Skip to content

buffer: disallow ArrayBuffer transfer on pooled buffer #61372

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
legendecas wants to merge 2 commits into
base: main
Choose a base branch
from
Open

buffer: disallow ArrayBuffer transfer on pooled buffer #61372

legendecas wants to merge 2 commits into from
+110 −2

Conversation

@legendecas
Copy link
Member

@legendecas legendecas commented Jan 13, 2026
edited
Loading

deps: V8: cherry-pick c5ff7c4d6cde

Original commit message:

[builtins] disallow ArrayBuffer transfer with a detach key

This allows embedder to disallow `ArrayBuffer.prototype.transfer()` on
an arraybuffer that is not detachable. This also fix the check on
`ArrayBufferCopyAndDetach` step 8 of `ArrayBuffer.prototype.transfer`.

Refs: https://github.com/nodejs/node/issues/61362
Refs: https://tc39.es/ecma262/#sec-arraybuffercopyanddetach
Change-Id: I3c6e156a8fad007fd100218d8b16aed5c4e1db68
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7454288
Commit-Queue: Chengzhong Wu <[email protected]>
Reviewed-by: Olivier Flückiger <[email protected]>
Cr-Commit-Position: refs/heads/main@{#104697}

Refs: v8/v8@c5ff7c4

buffer: disallow ArrayBuffer transfer on pooled buffer

This is an alternative solution that disallows transfer operation on buffer pool.

Depends on https://chromium-review.googlesource.com/c/v8/v8/+/7454288.

Fixes: #61362

@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented Jan 13, 2026

Review requested:

  • @nodejs/security-wg
  • @nodejs/v8-update

@nodejs-github-bot nodejs-github-bot added c++ Issues and PRs that require attention from people who are familiar with C++. lib / src Issues and PRs related to general changes in the lib or src directory. needs-ci PRs that need a full CI run. labels Jan 13, 2026
@ChALkeR ChALkeR mentioned this pull request Jan 13, 2026
Open
@Renegade334
Copy link
Member

Renegade334 commented Jan 13, 2026
edited
Loading

This requires V8 changes to properly work.

I don't believe so – calling SetDetachKey() on the array buffer object should effectively mark the object as untransferable, without setting the flag on the object handle directly?

@ChALkeR ChALkeR mentioned this pull request Jan 13, 2026
Open
@legendecas
Copy link
Member Author

legendecas commented Jan 13, 2026

https://chromium-review.googlesource.com/c/v8/v8/+/7454288 would be required to have SetDetachKey() properly disables arrayBuffer.transfer().

@Renegade334 Renegade334 mentioned this pull request Jan 14, 2026
Closed
@legendecas
deps: V8: cherry-pick c5ff7c4d6cde
2209d95 
Original commit message:

    [builtins] disallow ArrayBuffer transfer with a detach key

    This allows embedder to disallow `ArrayBuffer.prototype.transfer()` on
    an arraybuffer that is not detachable. This also fix the check on
    `ArrayBufferCopyAndDetach` step 8 of `ArrayBuffer.prototype.transfer`.

    Refs: nodejs#61362
    Refs: https://tc39.es/ecma262/#sec-arraybuffercopyanddetach
    Change-Id: I3c6e156a8fad007fd100218d8b16aed5c4e1db68
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7454288
    Commit-Queue: Chengzhong Wu <[email protected]>
    Reviewed-by: Olivier Flückiger <[email protected]>
    Cr-Commit-Position: refs/heads/main@{#104697}

Refs: v8/v8@c5ff7c4
@legendecas legendecas marked this pull request as ready for review January 15, 2026 14:24
addaleax
addaleax approved these changes Jan 15, 2026
View reviewed changes
lib/internal/buffer.js
obj[untransferable_object_private_symbol] = true;

if (isArrayBuffer(obj)) {
setDetachKey(obj, Symbol('unique_detach_key_for_untransferable_arraybuffer'));
Copy link
Member

@addaleax addaleax Jan 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

^ linter comment seems applicable

lib/internal/buffer.js

// This would better be placed in internal/worker/io.js, but that doesn't work
// because Buffer needs this and that would introduce a cyclic dependency.
function markAsUntransferable(obj) {
Copy link
Member

@addaleax addaleax Jan 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a public method on the worker_threads module, I'd suggest adding a documentation update there (and I'd say this doesn't count as a breaking change, since it is very much in line with the intent of this method)

Renegade334
Renegade334 reviewed Jan 15, 2026
View reviewed changes
lib/internal/buffer.js
obj[untransferable_object_private_symbol] = true;

if (isArrayBuffer(obj)) {
setDetachKey(obj, Symbol('unique_detach_key_for_untransferable_arraybuffer'));
Copy link
Member

@Renegade334 Renegade334 Jan 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: is there any disadvantage to making this a static key, rather than generating a new symbol for each invocation?

@codecov
Copy link

codecov bot commented Jan 15, 2026

Codecov Report

❌ Patch coverage is 83.87097% with 5 lines in your changes missing coverage. Please review.
✅ Project coverage is 87.91%. Comparing base (daeafc0) to head (70fcbd5).
⚠️ Report is 12 commits behind head on main.

Files with missing lines Patch % Lines
lib/buffer.js 78.57% 3 Missing ⚠️
src/node_buffer.cc 77.77% 0 Missing and 2 partials ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main   #61372      +/-   ##
==========================================
- Coverage   88.51%   87.91%   -0.60%     
==========================================
  Files         704      702       -2     
  Lines      208776   208395     -381     
  Branches    40301    40125     -176     
==========================================
- Hits       184803   183220    -1583     
- Misses      15966    17470    +1504     
+ Partials     8007     7705     -302
Files with missing lines Coverage Δ
lib/internal/buffer.js 98.73% <100.00%> (+<0.01%) ⬆️
src/node_buffer.cc 68.90% <77.77%> (+0.08%) ⬆️
lib/buffer.js 99.78% <78.57%> (-0.22%) ⬇️

... and 74 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Renegade334 Renegade334 Renegade334 left review comments

@addaleax addaleax addaleax approved these changes

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

c++ Issues and PRs that require attention from people who are familiar with C++. lib / src Issues and PRs related to general changes in the lib or src directory. needs-ci PRs that need a full CI run.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Can not construct Buffer after different Buffer was previously transfererd

4 participants

@legendecas @nodejs-github-bot @Renegade334 @addaleax