Add a invalidArgTypeErrorCount variable to adjust the number of expected
errors if the uid and gid options cannot be properly validated.
Fixes: https://github.com/nodejs/node/issues/19371
PR-URL: https://github.com/nodejs/node/pull/19554
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Shingo Inoue <leko.noor@gmail.com>
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
- Use `common.mustCall()` and `common.mustNotCall()`.
- Use ternary operator.
PR-URL: https://github.com/nodejs/node/pull/19640
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
This commit renames fs_req_wrap to FSReqWrapSync to make it consistent
with most of the other classes in the code base.
PR-URL: https://github.com/nodejs/node/pull/19614
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
This commit moves PipeConnectWrap and TCPConnectWrap into the object
destructuring assigments that already exist for pipe_wrap and tcp_wrap.
PR-URL: https://github.com/nodejs/node/pull/19611
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Weijia Wang <starkwang@126.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
The third argument of `assert.throws()` is a message that is used by the
AssertionError, not the message to check in the thrown error. It appears
that there is an assert.throws() in test-http-parser that expects the
latter behavior. Rewrite the call to check the error message. Even if
this wasn't a mistake, this change results in a more robust check.
PR-URL: https://github.com/nodejs/node/pull/19626
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Use common.mustCall() where appropriate. Remove some logic that is not
required when common.mustCall() is used (incrementor/decrementor to make
sure everything is called the same number of times).
PR-URL: https://github.com/nodejs/node/pull/19625
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
The old variants have been deprecated since b20af8088a4d5cccb19.
Refs: https://github.com/nodejs/node/pull/18415
PR-URL: https://github.com/nodejs/node/pull/19602
Reviewed-By: Tiancheng "Timothy" Gu <timothygu99@gmail.com>
Reviewed-By: Weijia Wang <starkwang@126.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Original commit message follows:
Before this commit `Content-Length: 4 2` was accepted as a valid
header and recorded as `parser->content_length = 42`. Now it is
a parse error that fails with error `HPE_INVALID_CONTENT_LENGTH`.
Downstream users that inspect `parser->content_length` and naively
parse the string value using `strtoul()` might get confused by the
discrepancy between the two values. Resolve that by simply not
letting it happen.
Fixes: https://github.com/nodejs-private/security/issues/178
PR-URL: https://github.com/nodejs-private/http-parser-private/pull/1
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Evan Lucas <evanlucas@me.com>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
This is a security release. All Node.js users should consult the
security release summary at:
https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/
for details on patched vulnerabilities.
Fixes for the following CVEs are included in this release:
* CVE-2018-7158
* CVE-2018-7159
* CVE-2018-7160
Notable changes:
* Upgrade to OpenSSL 1.0.2o: Does not contain any security fixes that
are known to impact Node.js.
* **Fix for inspector DNS rebinding vulnerability (CVE-2018-7160)**:
A malicious website could use a DNS rebinding attack to trick a web
browser to bypass same-origin-policy checks and allow HTTP
connections to localhost or to hosts on the local network,
potentially to an open inspector port as a debugger, therefore
gaining full code execution access. The inspector now only allows
connections that have a browser `Host` value of `localhost` or
`localhost6`.
* **Fix for `'path'` module regular expression denial of service
(CVE-2018-7158)**: A regular expression used for parsing POSIX an
Windows paths could be used to cause a denial of service if an
attacker were able to have a specially crafted path string passed
through one of the impacted `'path'` module functions.
* **Reject spaces in HTTP `Content-Length` header values
(CVE-2018-7159)**: The Node.js HTTP parser allowed for spaces inside
`Content-Length` header values. Such values now lead to rejected
connections in the same way as non-numeric values.
* **Update root certificates**: 5 additional root certificates have
been added to the Node.js binary and 30 have been removed.
