Commit | Line | Data |
---|---|---|
eb39fafa DC |
1 | # disallow use of the Buffer() constructor (no-buffer-constructor) |
2 | ||
56c4a2cb DC |
3 | This rule was **deprecated** in ESLint v7.0.0. Please use the corresponding rule in [`eslint-plugin-node`](https://github.com/mysticatea/eslint-plugin-node). |
4 | ||
eb39fafa DC |
5 | In Node.js, the behavior of the `Buffer` constructor is different depending on the type of its argument. Passing an argument from user input to `Buffer()` without validating its type can lead to security vulnerabilities such as remote memory disclosure and denial of service. As a result, the `Buffer` constructor has been deprecated and should not be used. Use the producer methods `Buffer.from`, `Buffer.alloc`, and `Buffer.allocUnsafe` instead. |
6 | ||
7 | ## Rule Details | |
8 | ||
9 | This rule disallows calling and constructing the `Buffer()` constructor. | |
10 | ||
11 | Examples of **incorrect** code for this rule: | |
12 | ||
13 | ```js | |
14 | new Buffer(5); | |
15 | new Buffer([1, 2, 3]); | |
16 | ||
17 | Buffer(5); | |
18 | Buffer([1, 2, 3]); | |
19 | ||
20 | new Buffer(res.body.amount); | |
21 | new Buffer(res.body.values); | |
22 | ``` | |
23 | ||
24 | Examples of **correct** code for this rule: | |
25 | ||
26 | ```js | |
27 | Buffer.alloc(5); | |
28 | Buffer.allocUnsafe(5); | |
29 | Buffer.from([1, 2, 3]); | |
30 | ||
31 | Buffer.alloc(res.body.amount); | |
32 | Buffer.from(res.body.values); | |
33 | ``` | |
34 | ||
35 | ## When Not To Use It | |
36 | ||
37 | If you don't use Node.js, or you still need to support versions of Node.js that lack methods like `Buffer.from`, then you should not enable this rule. | |
38 | ||
39 | ## Further Reading | |
40 | ||
41 | * [Buffer API documentation](https://nodejs.org/api/buffer.html) | |
42 | * [Let's fix Node.js Buffer API](https://github.com/ChALkeR/notes/blob/master/Lets-fix-Buffer-API.md) | |
43 | * [Buffer(number) is unsafe](https://github.com/nodejs/node/issues/4660) |
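
The following is an added example, not part of the ESLint documentation: it shows the type check the rule's rationale calls for when a value comes from a parsed request body, plus a size bound, since `Buffer.alloc(res.body.amount)` still allocates whatever size the caller asks for. The helper names and the `MAX_ALLOC_BYTES` limit are hypothetical, and the request bodies are constructed samples.

```javascript
// Hypothetical helpers (not part of ESLint or Node.js).
const MAX_ALLOC_BYTES = 64 * 1024; // assumed application limit

// Payload bytes: only strings and byte arrays are accepted. A JSON number
// such as {"values": 5} is rejected instead of being treated as a length.
function bufferFromPayload(value) {
  if (typeof value === 'string') {
    return Buffer.from(value, 'utf8');
  }
  if (Array.isArray(value) &&
      value.every((b) => Number.isInteger(b) && b >= 0 && b <= 255)) {
    return Buffer.from(value);
  }
  throw new TypeError('payload must be a string or an array of bytes');
}

// Requested size: must be a bounded, non-negative integer.
// Buffer.alloc returns zero-filled memory.
function bufferOfSize(amount) {
  if (!Number.isInteger(amount) || amount < 0 || amount > MAX_ALLOC_BYTES) {
    throw new RangeError(`size must be an integer in 0..${MAX_ALLOC_BYTES}`);
  }
  return Buffer.alloc(amount);
}

// Constructed request bodies, as they would arrive before JSON.parse.
function demo() {
  const bodies = [
    '{"values": "hello"}',
    '{"values": [1, 2, 3]}',
    '{"values": 5}',                   // number where bytes were expected
    '{"values": {"length": 1000000}}', // array-like object, not a byte array
  ];
  return bodies.map((raw) => {
    try {
      return bufferFromPayload(JSON.parse(raw).values).length;
    } catch (err) {
      return err.name;
    }
  });
}

console.log(demo());
```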