[pve-eslint.git] / eslint / docs / rules / no-buffer-constructor.md

# disallow use of the Buffer() constructor (no-buffer-constructor)

This rule was **deprecated** in ESLint v7.0.0. Please use the corresponding rule in [`eslint-plugin-node`](https://github.com/mysticatea/eslint-plugin-node).

In Node.js, the behavior of the `Buffer` constructor is different depending on the type of its argument. Passing an argument from user input to `Buffer()` without validating its type can lead to security vulnerabilities such as remote memory disclosure and denial of service. As a result, the `Buffer` constructor has been deprecated and should not be used. Use the producer methods `Buffer.from`, `Buffer.alloc`, and `Buffer.allocUnsafe` instead.

## Rule Details

This rule disallows calling and constructing the `Buffer()` constructor.

Examples of **incorrect** code for this rule:

```js
new Buffer(5);
new Buffer([1, 2, 3]);

Buffer(5);
Buffer([1, 2, 3]);

new Buffer(res.body.amount);
new Buffer(res.body.values);
```

Examples of **correct** code for this rule:

```js
Buffer.alloc(5);
Buffer.allocUnsafe(5);
Buffer.from([1, 2, 3]);

Buffer.alloc(res.body.amount);
Buffer.from(res.body.values);
```

## When Not To Use It

If you don't use Node.js, or you still need to support versions of Node.js that lack methods like `Buffer.from`, then you should not enable this rule.

## Further Reading

* [Buffer API documentation](https://nodejs.org/api/buffer.html)
* [Let's fix Node.js Buffer API](https://github.com/ChALkeR/notes/blob/master/Lets-fix-Buffer-API.md)
* [Buffer(number) is unsafe](https://github.com/nodejs/node/issues/4660)
Commit	Line	Data
eb39fafa DC	1	# disallow use of the Buffer() constructor (no-buffer-constructor)
eb39fafa DC	2
56c4a2cb DC	3	This rule was deprecated in ESLint v7.0.0. Please use the corresponding rule in [`eslint-plugin-node`](https://github.com/mysticatea/eslint-plugin-node).
56c4a2cb DC	4
eb39fafa DC	5	In Node.js, the behavior of the `Buffer` constructor is different depending on the type of its argument. Passing an argument from user input to `Buffer()` without validating its type can lead to security vulnerabilities such as remote memory disclosure and denial of service. As a result, the `Buffer` constructor has been deprecated and should not be used. Use the producer methods `Buffer.from`, `Buffer.alloc`, and `Buffer.allocUnsafe` instead.
	6
	7	## Rule Details
	8
	9	This rule disallows calling and constructing the `Buffer()` constructor.
	10
	11	Examples of incorrect code for this rule:
	12
	13	```js
	14	new Buffer(5);
	15	new Buffer([1, 2, 3]);
	16
	17	Buffer(5);
	18	Buffer([1, 2, 3]);
	19
	20	new Buffer(res.body.amount);
	21	new Buffer(res.body.values);
	22	```
	23
	24	Examples of correct code for this rule:
	25
	26	```js
	27	Buffer.alloc(5);
	28	Buffer.allocUnsafe(5);
	29	Buffer.from([1, 2, 3]);
	30
	31	Buffer.alloc(res.body.amount);
	32	Buffer.from(res.body.values);
	33	```
	34
	35	## When Not To Use It
	36
	37	If you don't use Node.js, or you still need to support versions of Node.js that lack methods like `Buffer.from`, then you should not enable this rule.
	38
	39	## Further Reading
	40
	41	* [Buffer API documentation](https://nodejs.org/api/buffer.html)
	42	* [Let's fix Node.js Buffer API](https://github.com/ChALkeR/notes/blob/master/Lets-fix-Buffer-API.md)
	43	* [Buffer(number) is unsafe](https://github.com/nodejs/node/issues/4660)