Ensure buffer does not use noAssert
Note: This vulnerability only exists for versions of Node 9.xx.x and below.
Node.js's Buffer API has the following methods for interacting with a buffer object once one has been instantiated:
'readUInt8', 'readUInt16LE', 'readUInt16BE', 'readUInt32LE', 'readUInt32BE', 'readInt8', 'readInt16LE', 'readInt16BE', 'readInt32LE', 'readInt32BE', 'readFloatLE', 'readFloatBE', 'readDoubleLE', 'readDoubleBE', 'writeUInt8', 'writeUInt16LE', 'writeUInt16BE', 'writeUInt32LE', 'writeUInt32BE', 'writeInt8', 'writeInt16LE', 'writeInt16BE', 'writeInt32LE', 'writeInt32BE', 'writeFloatLE', 'writeFloatBE', 'writeDoubleLE', 'writeDoubleBE'
Prior to Node v0.10, these methods accepted an additional noAssert parameter which, when supplied as true, would allow reading (or writing) outside of the bounds of the buffer.
This can allow, among other things, an attacker to modify the execution of the program or access sensitive information of the program by reading data outside of the allocated buffer, or writing data to a memory segment that has side effects on other parts of the program.
Calling any of the outlined methods with the noAssert parameter supplied and set to true:
    var buf = new Buffer(8);
    // The third argument is noAssert; passing true skips the bounds check on the write.
    buf.writeDoubleBE(0xdeadbeefcafebabe, 0, true);
Being alerted of this error is an indicator that you are on a very old version of Node. In newer versions, the Buffer libraries in particular have been updated to make up for usability and security concerns. It is recommended that you upgrade your Node version, and utilize the newest Buffer interfaces.
Changing out the entire is not often practical, so simply omitting the noAssert parameter would offer safety against this particular vulnerability.