When subject and verifier are represented as strings, escape special
characters (such as '+') to guarantee unambiguity. Previously, different
distinguished names could result in the same string when encoded. In
particular, inserting a '+' in a single-value Relative Distinguished
Name (e.g., L or OU) would produce a string that is indistinguishable
from a multi-value Relative Distinguished Name. Third-party code that
correctly interprets the generated string representation as a
multi-value Relative Distinguished Name could then be vulnerable to an
injection attack, e.g., when an attacker includes a single-value RDN
with type OU and value 'HR + CN=example.com', the string representation
produced by unpatched versions of Node.js would be
'OU=HR + CN=example.com', which represents a multi-value RDN.
Node.js itself is not vulnerable to this attack because the current
implementation that parses such strings into objects does not handle '+'
at all. This oversight leads to incorrect results, but at the same time
appears to prevent injection attacks (as described above).
With this change, the JavaScript objects representing the subject and
issuer Relative Distinguished Names are constructed in C++ directly,
instead of (incorrectly) encoding them as strings and then (incorrectly)
decoding the strings in JavaScript.
This addresses CVE-2021-44533.
CVE-ID: CVE-2021-44533
PR-URL: https://github.com/nodejs-private/node-private/pull/300
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Previously, Node.js incorrectly accepted uniformResourceIdentifier (URI)
subject alternative names in checkServerIdentity regardless of the
application protocol. This was incorrect even in the most common cases.
For example, RFC 2818 specifies (and RFC 6125 confirms) that HTTP over
TLS only uses dNSName and iPAddress subject alternative names, but not
uniformResourceIdentifier subject alternative names.
Additionally, name constrained certificate authorities might not be
constrained to specific URIs, allowing them to issue certificates for
URIs that specify hosts that they would not be allowed to issue dNSName
certificates for.
Even for application protocols that make use of URI subject alternative
names (such as SIP, see RFC 5922), Node.js did not implement the
required checks correctly, for example, because checkServerIdentity
ignores the URI scheme.
As a side effect, this also fixes an edge case. When a hostname is not
an IP address and no dNSName subject alternative name exists, the
subject's Common Name should be considered even when an iPAddress
subject alternative name exists.
It remains possible for users to pass a custom checkServerIdentity
function to the TLS implementation in order to implement custom identity
verification logic.
This addresses CVE-2021-44531.
CVE-ID: CVE-2021-44531
PR-URL: https://github.com/nodejs-private/node-private/pull/300
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
This change introduces JSON-compatible escaping rules for strings that
include X.509 GeneralName components (see RFC 5280). This non-standard
format avoids ambiguities and prevents injection attacks that could
previously lead to X.509 certificates being accepted even though they
were not valid for the target hostname.
These changes affect the format of subject alternative names and the
format of authority information access. The checkServerIdentity function
has been modified to safely handle the new format, eliminating the
possibility of injecting subject alternative names into the verification
logic.
Because each subject alternative name is only encoded as a JSON string
literal if necessary for security purposes, this change will only be
visible in rare cases.
This addresses CVE-2021-44532.
CVE-ID: CVE-2021-44532
PR-URL: https://github.com/nodejs-private/node-private/pull/300
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
These functions are currently not being used and their security should
be audited before any potential future use.
PR-URL: https://github.com/nodejs-private/node-private/pull/300
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Don't rewrite the README if we're not running inside a GitHub Action.
PR-URL: https://github.com/nodejs/node/pull/41422
Reviewed-By: Anatoli Papirovski <apapirovski@mac.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
PR-URL: https://github.com/nodejs/node/pull/41434
Reviewed-By: Guy Bedford <guybedford@gmail.com>
Reviewed-By: Mohammed Keyvanzadeh <mohammadkeyvanzade94@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/41444
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Qingyu Deng <i@ayase-lab.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
watchClosed() is only ever called with an anonymous function for the
action parameter. This anonymous funciton does not take any arguments.
Remove unused argument from invocation of action().
PR-URL: https://github.com/nodejs/node/pull/41403
Reviewed-By: Yongsheng Zhang <zyszys98@gmail.com>
Reviewed-By: Mohammed Keyvanzadeh <mohammadkeyvanzade94@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Notable changes:
- `uv_ip_name()` has been added.
- On Windows, `uv_fs_read()` and `uv_fs_write()` now return
`UV_EBADF` instead of `UV_EPERM` when the file descriptor
was opened with incorrect flags. This matches the behavior
on other platforms.
- Streams can be reset and attempted to read from after
EOF is read.
- The main thread now has a valid ID instead of `NULL`.
- `uv_cpu_info()` now supports `aarch64`.
- Several minor issues related to mingw32 have been fixed.
PR-URL: https://github.com/nodejs/node/pull/41398
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Mohammed Keyvanzadeh <mohammadkeyvanzade94@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Beth Griggs <bgriggs@redhat.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
The argument supplied is expected to be text, not numeric.
