1
0
mirror of https://github.com/titanscouting/tra-analysis.git synced 2025-07-29 13:58:50 +00:00
Files
apps
data analysis
website
functions
node_modules
.bin
@types
accepts
array-flatten
body-parser
buffer-equal-constant-time
bytes
content-disposition
content-type
cookie
cookie-signature
cors
debug
depd
destroy
ecdsa-sig-formatter
ee-first
encodeurl
escape-html
etag
express
finalhandler
firebase-functions
forwarded
fresh
http-errors
iconv-lite
inherits
ipaddr.js
jsonwebtoken
jwa
jws
lodash
lodash.includes
lodash.isboolean
lodash.isinteger
lodash.isnumber
lodash.isplainobject
lodash.isstring
lodash.once
media-typer
merge-descriptors
methods
mime
mime-db
mime-types
ms
negotiator
npm
bin
changelogs
doc
html
lib
man
node_modules
.bin
JSONStream
abbrev
agent-base
agentkeepalive
ajv
ansi-align
ansi-regex
ansi-styles
ansicolors
ansistyles
aproba
archy
are-we-there-yet
asap
asn1
assert-plus
asynckit
aws-sign2
aws4
balanced-match
bcrypt-pbkdf
bin-links
block-stream
bluebird
boxen
brace-expansion
buffer-from
builtin-modules
builtins
byline
byte-size
cacache
call-limit
camelcase
capture-stack-trace
caseless
chalk
chownr
ci-info
cidr-regex
cli-boxes
cli-columns
cli-table3
cliui
clone
cmd-shim
co
code-point-at
color-convert
color-name
colors
columnify
combined-stream
concat-map
concat-stream
config-chain
configstore
console-control-strings
copy-concurrently
core-util-is
create-error-class
cross-spawn
crypto-random-string
cyclist
dashdash
debug
debuglog
decamelize
decode-uri-component
deep-extend
defaults
delayed-stream
delegates
detect-indent
detect-newline
dezalgo
dot-prop
dotenv
duplexer3
duplexify
ecc-jsbn
editor
encoding
end-of-stream
err-code
errno
es6-promise
es6-promisify
escape-string-regexp
execa
extend
extsprintf
fast-deep-equal
fast-json-stable-stringify
figgy-pudding
find-npm-prefix
find-up
flush-write-stream
forever-agent
form-data
from2
fs-minipass
fs-vacuum
fs-write-stream-atomic
fs.realpath
fstream
gauge
genfun
gentle-fs
get-caller-file
get-stream
getpass
glob
global-dirs
got
graceful-fs
har-schema
har-validator
has-flag
has-unicode
hosted-git-info
http-cache-semantics
http-proxy-agent
http-signature
https-proxy-agent
humanize-ms
iconv-lite
iferr
ignore-walk
import-lazy
imurmurhash
inflight
inherits
ini
init-package-json
invert-kv
ip
ip-regex
is-builtin-module
is-ci
is-cidr
is-fullwidth-code-point
is-installed-globally
is-npm
is-obj
is-path-inside
is-redirect
is-retry-allowed
is-stream
is-typedarray
isarray
isexe
isstream
jsbn
json-parse-better-errors
json-schema
json-schema-traverse
json-stringify-safe
jsonparse
jsprim
latest-version
lazy-property
lcid
libcipm
libnpmhook
libnpx
locate-path
lock-verify
lockfile
lodash._baseindexof
lodash._baseuniq
lodash._bindcallback
lodash._cacheindexof
lodash._createcache
lodash._createset
lodash._getnative
lodash._root
lodash.clonedeep
lodash.restparam
lodash.union
lodash.uniq
