From 0187716be561fe18d16aacd4465a79417d86d069 Mon Sep 17 00:00:00 2001 From: Antoine du Hamel Date: Sun, 20 Dec 2020 12:59:44 +0100 Subject: [PATCH] buffer: make FastBuffer safe to construct Using an explicit constructor is necessary to avoid relying on `Array.prototype[Symbol.iterator]` and `%ArrayIteratorPrototype%.next`, which can be mutated by users. PR-URL: /~https://github.com/nodejs/node/pull/36587 Refs: /~https://github.com/nodejs/node/pull/36428 Refs: /~https://github.com/nodejs/node/pull/36532 Reviewed-By: Rich Trott Reviewed-By: Luigi Pinca --- lib/internal/buffer.js | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/lib/internal/buffer.js b/lib/internal/buffer.js index 60f6cab093135d..3515626041bbad 100644 --- a/lib/internal/buffer.js +++ b/lib/internal/buffer.js @@ -949,7 +949,14 @@ function writeFloatBackwards(val, offset = 0) { return offset; } -class FastBuffer extends Uint8Array {} +class FastBuffer extends Uint8Array { + // Using an explicit constructor here is necessary to avoid relying on + // `Array.prototype[Symbol.iterator]`, which can be mutated by users. + // eslint-disable-next-line no-useless-constructor + constructor(bufferOrLength, byteOffset, length) { + super(bufferOrLength, byteOffset, length); + } +} function addBufferPrototypeMethods(proto) { proto.readBigUInt64LE = readBigUInt64LE;