Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add the WS_NO_{BUFFER_UTIL, UTF_8_VALIDATE} variables #2056

Merged
merged 1 commit into from
Jun 9, 2022
Merged

Add the WS_NO_{BUFFER_UTIL, UTF_8_VALIDATE} variables #2056

merged 1 commit into from
Jun 9, 2022

Conversation

lpinca
Copy link
Member

@lpinca lpinca commented Jun 8, 2022
edited
Loading

When set to non empty values, the WS_NO_BUFFER_UTIL and
WS_NO_UTF_8_VALIDATE environment variables, prevent the optional
bufferutil and utf-8-validate dependencies from being required,
respectively.

These might be useful to enhance security in systems where a user can
put a package in the package search path of an application of another
user, due to how the Node.js resolver algorithm works.

@lpinca
Copy link
Member Author

lpinca commented Jun 8, 2022

cc: @arhart

@arhart
Copy link

arhart commented Jun 8, 2022

@lpinca The code looks good, and I've confirmed that setting WS_NO_BUFFER_UTIL and/or WS_NO_UTF_8_VALIDATE to non-empty strings prevent the calls to require(), as expected.

I liked this sentence from the commit message:

These might be useful to enhance security in systems where a user can
put a package in the package search path of an application of another
user, due to how the Node.js resolver algorithm work.

Could you add something like that to the README.md as well? Perhaps like this:

To not even try to require and use these modules, use the
[`WS_NO_BUFFER_UTIL`](./doc/ws.md#ws_no_buffer_util) and
[`WS_NO_UTF_8_VALIDATE`](./doc/ws.md#ws_no_utf_8_validate) environment
variables. These might be useful to enhance security in systems where a user can
put a package in the package search path of an application of another
user, due to how the Node.js resolver algorithm work.

@lpinca
Copy link
Member Author

lpinca commented Jun 8, 2022

Done.

@arhart
Copy link

arhart commented Jun 8, 2022

Thanks, LGTM

@lpinca lpinca mentioned this pull request Jun 9, 2022
Closed
1 task
@lpinca
[feature] Add the WS_NO_{BUFFER_UTIL, UTF_8_VALIDATE} variables
3500073 
When set to non empty values, the `WS_NO_BUFFER_UTIL` and
`WS_NO_UTF_8_VALIDATE` environment variables, prevent the optional
`bufferutil` and `utf-8-validate` dependencies  from being required,
respectively.

These might be useful to enhance security in systems where a user can
put a package in the package search path of an application of another
user, due to how the Node.js resolver algorithm works.
@lpinca lpinca merged commit becf237 into master Jun 9, 2022
@lpinca lpinca deleted the add/enviroment-variables branch June 9, 2022 17:00
@kirill-ivanovvv kirill-ivanovvv mentioned this pull request Jul 30, 2024
Closed
14 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@lpinca @arhart