dangerous-function-buffer-noassert
Ensure buffer does not use noAssert
Note: This vulnerability only exists for versions of Node 9.xx.x and below.
Node.js's Buffer API has the following methods to interact with a buffer object once one has been instantiated:
'readUInt8', 'readUInt16LE', 'readUInt16BE', 'readUInt32LE', 'readUInt32BE', 'readInt8', 'readInt16LE', 'readInt16BE', 'readInt32LE', 'readInt32BE', 'readFloatLE', 'readFloatBE', 'readDoubleLE', 'readDoubleBE', 'writeUInt8', 'writeUInt16LE', 'writeUInt16BE', 'writeUInt32LE', 'writeUInt32BE', 'writeInt8', 'writeInt16LE', 'writeInt16BE', 'writeInt32LE', 'writeInt32BE', 'writeFloatLE', 'writeFloatBE', 'writeDoubleLE', 'writeDoubleBE'
Prior to Node v0.10, these methods accepted an additional noAssert parameter which, when supplied as true, would allow reading (or writing) outside of the bounds of the buffer.
This can allow, among other things, an attacker to modify the execution of the program or access sensitive information of the program by reading data outside of the allocated buffer, or writing data to a memory segment that has side effects on other parts of the program.
Examples
Insecure Example
Calling any of the outlined methods with the noAssert parameter supplied and set to true.
var buf = new Buffer(8);
buf.writeDoubleBE(0xdeadbeefcafebabe, 0, true);
Secure Example
Being alerted to this error is an indicator that you are on a very old version of Node. In newer versions, the Buffer libraries in particular have been updated to address usability and security concerns. It is recommended that you upgrade your Node version and use the newest Buffer interfaces.
Changing out the entire Node version is often not practical, so simply omitting the noAssert parameter offers safety for this particular vulnerability.
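To locate the call sites where noAssert needs to be omitted, the following added example (not this rule's own implementation) scans source text for the methods listed above and reports calls that pass a noAssert argument other than the literal false. The function names findNoAssertCalls and splitArgs and the sample input are assumptions made for illustration, and the check is a text heuristic rather than a full parser.

```javascript
// Added example. Node < 10 signatures:
//   buf.readX(offset, noAssert)   buf.writeX(value, offset, noAssert)
const SIZES = ['UInt8', 'UInt16LE', 'UInt16BE', 'UInt32LE', 'UInt32BE', 'Int8', 'Int16LE',
  'Int16BE', 'Int32LE', 'Int32BE', 'FloatLE', 'FloatBE', 'DoubleLE', 'DoubleBE'];
const CALL = new RegExp('\\.(read|write)(' + SIZES.join('|') + ')\\s*\\(', 'g');

// Split a call's argument list on top-level commas; `start` is the index just after "(".
function splitArgs(src, start) {
  const args = [];
  let depth = 0, cur = '', quote = null;
  for (let i = start; i < src.length; i++) {
    const ch = src[i];
    if (quote) {                                   // inside a string literal
      if (ch === '\\') { cur += ch + (src[++i] || ''); continue; }
      if (ch === quote) quote = null;
    } else if (ch === '"' || ch === "'" || ch === '`') {
      quote = ch;
    } else if ('([{'.includes(ch)) {
      depth++;
    } else if (')]}'.includes(ch)) {
      if (depth === 0) {                           // closing paren of the call itself
        if (cur.trim() || args.length) args.push(cur.trim());
        return args;
      }
      depth--;
    } else if (ch === ',' && depth === 0) {
      args.push(cur.trim()); cur = ''; continue;
    }
    cur += ch;
  }
  return null;                                     // unterminated call
}

// Return every call that passes a noAssert argument other than the literal false.
function findNoAssertCalls(source) {
  const findings = [];
  for (const m of source.matchAll(CALL)) {
    const args = splitArgs(source, m.index + m[0].length);
    const pos = m[1] === 'read' ? 1 : 2;           // argument position of noAssert
    if (!args || args.length <= pos || args[pos] === 'false') continue;
    const line = source.slice(0, m.index).split('\n').length;
    findings.push({ line, method: m[1] + m[2], noAssert: args[pos] });
  }
  return findings;
}
// Constructed sample: lines 2, 3 and 5 pass noAssert; line 4 has a nested comma only.
const SAMPLE = ['var buf = new Buffer(8);', 'buf.writeDoubleBE(0xdeadbeefcafebabe, 0, true);',
  'buf.readUInt32LE(offset, true);', 'buf.writeInt8(clamp(v, 127), 0);',
  'buf.readInt16BE(pos, skipChecks);'].join('\n');
console.log(findNoAssertCalls(SAMPLE));
```

A non-literal argument such as skipChecks is reported as well, because its value cannot be determined from the source text alone.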