* cluster:
- Add support for `NODE_OPTIONS="--inspect"` (Sameer Srivastava)
https://github.com/nodejs/node/pull/19165
* crypto:
- Expose the public key of a certificate (Hannes Magnusson)
https://github.com/nodejs/node/pull/17690
* n-api:
- Add `napi_fatal_exception` to trigger an `uncaughtException` in
JavaScript (Mathias Buus)
https://github.com/nodejs/node/pull/19337
* path:
- Fix regression in `posix.normalize` (Michaël Zasso)
https://github.com/nodejs/node/pull/19520
* stream:
- Improve stream creation performance (Brian White)
https://github.com/nodejs/node/pull/19401
* Added new collaborators
- [BethGriggs](https://github.com/BethGriggs) Beth Griggs
PR-URL: https://github.com/nodejs-private/node-private/pull/111
This is a security release. All Node.js users should consult the
security release summary at:
https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/
for details on patched vulnerabilities.
Fixes for the following CVEs are included in this release:
* CVE-2018-7158
* CVE-2018-7159
* CVE-2018-7160
Notable changes:
* Upgrade to OpenSSL 1.0.2o: Does not contain any security fixes that
are known to impact Node.js.
* **Fix for inspector DNS rebinding vulnerability (CVE-2018-7160)**:
A malicious website could use a DNS rebinding attack to trick a web
browser to bypass same-origin-policy checks and allow HTTP
connections to localhost or to hosts on the local network,
potentially to an open inspector port as a debugger, therefore
gaining full code execution access. The inspector now only allows
connections that have a browser `Host` value of `localhost` or
`localhost6`.
* **Fix for `'path'` module regular expression denial of service
(CVE-2018-7158)**: A regular expression used for parsing POSIX an
Windows paths could be used to cause a denial of service if an
attacker were able to have a specially crafted path string passed
through one of the impacted `'path'` module functions.
* **Reject spaces in HTTP `Content-Length` header values
(CVE-2018-7159)**: The Node.js HTTP parser allowed for spaces inside
`Content-Length` header values. Such values now lead to rejected
connections in the same way as non-numeric values.
* **Update root certificates**: 5 additional root certificates have
been added to the Node.js binary and 30 have been removed.
PR-URL: https://github.com/nodejs-private/node-private/pull/112
This is a security release. All Node.js users should consult the
security release summary at:
https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/
for details on patched vulnerabilities.
Fixes for the following CVEs are included in this release:
* CVE-2018-7158
* CVE-2018-7159
* CVE-2018-7160
Notable changes:
* Upgrade to OpenSSL 1.0.2o: Does not contain any security fixes that
are known to impact Node.js.
* **Fix for inspector DNS rebinding vulnerability (CVE-2018-7160)**:
A malicious website could use a DNS rebinding attack to trick a web
browser to bypass same-origin-policy checks and allow HTTP
connections to localhost or to hosts on the local network,
potentially to an open inspector port as a debugger, therefore
gaining full code execution access. The inspector now only allows
connections that have a browser `Host` value of `localhost` or
`localhost6`.
* **Fix for `'path'` module regular expression denial of service
(CVE-2018-7158)**: A regular expression used for parsing POSIX an
Windows paths could be used to cause a denial of service if an
attacker were able to have a specially crafted path string passed
through one of the impacted `'path'` module functions.
* **Reject spaces in HTTP `Content-Length` header values
(CVE-2018-7159)**: The Node.js HTTP parser allowed for spaces inside
`Content-Length` header values. Such values now lead to rejected
connections in the same way as non-numeric values.
* **Update root certificates**: 5 additional root certificates have
been added to the Node.js binary and 30 have been removed.
PR-URL: https://github.com/nodejs-private/node-private/pull/113
This is a security release. All Node.js users should consult the
security release summary at:
https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/
for details on patched vulnerabilities.
Fixes for the following CVEs are included in this release:
* CVE-2018-7158
* CVE-2018-7159
Notable Changes:
* Upgrade to OpenSSL 1.0.2o: Does not contain any security fixes that
are known to impact Node.js.
* **Fix for `'path'` module regular expression denial of service
(CVE-2018-7158)**: A regular expression used for parsing POSIX an
Windows paths could be used to cause a denial of service if an
attacker were able to have a specially crafted path string passed
through one of the impacted `'path'` module functions.
* **Reject spaces in HTTP `Content-Length` header values
(CVE-2018-7159)**: The Node.js HTTP parser allowed for spaces inside
`Content-Length` header values. Such values now lead to rejected
connections in the same way as non-numeric values.
