Update: use safe Buffer allocators instead of unsafe constructor (#184)

Author: linuxwolf

.eslintrc

@@ -12,6 +12,7 @@
   ],
   "rules": {
     "mocha-no-only/mocha-no-only": ["warn"],
+    "no-buffer-constructor": ["error"],
     "no-shadow": ["off"],
     "no-underscore-dangle": ["off"],
     "strict": ["error", "global"],

lib/algorithms/aes-cbc-hmac-sha2.js

@@ -73,7 +73,7 @@ function commonCbcEncryptFN(size) {
       return helpers.subtleCrypto.encrypt(alg, key, pdata);
     });
     promise = promise.then(function(cdata) {
-      cdata = new Buffer(cdata);
+      cdata = Buffer.from(cdata);
       return cdata;
     });
 
@@ -163,7 +163,7 @@ function commonCbcDecryptFN(size) {
       return helpers.subtleCrypto.decrypt(alg, key, cdata);
     });
     promise = promise.then(function(pdata) {
-      pdata = new Buffer(pdata);
+      pdata = Buffer.from(pdata);
       return pdata;
     });
 
@@ -215,8 +215,8 @@ function cbcHmacEncryptFN(size) {
 
     var eKey = key.slice(size / 8),
         iKey = key.slice(0, size / 8),
-        iv = props.iv || new Buffer(0),
-        adata = props.aad || props.adata || new Buffer(0);
+        iv = props.iv || Buffer.alloc(0),
+        adata = props.aad || props.adata || Buffer.alloc(0);
 
     // STEP 1 -- Encrypt
     var promise = commonEncrypt(eKey, pdata, iv);
@@ -262,9 +262,9 @@ function cbcHmacDecryptFN(size) {
 
     var eKey = key.slice(size / 8),
         iKey = key.slice(0, size / 8),
-        iv = props.iv || new Buffer(0),
-        adata = props.aad || props.adata || new Buffer(0),
-        tag = props.tag || props.mac || new Buffer(0);
+        iv = props.iv || Buffer.alloc(0),
+        adata = props.aad || props.adata || Buffer.alloc(0),
+        tag = props.tag || props.mac || Buffer.alloc(0);
 
     var promise = Promise.resolve();
 
@@ -299,9 +299,9 @@ function cbcHmacDecryptFN(size) {
   };
 }
 
-var EncryptionLabel = new Buffer("Encryption", "utf8");
-var IntegrityLabel = new Buffer("Integrity", "utf8");
-var DotLabel = new Buffer(".", "utf8");
+var EncryptionLabel = Buffer.from("Encryption", "utf8");
+var IntegrityLabel = Buffer.from("Integrity", "utf8");
+var DotLabel = Buffer.from(".", "utf8");
 
 function generateCek(masterKey, alg, epu, epv) {
   var masterSize = masterKey.length * 8;
@@ -313,7 +313,7 @@ function generateCek(masterKey, alg, epu, epv) {
       helpers.int32ToBuffer(1),
       masterKey,
       helpers.int32ToBuffer(cekSize),
-      new Buffer(alg, "utf8"),
+      Buffer.from(alg, "utf8"),
       epu,
       epv,
       EncryptionLabel
@@ -342,7 +342,7 @@ function generateCik(masterKey, alg, epu, epv) {
       helpers.int32ToBuffer(1),
       masterKey,
       helpers.int32ToBuffer(cikSize),
-      new Buffer(alg, "utf8"),
+      Buffer.from(alg, "utf8"),
       epu,
       epv,
       IntegrityLabel
@@ -367,9 +367,9 @@ function concatKdfCbcHmacEncryptFN(size, alg) {
   return function(key, pdata, props) {
     var epu = props.epu || helpers.int32ToBuffer(0),
         epv = props.epv || helpers.int32ToBuffer(0),
-        iv = props.iv || new Buffer(0),
-        adata = props.aad || props.adata || new Buffer(0),
-        kdata = props.kdata || new Buffer(0);
+        iv = props.iv || Buffer.alloc(0),
+        adata = props.aad || props.adata || Buffer.alloc(0),
+        kdata = props.kdata || Buffer.alloc(0);
 