This wasn't causing issues with the automated job because it does not
send an argument. It uses the default.
PR-URL: https://github.com/nodejs/node/pull/41394
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Anto Aravinth <anto.aravinth.cse@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Zijian Liu <lxxyxzj@gmail.com>
Reviewed-By: Anatoli Papirovski <apapirovski@mac.com>
Update configure.py, Makefile, and common.gypi to get the
build started on z/OS.
Co-authored-by: Gaby Baghdadi <baghdadi@ca.ibm.com>
Co-authored-by: Wayne Zhang <zsw007@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/41273
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Ujjwal Sharma <ryzokuken@disroot.org>
PR-URL: https://github.com/nodejs/node/pull/41236
Reviewed-By: Darshan Sen <raisinten@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Refs: https://github.com/nodejs/node/issues/41286
This is one of the remaining high indicende failures
in the CI. Mark as flaky while it is investigated.
Signed-off-by: Michael Dawson <mdawson@devrus.com>
PR-URL: https://github.com/nodejs/node/pull/41409
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
* Remove link to ECMAScript specification because the term Abstract
Equality Comparison is no longer used there.
* Edit surprising-results material
* Other minor edits
PR-URL: https://github.com/nodejs/node/pull/41375
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Split the two example command lines for updating the `REPLACEME` tags
into separate `console` fenced code blocks. This fixes some stray
"`" characters and makes each example one-click copiable when viewing
the guide in GitHub's web UI.
PR-URL: https://github.com/nodejs/node/pull/41269
Refs: https://github.com/nodejs/node/pull/39544
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Beth Griggs <bgriggs@redhat.com>
These changes no-duplicate-require.js so that it doesn't use an
assignment in a conditional, which can be easy to misread as a
comparison rather than an assignment. It also means we change a do/while
(which we don't use much in our code) to the much more common while
construct.
PR-URL: https://github.com/nodejs/node/pull/41325
Reviewed-By: Michaël Zasso <targos@protonmail.com>
PR-URL: https://github.com/nodejs/node/pull/40532
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Minwoo Jung <nodecorelab@gmail.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Make sure there is at least one required field in each issue template.
Leave the title blank to enforce that as a required field as well.
PR-URL: https://github.com/nodejs/node/pull/41378
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
This line of code has been implemented in the prepareError function.
PR-URL: https://github.com/nodejs/node/pull/39239
Reviewed-By: Robert Nagy <ronagy@icloud.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Yongsheng Zhang <zyszys98@gmail.com>
We define `retval` as a tuple and then replace the tuple by "appending"
items with `+=` but that actually creates a new tuple every time.
Because it is intended to be mutable, use a list instead, then return a
tuple from the function, as it should be immutable outside the function.
PR-URL: https://github.com/nodejs/node/pull/41372
Reviewed-By: Christian Clauss <cclauss@me.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
- Add missing initiatlization of last error which
was reported by coverity.
Signed-off-by: Michael Dawson <mdawson@devrus.com>
PR-URL: https://github.com/nodejs/node/pull/41290
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Minwoo Jung <nodecorelab@gmail.com>
Refs: https://github.com/nodejs/node/issues/41123
- This is one of the remaining high occurance flaky
tests from the reliability reports and recent
failures in the CI. Mark as flaky until issue
is resolved under referenced issue.
Signed-off-by: Michael Dawson <mdawson@devrus.com>
PR-URL: https://github.com/nodejs/node/pull/41302
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/40852
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
The additional objects that were getting added and deleted from the
activeTimersMap object were slowing down the rest of the timers code,
so this change falls back to using the ref counts to count the active
timers inside process.getActiveResourcesInfo().
Fixes: https://github.com/nodejs/node/issues/41219
Signed-off-by: Darshan Sen <darshan.sen@postman.com>
PR-URL: https://github.com/nodejs/node/pull/41231
Reviewed-By: Anatoli Papirovski <apapirovski@mac.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
This is fairly expensive code that unnecessarily bloats the
contents of the inline function.
PR-URL: https://github.com/nodejs/node/pull/41331
Reviewed-By: Gerhard Stöbich <deb2001-github@yahoo.de>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Darshan Sen <raisinten@gmail.com>
This is possible because the async stack is always expected
to match the native call stack, and saves performance overhead
that comes from the usage of `v8::Global`.
PR-URL: https://github.com/nodejs/node/pull/41331
Reviewed-By: Gerhard Stöbich <deb2001-github@yahoo.de>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Darshan Sen <raisinten@gmail.com>
Remove the lats of the unintentional error-masking in commit-queue.sh.
With this change, `tools/lint-sh.js . --from-npx` at last passes.
PR-URL: https://github.com/nodejs/node/pull/41356
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Tierney Cyren <hello@bnb.im>
Reviewed-By: Zijian Liu <lxxyxzj@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
