You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The problem arises when a number is passed in, e.g. from user-submitted JSON-encoded data.
The API should not propagate the already-bad Buffer issue further.
On Node.js 6.x and below, this exposes uninitialized memory, which could contain sensitive data.
This can be also used to cause a DoS on any Node.js version by consuming the memory when large numbers are passed on input.
Steps To Reproduce:
console.log(require('utile').base64.encode(200)) (Node.js 6.x and lower — note uninitialized memory in output)
require('utile').base64.encode(1e8) (any Node.js verision — note memory usage and time)
Thoughts on Remediation
The source code in base64.js says that both encode¹ and decode² expect a string parameter. I see two obvious solutions.
Return null when base64.encode or base64.decode are given something other than a string.
Convert the parameter passed into base64.encode and base64.decode into a string before encoding or decoding.
To preserve backward compatibility with existing usage that might not be expecting null as a return value from encoding or decoding values that are not strings, I think we should covert the parameter to a string then perform that encode or decode operation.
Vulnerability Description
From: https://hackerone.com/reports/321701
Thoughts on Remediation
The source code in base64.js says that both encode¹ and decode² expect a string parameter. I see two obvious solutions.
To preserve backward compatibility with existing usage that might not be expecting null as a return value from encoding or decoding values that are not strings, I think we should covert the parameter to a string then perform that encode or decode operation.
¹ https://github.com/flatiron/utile/blob/master/lib/base64.js#L12
² https://github.com/flatiron/utile/blob/master/lib/base64.js#L30
The text was updated successfully, but these errors were encountered: