Socket
Socket
Sign inDemoInstall

safe-buffer

Package Overview
Dependencies
Maintainers
2
Versions
11
Alerts
File Explorer

Advanced tools

License
Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

safe-buffer - npm Package Compare versions

Comparing version 1.0.0 to 2.0.0

22

index.js

@@ -12,3 +12,2 @@ module.exports = SafeBuffer

// Copy static methods and properties from Buffer
Object.keys(Buffer).forEach(function (prop) {

@@ -18,8 +17,23 @@ SafeBuffer[prop] = Buffer[prop]

SafeBuffer.alloc = function (len) {
if (typeof len !== 'number') {
SafeBuffer.from = function (value, encoding) {
if (typeof value === 'number') {
throw new TypeError('Argument must not be a number')
}
return new Buffer(value, encoding)
}
SafeBuffer.alloc = function (size) {
if (typeof size !== 'number') {
throw new TypeError('Argument must be a number')
}
return new Buffer(len)
return new Buffer(size)
}
SafeBuffer.zalloc = function (size) {
if (typeof size !== 'number') {
throw new TypeError('Argument must be a number')
}
var buffer = new Buffer(size)
buffer.fill(0)
return buffer
}

2

package.json
{
"name": "safe-buffer",
"description": "Safer Node.js Buffer API",
"version": "1.0.0",
"version": "2.0.0",
"author": {

@@ -6,0 +6,0 @@ "name": "Feross Aboukhadijeh",

57

README.md

@@ -37,7 +37,39 @@ # safe-buffer [![travis][travis-image]][travis-url] [![npm][npm-image]][npm-url] [![downloads][downloads-image]][npm-url]