lodash.without
lowercase-keys
lru-cache
make-dir
make-fetch-happen
meant
mem
mime-db
mime-types
mimic-fn
minimatch
minimist
minipass
minizlib
mississippi
mkdirp
move-concurrently
ms
mute-stream
node-fetch-npm
node-gyp
nopt
normalize-package-data
npm-audit-report
npm-bundled
npm-cache-filename
npm-install-checks
npm-lifecycle
npm-logical-tree
npm-package-arg
npm-packlist
npm-pick-manifest
npm-profile
npm-registry-client
npm-registry-fetch
npm-run-path
npm-user-validate
npmlog
number-is-nan
oauth-sign
object-assign
once
opener
os-homedir
os-locale
os-tmpdir
osenv
p-finally
p-limit
p-locate
p-try
package-json
pacote
parallel-transform
path-exists
path-is-absolute
path-is-inside
path-key
performance-now
pify
prepend-http
process-nextick-args
promise-inflight
promise-retry
promzard
proto-list
protoduck
prr
pseudomap
psl
pump
pumpify
punycode
qrcode-terminal
qs
query-string
qw
rc
read
read-cmd-shim
read-installed
read-package-json
read-package-tree
readable-stream
readdir-scoped-modules
registry-auth-token
registry-url
request
require-directory
require-main-filename
resolve-from
retry
rimraf
run-queue
safe-buffer
safer-buffer
LICENSE
Porting-Buffer.md
Readme.md
dangerous.js
package.json
safer.js
tests.js
semver
semver-diff
set-blocking
sha
shebang-command
shebang-regex
signal-exit
slash
slide
smart-buffer
socks
socks-proxy-agent
sorted-object
sorted-union-stream
spdx-correct
spdx-exceptions
spdx-expression-parse
spdx-license-ids
sshpk
ssri
stream-each
stream-iterate
stream-shift
strict-uri-encode
string-width
string_decoder
stringify-package
strip-ansi
strip-eof
strip-json-comments
supports-color
tar
term-size
text-table
through
through2
timed-out
tiny-relative-date
tough-cookie
tunnel-agent
tweetnacl
typedarray
uid-number
umask
unique-filename
unique-slug
unique-string
unpipe
unzip-response
update-notifier
url-parse-lax
util-deprecate
util-extend
uuid
validate-npm-package-license
validate-npm-package-name
verror
wcwidth
which
which-module
wide-align
widest-line
worker-farm
wrap-ansi
wrappy
write-file-atomic
xdg-basedir
xtend
y18n
yallist
yargs
yargs-parser
scripts
.licensee.json
.mailmap
.npmignore
.travis.yml
AUTHORS
CHANGELOG.md
CONTRIBUTING.md
LICENSE
Makefile
README.md
appveyor.yml
configure
make.bat
package.json
object-assign
on-finished
parseurl
path-to-regexp
proxy-addr
qs
range-parser
raw-body
safe-buffer
safer-buffer
send
serve-static
setprototypeof
statuses
type-is
unpipe
utils-merge
vary
public
.firebaserc
.gitignore
.runtimeconfig.json
firebase.json
firestore.indexes.json
firestore.rules
package-lock.json
.gitattributes
.gitignore
README.md
tra-analysis/website/node_modules/npm/node_modules/safer-buffer
2019-01-06 13:14:45 -06:00
..
2019-01-06 13:14:45 -06:00
2019-01-06 13:14:45 -06:00
2019-01-06 13:14:45 -06:00
2019-01-06 13:14:45 -06:00
2019-01-06 13:14:45 -06:00
2019-01-06 13:14:45 -06:00
2019-01-06 13:14:45 -06:00

