You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
hash.copy() at the TS layer (line 118-123) checks kFinalized first (line 120), then calls new Hash(this[kHandle], options) (line 122)
The Hash constructor when receiving a HashHandle calls algorithm.copy(xofLen) (line 102)
The test bypasses the TS layer's digest() (which sets kFinalized = true) by calling handle.digest() directly on the C++ handle
Then hash.copy() goes through TS which checks kFinalized (still false), passes through, and calls this[kHandle].copy() which hits the C++ clone() method
So the C++ clone() method is the right place for this defense-in-depth check. The old behavior was to silently copy the digest result, creating a new HashContext with the finalized state — which is wrong behavior (Node.js throws).
Now let me check the error type. The PR uses DOMOperationError which is consistent with the other JSG_FAIL_REQUIRE in the same file. Let me check what other "finalized" errors use:
Looking at digest.c++:185 and digest.c++:363, the other finalized checks already use DOMOperationError. Meanwhile, the Node.js layer in crypto.c++ uses plain Error. The DOMOperationError is used for the HashContext/HmacContext methods (which are lower-level crypto primitives), while the Error type is used in the higher-level Node.js crypto module. This is consistent.
Let me also verify that the test checks for the right error pattern. The test asserts message: /already been finalized/ which matches the C++ error "Hash context has already been finalized.".
This is a clean, well-scoped change. The fix is correct -- Node.js throws when copying after digest, and the old behavior of silently cloning the digest was incorrect. The test properly validates the new behavior by reaching into the internal handle to trigger the C++ path.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Matching node.js behavior