// Create uninitialized buffers explicitly, when required for performance:
// Going forward, use an explicit API to make clear what you want.
Buffer.alloc(16) // potentially unsafe
Buffer.from('hey', 'utf8') // convert from many types to a Buffer
Buffer.zalloc(16) // create a zero-filled buffer (safe)
Buffer.alloc(16) // create an uninitialized buffer (potentially unsafe)
```
## api
### `Buffer.from(value, [encoding])`
Creates a new Buffer containing the given `value`. `value` can be an `Array`, `Buffer`,
`ArrayBuffer`, `string`, or `TypedArrayView` (`Uint8Array`, etc.). If `value` is a string,
an `encoding` parameter can also be provided to identify the string character encoding.
### `Buffer.zalloc(size)`
Allocate a zero-filled buffer with the given `size`. This is safe and recommended to use.
### `Buffer.alloc(size)`
Allocate an uninitialized buffer with the given `size`. This is potentially unsafe. The
underlying memory for `Buffer` instances created in this way is not initialized. The
contents are unknown and could contain sensitive data. The buffer must be overwritten
before it's used.
### more methods
The rest of the `Buffer` API is exactly the same as in node.js.
[See the docs](https://nodejs.org/api/buffer.html).
## Related links
- [Node.js issue: Buffer(number) is unsafe](https://github.com/nodejs/node/issues/4660)
- [Node.js Enhancement Proposal: Buffer.from/Buffer.alloc/Buffer.zalloc/Buffer() soft-deprecate](https://github.com/nodejs/node-eps/pull/4)
## Why is `Buffer` unsafe?

@@ -146,3 +178,3 @@

[Mathius Buus](https://github.com/mafintosh) and I
[Mathias Buus](https://github.com/mafintosh) and I
([Feross Aboukhadijeh](http://feross.org/)) found this issue in one of our own packages,

@@ -209,3 +241,3 @@ [`bittorrent-dht`](https://www.npmjs.com/package/bittorrent-dht). The bug would allow

#### `Buffer.alloc(number)`
#### A new API: `Buffer.alloc(number)`

@@ -252,6 +284,19 @@ The functionality of creating buffers with uninitialized memory should be part of another

1. Change `new Buffer(number)` to return safe, zeroed-out memory
~~1. Change `new Buffer(number)` to return safe, zeroed-out memory~~
2. Create a new API for creating uninitialized Buffers. We propose: `Buffer.alloc(number)`
~~2. Create a new API for creating uninitialized Buffers. We propose: `Buffer.alloc(number)`~~
### Update
Upon further consideration, we think that returning zeroed out memory is a separate issue.
The core issue is: unsafe buffer allocation should be in a different API.
We now support adding two APIs:
- `Buffer.from(value)` - convert from any type to a buffer
- `Buffer.alloc(size)` - create an uninitialized buffer with given size
This solves the core problem that affected `ws` and `bittorrent-dht` which is
`Buffer(variable)` getting tricked into taking a number argument.
This way, existing code continues working and the impact on the npm ecosystem will be

@@ -258,0 +303,0 @@ minimal. Over time, npm maintainers can migrate performance-critical code to use

62

test.js
var test = require('tape')
var SafeBuffer = require('./').Buffer
test('safe usage continues to work as before', function (t) {
test('new SafeBuffer(value) works just like Buffer', function (t) {
t.deepEqual(new SafeBuffer('hey'), new Buffer('hey'))
t.deepEqual(new SafeBuffer('hey', 'utf8'), new Buffer('hey', 'utf8'))
t.deepEqual(new SafeBuffer('686579', 'hex'), new Buffer('686579', 'hex'))
t.deepEqual(new SafeBuffer([1, 2, 3]), new Buffer([1, 2, 3]))
t.deepEqual(new SafeBuffer(new Uint8Array([1, 2, 3])), new Buffer(new Uint8Array([1, 2, 3])))
t.equal(typeof SafeBuffer.isBuffer, 'function')
t.equal(SafeBuffer.isBuffer(new SafeBuffer('hey')), true)
t.equal(Buffer.isBuffer(new SafeBuffer('hey')), true)
t.notOk(Buffer.isBuffer({}))
t.notOk(SafeBuffer.isBuffer({}))
t.end()
})
test('new Buffer(number) always returns zeroed out memory', function (t) {
test('SafeBuffer.from(value) converts to a Buffer', function (t) {
t.deepEqual(SafeBuffer.from('hey'), new Buffer('hey'))
t.deepEqual(SafeBuffer.from('hey', 'utf8'), new Buffer('hey', 'utf8'))
t.deepEqual(SafeBuffer.from('686579', 'hex'), new Buffer('686579', 'hex'))
t.deepEqual(SafeBuffer.from([1, 2, 3]), new Buffer([1, 2, 3]))
t.deepEqual(SafeBuffer.from(new Uint8Array([1, 2, 3])), new Buffer(new Uint8Array([1, 2, 3])))
t.end()
})
test('new SafeBuffer(number) returns zeroed-out memory', function (t) {
for (var i = 0; i < 10; i++) {
t.deepEqual(new SafeBuffer(1000), new Buffer(1000).fill(0))
t.deepEqual(new SafeBuffer(1000 * 1000), new Buffer(1000 * 1000).fill(0))
var expected1 = new Buffer(1000)
expected1.fill(0)
t.deepEqual(new SafeBuffer(1000), expected1)
var expected2 = new Buffer(1000 * 1000)
expected2.fill(0)
t.deepEqual(new SafeBuffer(1000 * 1000), expected2)
}

@@ -23,3 +42,16 @@ t.end()

test('Buffer.alloc(number)', function (t) {
test('SafeBuffer.zalloc(number) returns zeroed-out memory', function (t) {
for (var i = 0; i < 10; i++) {
var expected1 = new Buffer(1000)
expected1.fill(0)
t.deepEqual(SafeBuffer.zalloc(1000), expected1)
var expected2 = new Buffer(1000 * 1000)
expected2.fill(0)
t.deepEqual(SafeBuffer.zalloc(1000 * 1000), expected2)
}
t.end()
})
test('SafeBuffer.alloc(number)', function (t) {
var buf = SafeBuffer.alloc(100) // unitialized memory

@@ -32,3 +64,3 @@ t.equal(buf.length, 100)

test('Buffer.alloc() throws with other types', function (t) {
test('SafeBuffer.alloc() throws with non-number types', function (t) {
t.plan(4)

@@ -48,1 +80,17 @@ t.throws(function () {

})
test('SafeBuffer.zalloc() throws with non-number types', function (t) {
t.plan(4)
t.throws(function () {
SafeBuffer.zalloc('hey')
})
t.throws(function () {
SafeBuffer.zalloc('hey', 'utf8')
})
t.throws(function () {
SafeBuffer.zalloc([1, 2, 3])
})
t.throws(function () {
SafeBuffer.zalloc({})
})
})
SocketSocket SOC 2 Logo

Product

  • Package Alerts
  • Integrations
  • Docs
  • Pricing
  • FAQ
  • Roadmap
  • Changelog

About

Packages

npm

Go

Maven

PyPI

Rubygems

Stay in touch

Get open source security insights delivered straight into your inbox.

  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc