedded in the Makefile, because parallelizing is hard in sh
and easy in JS.
PR-URL: https://github.com/nodejs/node/pull/21155
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
It's hypothetically (and with certain V8 flags) possible for the session
to be garbage collected before all the streams are. In that case, trying
to remove the stream from the session will lead to a segfault due to
attempting to access no longer valid memory. Fix this by unsetting the
session on any streams still around when destroying.
PR-URL: https://github.com/nodejs/node/pull/21194
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Ujjwal Sharma <usharma1998@gmail.com>
This commit adds a crypto check to test-http2-debug.js as it currently
will error if configured --without-ssl.
The issue here is that the while the test spawns a child process that
runs test-http2-ping.js, which does have a crypto check, it will just
print '1..0 # Skipped: missing crypto' to stdout, and nothing to stderr
which is what this test is trying to assert and hence failing.
PR-URL: https://github.com/nodejs/node/pull/21205
Reviewed-By: Daijiro Wachi <daijiro.wachi@gmail.com>
Reviewed-By: Ujjwal Sharma <usharma1998@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
In test/parallel/test-intl.js, five calls to assert.strictEqual() use a
third, string-literal parameter, which specifies a message to display
when the assertion fails. The problem is that if the assertion fails,
the error message will show the string literal but not the values that
caused the assertion to fail.
This commit removes the third parameter from the five calls and makes
them comments above the assertions instead. The default error message
produced by assert.strictEqual() shows the values that caused the
assertion to fail, which should be somewhat more helpful.
PR-URL: https://github.com/nodejs/node/pull/21211
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
test-inspector-stress-http launches 100 simultaneous http requests. It
is unreliable in the parallel directory (as can be seen with
tools/test.py and sufficiently high -j and --repeat values). Move to
sequential.
PR-URL: https://github.com/nodejs/node/pull/21227
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Jon Moss <me@jonathanmoss.me>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
This small change makes addon test build successfully with LLVM
10.0.0 and above. This will be fixed in npm source when node-gyp
is updated to 3.6.3 or above.
PR-URL: https://github.com/nodejs/node/pull/21239
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Minwoo Jung <minwoo@nodesource.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
Instead of relying on garbage collection to close the timer handle,
manage its state more explicitly.
PR-URL: https://github.com/nodejs/node/pull/21093
Fixes: https://github.com/nodejs/node/issues/18190
Refs: https://github.com/nodejs/node/pull/18307
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Compare versions using tuples instead of strings so that it is
future-proofed against versions that contain a number that is more than
one digit.
PR-URL: https://github.com/nodejs/node/pull/21183
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Extend return type of `read()` method with `any` which is a
valid return type for readable streams in object mode.
PR-URL: https://github.com/nodejs/node/pull/21178
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Stop `make distclean` from deleting files in the `deps/v8/testing/gmock`
folder, thus avoiding deleting version-controlled files important for
v8.
Fixes: https://github.com/nodejs/node/issues/21163
PR-URL: https://github.com/nodejs/node/pull/21164
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Improve the assert error message so it includes actual value in
the error message.
PR-URL: https://github.com/nodejs/node/pull/21160
Reviewed-By: Weijia Wang <starkwang@126.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Yuta Hiroto <hello@hiroppy.me>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Issue 1: make invalid setServers yield uniform error
Behavior:
dns.setServers throws a null pointer dereference on some inputs.
Expected behavior was the more pleasant
TypeError [ERR_INVALID_IP_ADDRESS] ...
Root cause(s?):
- Dereferencing the result of a regex match without confirming
that there was a match.
- assuming the capture of an optional group (?)
Solution:
Confirm the match, and handle a missing port cleanly.
Tests: I added tests for various unusual inputs.
Issue 2: revise quadratic regex in setServers
Problem:
The IPv6 regex was quadratic.
On long malicious input the event loop could block.
The security team did not deem it a security risk,
but said a PR was welcome.
Solution:
Revise the regex to a linear-complexity version.
Tests:
I added REDOS tests to the "oddities" section.
Fixes: https://github.com/nodejs/node/issues/20441
Fixes: https://github.com/nodejs/node/issues/20443
PR-URL: https://github.com/nodejs/node/pull/20445
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
LC_ALL=en_US breaks on some systems (notably the SmartOS 16
configuration in our CI). Use LC_ALL=C instead.
PR-URL: https://github.com/nodejs/node/pull/21222
Reviewed-By: Tiancheng "Timothy" Gu <timothygu99@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Gus Caplan <me@gus.host>
Reviewed-By: Refael Ackermann <refack@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Using High Sierra and `xcode-select --install` without installing full
Xcode, our build tooling breaks due to faulty regular expressions.
Update the `configure` script in our project root directory to handle
multi-digit version numbers.
`tools/gyp` and `deps/npm/node_modules/node-gyp` still need to be
updated for a complete fix.
PR-URL: https://github.com/nodejs/node/pull/21173
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Refael Ackermann <refack@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Tool versions can be 10 and higher. Float patch from node-gyp to
accommodate this fact of life.
PR-URL: https://github.com/nodejs/node/pull/21216
Refs: 293092c362
Reviewed-By: Refael Ackermann <refack@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
