http: use Buffer.from to avoid Buffer(num) call

ChALkeR · MylesBorins · commit d6969a717f73 · 2017-07-10T10:59:41.000+01:00
This fixes a potential Buffer(num) call when the user passes a number as the 'auth' property. This now throws instead of allocating an unitialized memory Buffer and sending that in the Authorization header. Fixes: https://github.com/nodejs/security/issues/111 PR-URL: https://github.com/nodejs/node-private/pull/83 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
diff --git a/lib/_http_client.js b/lib/_http_client.js
@@ -102,7 +102,7 @@ function ClientRequest(options, cb) {
   if (options.auth && !this.getHeader('Authorization')) {
     //basic auth
     this.setHeader('Authorization', 'Basic ' +
-                   new Buffer(options.auth).toString('base64'));
+                   Buffer.from(options.auth).toString('base64'));
   }
 
   if (method === 'GET' ||
diff --git a/test/parallel/test-http-auth-number.js b/test/parallel/test-http-auth-number.js
@@ -0,0 +1,13 @@
+'use strict';
+
+require('../common');
+const http = require('http');
+const url = require('url');
+const assert = require('assert');
+
+const opts = url.parse('http://127.0.0.1:8180');
+opts.auth = 100;
+
+assert.throws(() => {
+  http.get(opts);
+}, /^TypeError: "value" argument must not be a number$/);

Original file line number	Diff line number	Diff line change
`@@ -102,7 +102,7 @@ function ClientRequest(options, cb) {`
`102`	`102`	`if (options.auth && !this.getHeader('Authorization')) {`
`103`	`103`	`//basic auth`
`104`	`104`	`this.setHeader('Authorization', 'Basic ' +`
`105`		`- new Buffer(options.auth).toString('base64'));`
	`105`	`+ Buffer.from(options.auth).toString('base64'));`
`106`	`106`	`}`
`107`	`107`
`108`	`108`	`if (method === 'GET' \|\|`