     // Pre Step 1 -- Generate Keys
     var promises = [
@@ -394,11 +394,11 @@ function concatKdfCbcHmacEncryptFN(size, alg) {
       var mdata = Buffer.concat([
         adata,
         DotLabel,
-        new Buffer(kdata),
+        Buffer.from(kdata),
         DotLabel,
-        new Buffer(util.base64url.encode(iv), "utf8"),
+        Buffer.from(util.base64url.encode(iv), "utf8"),
         DotLabel,
-        new Buffer(util.base64url.encode(cdata), "utf8")
+        Buffer.from(util.base64url.encode(cdata), "utf8")
       ]);
       return Promise.all([
         Promise.resolve(cdata),
@@ -422,10 +422,10 @@ function concatKdfCbcHmacDecryptFN(size, alg) {
   return function(key, cdata, props) {
     var epu = props.epu || helpers.int32ToBuffer(0),
         epv = props.epv || helpers.int32ToBuffer(0),
-        iv = props.iv || new Buffer(0),
-        adata = props.aad || props.adata || new Buffer(0),
-        kdata = props.kdata || new Buffer(0),
-        tag = props.tag || props.mac || new Buffer(0);
+        iv = props.iv || Buffer.alloc(0),
+        adata = props.aad || props.adata || Buffer.alloc(0),
+        kdata = props.kdata || Buffer.alloc(0),
+        tag = props.tag || props.mac || Buffer.alloc(0);
 
     // Pre Step 1 -- Generate Keys
     var promises = [
@@ -447,11 +447,11 @@ function concatKdfCbcHmacDecryptFN(size, alg) {
       var mdata = Buffer.concat([
         adata,
         DotLabel,
-        new Buffer(kdata),
+        Buffer.from(kdata),
         DotLabel,
-        new Buffer(util.base64url.encode(iv), "utf8"),
+        Buffer.from(util.base64url.encode(iv), "utf8"),
         DotLabel,
-        new Buffer(util.base64url.encode(cdata), "utf8")
+        Buffer.from(util.base64url.encode(cdata), "utf8")
       ]);
 
       try {

lib/algorithms/aes-gcm.js

@@ -21,8 +21,8 @@ function gcmEncryptFN(size) {
 
   // ### 'fallback' implementation -- uses forge
   var fallback = function(key, pdata, props) {
-    var iv = props.iv || new Buffer(0),
-        adata = props.aad || props.adata || new Buffer(0),
+    var iv = props.iv || Buffer.alloc(0),
+        adata = props.aad || props.adata || Buffer.alloc(0),
         cipher,
         cdata;
 
@@ -40,7 +40,7 @@ function gcmEncryptFN(size) {
       additionalData: adata
     });
     // ciphertext is the same length as plaintext
-    cdata = new Buffer(pdata.length);
+    cdata = Buffer.alloc(pdata.length);
 
     var promise = new Promise(function(resolve, reject) {
       var amt = CONSTANTS.CHUNK_SIZE,
@@ -82,8 +82,8 @@ function gcmEncryptFN(size) {
   // ### WebCryptoAPI implementation
   // TODO: cache CryptoKey sooner
   var webcrypto = function(key, pdata, props) {
-    var iv = props.iv || new Buffer(0),
-        adata = props.aad || props.adata || new Buffer(0);
+    var iv = props.iv || Buffer.alloc(0),
+        adata = props.aad || props.adata || Buffer.alloc(0);
 
     try {
       commonChecks(key, iv, adata);
@@ -109,10 +109,10 @@ function gcmEncryptFN(size) {
       var tagStart = result.byteLength - 16;
 
       var tag = result.slice(tagStart);
-      tag = new Buffer(tag);
+      tag = Buffer.from(tag);
 
       var cdata = result.slice(0, tagStart);
-      cdata = new Buffer(cdata);
+      cdata = Buffer.from(cdata);
 
       return {
         data: cdata,
@@ -125,8 +125,8 @@ function gcmEncryptFN(size) {
 
   // ### NodeJS implementation
   var nodejs = function(key, pdata, props) {
-    var iv = props.iv || new Buffer(0),
-        adata = props.aad || props.adata || new Buffer(0);
+    var iv = props.iv || Buffer.alloc(0),
+        adata = props.aad || props.adata || Buffer.alloc(0);
 
     try {
       commonChecks(key, iv, adata);
@@ -177,9 +177,9 @@ function gcmDecryptFN(size) {
 
