Within Node.js, attempt to determine if libuv is using io_uring. If it
is, disable process.setuid() and other user identity setters.
We cannot fully prevent users from changing the process's user identity,
but this should still prevent some accidental, dangerous scenarios.
PR-URL: https://github.com/nodejs-private/node-private/pull/528
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
CVE-ID: CVE-2024-22017
This patch adds support for using
`vm.constants.USE_MAIN_CONTEXT_DEFAULT_LOADER` as
`importModuleDynamically` in all APIs that take the option
except `vm.SourceTextModule`. This allows users to have a shortcut
to support dynamic import() in the compiled code without missing
the compilation cache if they don't need customization of the
loading process. We emit an experimental warning when the
`import()` is actually handled by the default loader through
this option instead of requiring `--experimental-vm-modules`.
In addition this refactors the documentation for
`importModuleDynamically` and adds a dedicated section for it
with examples.
`vm.SourceTextModule` is not supported in this patch because
it needs additional refactoring to handle `initializeImportMeta`,
which can be done in a follow-up.
PR-URL: https://github.com/nodejs/node/pull/51244
Fixes: https://github.com/nodejs/node/issues/51154
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Chengzhong Wu <legendecas@gmail.com>
Object.defineProperty allows changing the value of
non-writable properties if they are configurable. We
missed that case when checking if a
property is read-only.
Fixes: https://github.com/nodejs/node/issues/47799
PR-URL: https://github.com/nodejs/node/pull/51602
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
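
The descriptor behaviour that commit message refers to, as an added example that is not code from the Node.js repository: a read-only check that looks only at `writable` misclassifies properties that `Object.defineProperty` can still change. The function names and the sample object are constructed for illustration.

```javascript
// Naive check: treats every non-writable data property as immutable.
function naiveIsReadOnly(obj, key) {
  const desc = Object.getOwnPropertyDescriptor(obj, key);
  return desc !== undefined && desc.writable === false;
}

// Stricter check: a data property is immutable only when it is neither
// writable nor configurable. Accessor descriptors have no `writable`
// field, so they are reported as not immutable here.
function isImmutable(obj, key) {
  const desc = Object.getOwnPropertyDescriptor(obj, key);
  return desc !== undefined &&
         desc.writable === false &&
         desc.configurable === false;
}

// Constructed sample: two non-writable properties that differ only in
// their `configurable` attribute.
function buildSample() {
  const target = {};
  Object.defineProperty(target, 'soft',
    { value: 1, writable: false, configurable: true });
  Object.defineProperty(target, 'hard',
    { value: 1, writable: false, configurable: false });
  return target;
}

// Try both mutation paths and report what happened.
function probe(obj, key) {
  return {
    naive: naiveIsReadOnly(obj, key),
    immutable: isImmutable(obj, key),
    // Plain assignment semantics: fails for any non-writable property.
    assigned: Reflect.set(obj, key, 2),
    // Redefinition: succeeds while the property is still configurable.
    redefined: Reflect.defineProperty(obj, key, { value: 3 }),
    value: obj[key],
  };
}

const sample = buildSample();
console.log('soft', probe(sample, 'soft'));
console.log('hard', probe(sample, 'hard'));
```
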
Now that --experimental-fetch is true by default, define the
dependent interfaces in the built-in snapshot and only delete
them at run time when --no-experimental-fetch is set.
PR-URL: https://github.com/nodejs/node/pull/51598
Reviewed-By: Ethan Arrowood <ethan@arrowood.dev>
Reviewed-By: Matthew Aitken <maitken033380023@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Implementing the inspector session object as an async resource causes
unwanted context change when a breakpoint callback function is being
called. Modelling the inspector api without the AsyncWrap base class
ensures that the callback has access to the AsyncLocalStorage instance
that is active in the affected user function.
See `test-inspector-async-context-brk.js` for an illustration of the
use case.
PR-URL: https://github.com/nodejs/node/pull/51501
Reviewed-By: Gerhard Stöbich <deb2001-github@yahoo.de>
Reviewed-By: Stephen Belanger <admin@stephenbelanger.com>
Recent failures seem to be only caused by insufficient space left on the
device.
PR-URL: https://github.com/nodejs/node/pull/51472
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Debadree Chatterjee <debadree333@gmail.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/51385
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
At the point of `FreeEnvironment` and onwards, no JavaScript execution
associated with the Environment should be triggered.
Avoid draining platform tasks that can trigger JavaScript execution in
`FreeEnvironment`. The holder of `node::Environment` should immediately
call `node::MultiIsolatePlatform::UnregisterIsolate` and
`v8::Isolate::Dispose` to cancel pending foreground tasks and join
concurrent tasks after the environment was freed.
`NodePlatform` can properly handle the case in `RunForegroundTask` when
an Isolate out-lives its associated `node::Environment`.
PR-URL: https://github.com/nodejs/node/pull/51290
Fixes: https://github.com/nodejs/node/issues/47748
Fixes: https://github.com/nodejs/node/issues/49344
Reviewed-By: Vinícius Lourenço Claro Cardoso <contact@viniciusl.com.br>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
This commit gives Node.js the ability to also receive custom settings,
in addition to sending them, which was implemented before.
The custom settings received are limited to setting ids
that were specified before, when creating the session either through
the server or the client.
PR-URL: https://github.com/nodejs/node/pull/51323
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Paolo Insogna <paolo@cowtech.it>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
With V8 11.9, the maximum ArrayBuffer length can be as high as 2**53,
which is a bit too large for current hardware.
PR-URL: https://github.com/nodejs/node/pull/50115
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Replace `Array.prototype.forEach()` with `for...of` in
`parallel/test-whatwg-encoding-custom-textdecoder-utf16-surrogates.js`.
PR-URL: https://github.com/nodejs/node/pull/50608
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Replace `Array.prototype.forEach()` with `for...of` in
`test/parallel/test-fs-readv-sync.js` and
`test/parallel/test-fs-readv.js`.
PR-URL: https://github.com/nodejs/node/pull/50787
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/50790
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Unlike other fs functions that work with paths, realpath isn't
using pathModule.toNamespacedPath prior to calling libuv function. This
is causing issues on Windows.
Windows long path test is also improved to cover the mentioned issue.
Fixes: https://github.com/nodejs/node/issues/51031
PR-URL: https://github.com/nodejs/node/pull/51032
Reviewed-By: LiviaMedeiros <livia@cirno.name>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Replace `forEach()` with `for...of` in
`test/parallel/test-assert-typedarray-deepequal.js`.
PR-URL: https://github.com/nodejs/node/pull/50610
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
When cloning a `ReadableStream` and `WritableStream`, both use an
internal `MessageChannel` to communicate with the original stream.
Those, however, previously were not unref'd which would lead to the
process not exiting if the stream was not fully consumed.
Fixes: https://github.com/nodejs/node/issues/44985
PR-URL: https://github.com/nodejs/node/pull/51255
Reviewed-By: Matthew Aitken <maitken033380023@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Debadree Chatterjee <debadree333@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/50794
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>