* **Update root certificates**: 5 additional root certificates have
been added to the Node.js binary and 30 have been removed.
PR-URL: https://github.com/nodejs-private/node-private/pull/110
- node and v8 did not call into std::string previously,
so that access was shut off.
- this fixes compilation for ICU 58.2 (backlevel) but may
be expressed in other versions also.
Fixes: https://github.com/nodejs/node/issues/19151
PR-URL: https://github.com/nodejs/node/pull/19624
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Tiancheng "Timothy" Gu <timothygu99@gmail.com>
This commit renames all JavaScript source files in lib to lower
snake_case.
PR-URL: https://github.com/nodejs/node/pull/19556
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Tiancheng "Timothy" Gu <timothygu99@gmail.com>
In openssl s_client on Windows, RAND_screen() is invoked to initialize
random state but it takes several seconds in each connection.
This added -no_rand_screen to openssl s_client on Windows to skip
RAND_screen() and gets a better performance in the unit test of
test-tls-server-verify.
Do not enable this except to use in the unit test.
Backport-PR-URL: https://github.com/nodejs/node/pull/19638
Fixes: https://github.com/nodejs/io.js/issues/1461
PR-URL: https://github.com/nodejs/io.js/pull/1836
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
All symlink files in `deps/openssl/openssl/include/openssl/`
are removed and replaced with real header files to avoid
issues on Windows. Two files of opensslconf.h in crypto and
include dir are replaced to refer config/opensslconf.h.
PR-URL: https://github.com/nodejs/node/pull/19638
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Rod Vagg <rod@vagg.org>
This replaces all sources of openssl-1.0.2o.tar.gz into
deps/openssl/openssl
PR-URL: https://github.com/nodejs/node/pull/19638
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Rod Vagg <rod@vagg.org>
Whenever we call into an addon, whether it is for a callback, for
module init, or for async work-related reasons, we should make sure
that
* the last error is cleared,
* the scopes before the call are the same as after, and
* if an exception was thrown and captured inside the module, then it is
re-thrown after the call.
Therefore we should call into the module in a unified fashion. This
change introduces the macro NAPI_CALL_INTO_MODULE() which should be
used whenever invoking a callback provided by the module.
Fixes: https://github.com/nodejs/node/issues/19437
PR-URL: https://github.com/nodejs/node/pull/19537
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
* improve text for easier comprehension
* clarify that performance impact is *negative*
* remove superfluous "either" (should only be used when there are 2
options anyway)
* remove superfluous italics
* line wrap at 80 chars
PR-URL: https://github.com/nodejs/node/pull/19623
Reviewed-By: Shingo Inoue <leko.noor@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Tiancheng "Timothy" Gu <timothygu99@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
According to NIST SP 800 38D, this is the document the link orginally
pointed to.
Fixes: https://github.com/nodejs/node/issues/17619
PR-URL: https://github.com/nodejs/node/pull/19593
Reviewed-By: Weijia Wang <starkwang@126.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Otherwise, this condition would result in an error that just reads
`cb is not a function`, and which additionally could have lost
stack trace context through a `process.nextTick()` call.
PR-URL: https://github.com/nodejs/node/pull/19510
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Bump the version due to additions to the api.
PR-URL: https://github.com/nodejs/node/pull/19497
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
This changes a sentence fragment into a full sentence and provides a few
other minor improvements.
PR-URL: https://github.com/nodejs/node/pull/19622
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Reviewed-By: Shingo Inoue <leko.noor@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
The color output was broken at some point and that was not detected
because it was not tested for properly so far. This makes sure the
colors work again and it adds a regression test as well.
PR-URL: https://github.com/nodejs/node/pull/19464
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Change v6 to 6.0.0. We abandoned v-notation for versions to avoid
confusion between v8 (version 8.0.0) and V8 (the JavaScript engine).
PR-URL: https://github.com/nodejs/node/pull/19567
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
Remove the CNNIC certificates again and remove the whitelist from commit
3beb88071 ("crypto: add cert check to CNNIC Whitelist") from June 2015.
PR-URL: https://github.com/nodejs/node/pull/19322
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