   // ### fallback implementation -- uses forge
   var fallback = function(key, cdata, props) {
-    var adata = props.aad || props.adata || new Buffer(0),
-        iv = props.iv || new Buffer(0),
-        tag = props.tag || props.mac || new Buffer(0),
+    var adata = props.aad || props.adata || Buffer.alloc(0),
+        iv = props.iv || Buffer.alloc(0),
+        tag = props.tag || props.mac || Buffer.alloc(0),
         cipher,
         pdata;
 
@@ -198,7 +198,7 @@ function gcmDecryptFN(size) {
       tag: tag
     });
     // plaintext is the same length as ciphertext
-    pdata = new Buffer(cdata.length);
+    pdata = Buffer.alloc(cdata.length);
 
     var promise = new Promise(function(resolve, reject) {
       var amt = CONSTANTS.CHUNK_SIZE,
@@ -241,9 +241,9 @@ function gcmDecryptFN(size) {
   // ### WebCryptoAPI implementation
   // TODO: cache CryptoKey sooner
   var webcrypto = function(key, cdata, props) {
-    var adata = props.aad || props.adata || new Buffer(0),
-        iv = props.iv || new Buffer(0),
-        tag = props.tag || props.mac || new Buffer(0);
+    var adata = props.aad || props.adata || Buffer.alloc(0),
+        iv = props.iv || Buffer.alloc(0),
+        tag = props.tag || props.mac || Buffer.alloc(0);
 
     // validate inputs
     try {
@@ -270,17 +270,17 @@ function gcmDecryptFN(size) {
       return helpers.subtleCrypto.decrypt(alg, key, cdata);
     });
     promise = promise.then(function(pdata) {
-      pdata = new Buffer(pdata);
+      pdata = Buffer.from(pdata);
       return pdata;
     });
 
     return promise;
   };
 
   var nodejs = function(key, cdata, props) {
-    var adata = props.aad || props.adata || new Buffer(0),
-        iv = props.iv || new Buffer(0),
-        tag = props.tag || props.mac || new Buffer(0);
+    var adata = props.aad || props.adata || Buffer.alloc(0),
+        iv = props.iv || Buffer.alloc(0),
+        tag = props.tag || props.mac || Buffer.alloc(0);
 
     // validate inputs
     try {

lib/algorithms/aes-kw.js

@@ -9,12 +9,12 @@ var helpers = require("./helpers.js"),
     forge = require("../deps/forge.js"),
     DataBuffer = require("../util/databuffer.js");
 
-var A0 = new Buffer("a6a6a6a6a6a6a6a6", "hex");
+var A0 = Buffer.from("a6a6a6a6a6a6a6a6", "hex");
 
 // ### helpers
 function xor(a, b) {
   var len = Math.max(a.length, b.length);
-  var result = new Buffer(len);
+  var result = Buffer.alloc(len);
   for (var idx = 0; len > idx; idx++) {
     result[idx] = (a[idx] || 0) ^ (b[idx] || 0);
   }
@@ -32,7 +32,7 @@ function split(input, size) {
 function longToBigEndian(input) {
   var hi = Math.floor(input / 4294967296),
       lo = input % 4294967296;
-  var output = new Buffer(8);
+  var output = Buffer.alloc(8);
   output[0] = 0xff & (hi >>> 24);
   output[1] = 0xff & (hi >>> 16);
   output[2] = 0xff & (hi >>> 8);
@@ -114,7 +114,7 @@ function kwEncryptFN(size) {
                                           alg);
     });
     promise = promise.then(function(result) {
-      result = new Buffer(result);
+      result = Buffer.from(result);
 
       return {
         data: result
@@ -194,7 +194,7 @@ function kwDecryptFN(size) {
       return helpers.subtleCrypto.exportKey("raw", result);
     });
     promise = promise.then(function(result) {
-      result = new Buffer(result);
+      result = Buffer.from(result);
       return result;
     });
     return promise;

lib/algorithms/concat.js

@@ -38,7 +38,7 @@ function concatDeriveFn(name) {
         return Buffer.concat(okm).slice(0, keyLen);
       }
 
