DeprecationWarning: Buffer() is deprecated due to security and usability issues #5644

Closed
bsomeshwer opened this issue Sep 12, 2024 · 2 comments

Comments

@bsomeshwer

Describe the bug

DeprecationWarning: Buffer() is deprecated due to security and usability issues

There is a file at the below path:
ace-builds-1.36.2\ace-builds-1.36.2\src\worker-css.js at line number 6507 there is a usage of "Buffer" as below:
child = new Buffer(parent.length);

Hence, this is using the deprecated method.

Expected Behavior

DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead.

Current Behavior

DeprecationWarning: Buffer() is deprecated due to security and usability issues

There is a file at the below path:
ace-builds-1.36.2\ace-builds-1.36.2\src\worker-css.js at line number 6507 there is a usage of "Buffer" as below:
child = new Buffer(parent.length);

Hence, this is using the deprecated method.

Reproduction Steps

DeprecationWarning: Buffer() is deprecated due to security and usability issues

There is a file at the below path:
ace-builds-1.36.2\ace-builds-1.36.2\src\worker-css.js at line number 6507 there is a usage of "Buffer" as below:
child = new Buffer(parent.length);

Hence, this is using the deprecated method.

Possible Solution

DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead.

Additional Information/Context

No response

Ace Version / Browser / OS / Keyboard layout

latest version

@marinsokol5
Contributor

Hey,
thanks for the heads-up!

We don't currently recommend that anyone use the ace-workers found at https://github.com/ajaxorg/ace/tree/master/lib/ace/mode; they are frozen, deprecated packages offering out-of-date and limited language support. They probably shouldn't have been part of the main Ace package from the start.
We did remedy this by not shipping them to ace-code and keeping them out of the src folder though.
We plan on having new guidelines that will communicate this properly as soon as possible.

On this particular vulnerability, it seems it was kept to support older Node versions anyway.
See comment at https://github.com/ajaxorg/ace/blob/master/lib/ace/mode/css/csslint.js#L7549-L7558

That being said, the Buffer() is a potential risk because it doesn't initialize the newly allocated memory, so it might leak previous content, but in this particular case it's created with parent.length and then parent content is poured into it right away (through parent.copy(child);), there is no time for it to leak anything and while the usage of the API can be unsafe in general, I don't see it being misused here.
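
The allocate-then-copy pattern discussed in the comment above, as an added example that is not part of the original thread or of Ace's or csslint's code. The helper names `copyInto` and `cloneBuffer` and the sample input are assumptions made for illustration; it shows why the pattern is safe only while the copy covers every allocated byte, next to a `Buffer.from()` replacement that still runs on old Node.js.

```javascript
'use strict';
// Added example; helper names are hypothetical and not part of Ace or csslint.

// The pattern quoted in the issue: allocate N bytes, then fill them with
// parent.copy(child). Buffer.allocUnsafe() stands in for the deprecated
// new Buffer(size) so running this emits no DeprecationWarning; it does not
// zero the memory it returns, which is the risk the maintainer describes.
function copyInto(allocatedSize, parent) {
  const child = Buffer.allocUnsafe(allocatedSize);
  const written = parent.copy(child); // returns the number of bytes copied
  // Bytes past `written` were never overwritten and may hold old memory.
  return { child, written, untouched: child.length - written };
}

// Replacement that works on current and old Node.js: prefer Buffer.from(),
// and use the legacy constructor only where Buffer.from is missing or is the
// inherited Uint8Array.from (some Node.js 4.x releases).
function cloneBuffer(parent) {
  if (typeof Buffer.from === 'function' && Buffer.from !== Uint8Array.from) {
    return Buffer.from(parent); // copies the bytes into fresh memory
  }
  const child = new Buffer(parent.length); // legacy path, old runtimes only
  parent.copy(child);
  return child;
}

// Constructed sample input.
const parent = Buffer.from('a { color: red; }', 'utf8');

// Case from the issue: size === parent.length, so nothing is left untouched.
const exact = copyInto(parent.length, parent);
console.log('exact size, untouched bytes:', exact.untouched);

// Failure mode: any over-allocation leaves a tail of uninitialized bytes.
const over = copyInto(parent.length + 8, parent);
console.log('over-allocated, untouched bytes:', over.untouched);

// The replacement returns an independent copy of the same bytes.
const copy = cloneBuffer(parent);
copy[0] = 0x62;
console.log('clone independent of parent:', parent[0] === 0x61 && copy[0] === 0x62);
```
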

@bsomeshwer
Author

bsomeshwer commented Sep 12, 2024

@marinsokol5, thank you for the information!
