mirror of https://github.com/nodejs/node.git synced 2024-11-21 10:59:27 +00:00

History

Tobias Nießen a336444c7f tls: fix handling of x509 subject and issuer When subject and verifier are represented as strings, escape special characters (such as '+') to guarantee unambiguity. Previously, different distinguished names could result in the same string when encoded. In particular, inserting a '+' in a single-value Relative Distinguished Name (e.g., L or OU) would produce a string that is indistinguishable from a multi-value Relative Distinguished Name. Third-party code that correctly interprets the generated string representation as a multi-value Relative Distinguished Name could then be vulnerable to an injection attack, e.g., when an attacker includes a single-value RDN with type OU and value 'HR + CN=example.com', the string representation produced by unpatched versions of Node.js would be 'OU=HR + CN=example.com', which represents a multi-value RDN. Node.js itself is not vulnerable to this attack because the current implementation that parses such strings into objects does not handle '+' at all. This oversight leads to incorrect results, but at the same time appears to prevent injection attacks (as described above). With this change, the JavaScript objects representing the subject and issuer Relative Distinguished Names are constructed in C++ directly, instead of (incorrectly) encoding them as strings and then (incorrectly) decoding the strings in JavaScript. This addresses CVE-2021-44533. CVE-ID: CVE-2021-44533 PR-URL: https://github.com/nodejs-private/node-private/pull/300 Reviewed-By: Michael Dawson <midawson@redhat.com> Reviewed-By: Rich Trott <rtrott@gmail.com>		2022-01-10 22:38:05 +00:00
..
abort
addons	tools,benchmark,lib,test: enable no-case-declarations lint rule	2022-01-05 07:42:19 -08:00
async-hooks	tools,benchmark,lib,test: enable no-case-declarations lint rule	2022-01-05 07:42:19 -08:00
benchmark
cctest	inspector: add missing initialization	2021-12-10 14:06:23 -05:00
common	esm: refactor esm tests out of test/message	2022-01-06 11:07:52 +00:00
doctool
embedding
es-module	esm: refactor esm tests out of test/message	2022-01-06 11:07:52 +00:00
fixtures	tls: fix handling of x509 subject and issuer	2022-01-10 22:38:05 +00:00
fuzzers
internet
js-native-api
known_issues
message	esm: refactor esm tests out of test/message	2022-01-06 11:07:52 +00:00
node-api
overlapped-checker
parallel	tls: fix handling of x509 subject and issuer	2022-01-10 22:38:05 +00:00
pseudo-tty
pummel	test: mark test-worker-take-heapsnapshot flaky	2021-12-22 12:45:15 -05:00
report
sequential	test: mark test-performance-eventloopdelay flaky	2022-01-06 01:14:28 +00:00
testpy
tick-processor
tools
v8-updates
wasi
wpt	test: mark wpt/test-user-timing test flaky	2021-12-22 11:47:54 -05:00
.eslintrc.yaml
README.md
root.status

README.md

Node.js Core Tests

This directory contains code and data used to test the Node.js implementation.

For a detailed guide on how to write tests in this directory, see the guide on writing tests.

On how to run tests in this directory, see the contributing guide.

For the tests to run on Windows, be sure to clone Node.js source code with the autocrlf git config flag set to true.

Test Directories

Directory	Runs on CI	Purpose
`abort`	Yes	Tests that use `--abort-on-uncaught-exception` and other situations where we want to test something but avoid generating a core file.
`addons`	Yes	Tests for addon functionality along with some tests that require an addon.
`async-hooks`	Yes	Tests for async_hooks functionality.
`benchmark`	Yes	Test minimal functionality of benchmarks.
`cctest`	Yes	C++ tests that are run as part of the build process.
`code-cache`	No	Tests for a Node.js binary compiled with V8 code cache.
`common`		Common modules shared among many tests. Documentation
`doctool`	Yes	Tests for the documentation generator.
`es-module`	Yes	Test ESM module loading.
`fixtures`		Test fixtures used in various tests throughout the test suite.
`internet`	No	Tests that make real outbound network connections. Tests for networking related modules may also be present in other directories, but those tests do not make outbound connections.
`js-native-api`	Yes	Tests for Node.js-agnostic n-api functionality.
`known_issues`	Yes	Tests reproducing known issues within the system. All tests inside of this directory are expected to fail. If a test doesn't fail on certain platforms, those should be skipped via `known_issues.status`.
`message`	Yes	Tests for messages that are output for various conditions (`console.log`, error messages etc.)
`node-api`	Yes	Tests for Node.js-specific n-api functionality.
`parallel`	Yes	Various tests that are able to be run in parallel.
`pseudo-tty`	Yes	Tests that require stdin/stdout/stderr to be a TTY.
`pummel`	No	Various tests for various modules / system functionality operating under load.
`sequential`	Yes	Various tests that must not run in parallel.
`testpy`		Test configuration utility used by various test suites.
`tick-processor`	No	Tests for the V8 tick processor integration. The tests are for the logic in `lib/internal/v8_prof_processor.js` and `lib/internal/v8_prof_polyfill.js`. The tests confirm that the profile processor packages the correct set of scripts from V8 and introduces the correct platform specific logic.
`v8-updates`	No	Tests for V8 performance integration.