-      var T = new Buffer(4 + key.length + otherInfo.length);
+      var T = Buffer.alloc(4 + key.length + otherInfo.length);
       T.writeUInt32BE(idx, 0);
       key.copy(T, 4);
       otherInfo.copy(T, 4 + key.length);

lib/algorithms/ec-util.js

@@ -65,7 +65,7 @@ function convertToObj(key, isPublic) {
   return result;
 }
 
-var UNCOMPRESSED = new Buffer([0x04]);
+var UNCOMPRESSED = Buffer.from([0x04]);
 function convertToBuffer(key, isPublic) {
   key = convertToObj(key, isPublic);
   var result = isPublic ?

lib/algorithms/ecdh.js

@@ -128,7 +128,7 @@ function ecdhDeriveFn() {
       return helpers.subtleCrypto.deriveBits(algParams, privKey, keyLen * 8);
     });
     p = p.then(function(result) {
-      result = new Buffer(result);
+      result = Buffer.from(result);
       return result;
     });
     return p;
@@ -262,7 +262,7 @@ function doEcdhesCommonDerive(privKey, pubKey, props) {
       apu = util.asBuffer(props.apu || "", "base64url"),
       apv = util.asBuffer(props.apv || "", "base64url");
   var otherInfo = Buffer.concat([
-    prependLen(new Buffer(algId, "utf8")),
+    prependLen(Buffer.from(algId, "utf8")),
     prependLen(apu),
     prependLen(apv),
     helpers.int32ToBuffer(keyLen)

lib/algorithms/ecdsa.js

@@ -71,7 +71,7 @@ function ecdsaSignFN(hash) {
       return helpers.subtleCrypto.sign(alg, key, pdata);
     });
     promise = promise.then(function(result) {
-      result = new Buffer(result);
+      result = Buffer.from(result);
       return {
         data: pdata,
         mac: result

lib/algorithms/helpers.js

@@ -12,7 +12,7 @@ if (typeof Promise === "undefined") {
 
 // ###
 exports.int32ToBuffer = function(v, b) {
-  b = b || new Buffer(4);
+  b = b || Buffer.alloc(4);
   b[0] = (v >>> 24) & 0xff;
   b[1] = (v >>> 16) & 0xff;
   b[2] = (v >>> 8) & 0xff;
@@ -22,7 +22,7 @@ exports.int32ToBuffer = function(v, b) {
 
 var MAX_INT32 = Math.pow(2, 32);
 exports.int64ToBuffer = function(v, b) {
-  b = b || new Buffer(8);
+  b = b || Buffer.alloc(8);
   var hi = Math.floor(v / MAX_INT32),
       lo = v % MAX_INT32;
   hi = exports.int32ToBuffer(hi);

lib/algorithms/hkdf.js

@@ -26,10 +26,9 @@ function hkdfDeriveFn(name) {
     props = props || {};
     var salt = props.salt;
     if (!salt || 0 === salt.length) {
-      salt = new Buffer(hashLen);
-      salt.fill(0);
+      salt = Buffer.alloc(hashLen);
     }
-    var info = props.info || new Buffer(0);
+    var info = props.info || Buffer.alloc(0);
     var keyLen = props.length || hashLen;
 
     var promise;
@@ -44,9 +43,9 @@ function hkdfDeriveFn(name) {
       }
 
       if (!T) {
-        T = new Buffer(0);
+        T = Buffer.alloc(0);
       }
-      T = Buffer.concat([T, info, new Buffer([idx])]);
+      T = Buffer.concat([T, info, Buffer.from([idx])]);
       T = op(key, T);
       T = T.then(function(result) {
         T = result.mac;

lib/algorithms/hmac.js

@@ -61,7 +61,7 @@ function hmacSignFN(name) {
       return helpers.subtleCrypto.sign(alg, key, pdata);
     });
     promise = promise.then(function(result) {
-      var sig = new Buffer(result);
+      var sig = Buffer.from(result);
       return {
         data: pdata,
         mac: sig
@@ -142,7 +142,7 @@ function hmacVerifyFN(name) {
         return helpers.subtleCrypto.sign(alg, key, pdata);
       });
       promise = promise.then(function(result) {
-        var sig = new Buffer(result);
+        var sig = Buffer.from(result);
         return compare(props.length, mac, sig);
       });
     } else {