safer-buffer travis npm javascript style guide Security Responsible Disclosure

Modern Buffer API polyfill without footguns, working on Node.js from 0.8 to current.

How to use?

First, port all Buffer() and new Buffer() calls to Buffer.alloc() and Buffer.from() API.

Then, to achieve compatibility with outdated Node.js versions (<4.5.0 and 5.x <5.9.0), use const Buffer = require('safer-buffer').Buffer in all files where you make calls to the new Buffer API. Use var instead of const if you need that for your Node.js version range support.

Also, see the porting Buffer guide.

Do I need it?

Hopefully, not — dropping support for outdated Node.js versions should be fine nowdays, and that is the recommended path forward. You do need to port to the Buffer.alloc() and Buffer.from() though.

See the porting guide for a better description.

Why not safe-buffer?

In short: while safe-buffer serves as a polyfill for the new API, it allows old API usage and itself contains footguns.

safe-buffer could be used safely to get the new API while still keeping support for older Node.js versions (like this module), but while analyzing ecosystem usage of the old Buffer API I found out that safe-buffer is itself causing problems in some cases.

For example, consider the following snippet:

$ cat example.unsafe.js
console.log(Buffer(20))
$ ./node-v6.13.0-linux-x64/bin/node example.unsafe.js
<Buffer 0a 00 00 00 00 00 00 00 28 13 de 02 00 00 00 00 05 00 00 00>
$ standard example.unsafe.js
standard: Use JavaScript Standard Style (https://standardjs.com)
  /home/chalker/repo/safer-buffer/example.unsafe.js:2:13: 'Buffer()' was deprecated since v6. Use 'Buffer.alloc()' or 'Buffer.from()' (use 'https://www.npmjs.com/package/safe-buffer' for '<4.5.0') instead.

This is allocates and writes to console an uninitialized chunk of memory. standard linter (among others) catch that and warn people to avoid using unsafe API.

Let's now throw in safe-buffer!

$ cat example.safe-buffer.js
const Buffer = require('safe-buffer').Buffer
console.log(Buffer(20))
$ standard example.safe-buffer.js
$ ./node-v6.13.0-linux-x64/bin/node example.safe-buffer.js
<Buffer 08 00 00 00 00 00 00 00 28 58 01 82 fe 7f 00 00 00 00 00 00>

See the problem? Adding in safe-buffer magically removes the lint warning, but the behavior remains identiсal to what we had before, and when launched on Node.js 6.x LTS — this dumps out chunks of uninitialized memory. And this code will still emit runtime warnings on Node.js 10.x and above.

That was done by design. I first considered changing safe-buffer, prohibiting old API usage or emitting warnings on it, but that significantly diverges from safe-buffer design. After some discussion, it was decided to move my approach into a separate package, and this is that separate package.

This footgun is not imaginary — I observed top-downloaded packages doing that kind of thing, «fixing» the lint warning by blindly including safe-buffer without any actual changes.

Also in some cases, even if the API was migrated to use of safe Buffer API — a random pull request can bring unsafe Buffer API usage back to the codebase by adding new calls — and that could go unnoticed even if you have a linter prohibiting that (becase of the reason stated above), and even pass CI. I also observed that being done in popular packages.

Some examples:

I filed a PR at mysticatea/eslint-plugin-node#110 to partially fix that (for cases when that lint rule is used), but it is a semver-major change for linter rules and presets, so it would take significant time for that to reach actual setups. It also hasn't been released yet (2018-03-20).

Also, safer-buffer discourages the usage of .allocUnsafe(), which is often done by a mistake. It still supports it with an explicit concern barier, by placing it under require('safer-buffer/dangereous').

But isn't throwing bad?

Not really. It's an error that could be noticed and fixed early, instead of causing havoc later like unguarded new Buffer() calls that end up receiving user input can do.

This package affects only the files where var Buffer = require('safer-buffer').Buffer was done, so it is really simple to keep track of things and make sure that you don't mix old API usage with that. Also, CI should hint anything that you might have missed.

New commits, if tested, won't land new usage of unsafe Buffer API this way. Node.js 10.x also deals with that by printing a runtime depecation warning.

Would it affect third-party modules?

No, unless you explicitly do an awful thing like monkey-patching or overriding the built-in Buffer. Don't do that.

But I don't want throwing…

That is also fine!

Also, it could be better in some cases when you don't comprehensive enough test coverage.

In that case — just don't override Buffer and use var SaferBuffer = require('safer-buffer').Buffer instead.

That way, everything using Buffer natively would still work, but there would be two drawbacks:

  • Buffer.from/Buffer.alloc won't be polyfilled — use SaferBuffer.from and SaferBuffer.alloc instead.
  • You are still open to accidentally using the insecure deprecated API — use a linter to catch that.

Note that using a linter to catch accidential Buffer constructor usage in this case is strongly recommended. Buffer is not overriden in this usecase, so linters won't get confused.

«Without footguns»?

Well, it is still possible to do some things with Buffer API, e.g. accessing .buffer property on older versions and duping things from there. You shouldn't do that in your code, probabably.

The intention is to remove the most significant footguns that affect lots of packages in the ecosystem, and to do it in the proper way.

Also, this package doesn't protect against security issues affecting some Node.js versions, so for usage in your own production code, it is still recommended to update to a Node.js version supported by upstream.