# disallow use of the Buffer() constructor (no-buffer-constructor)

In Node.js, the behavior of the `Buffer` constructor is different depending on the type of its argument. Passing an argument from user input to `Buffer()` without validating its type can lead to security vulnerabilities such as remote memory disclosure and denial of service. As a result, the `Buffer` constructor has been deprecated and should not be used. Use the producer methods `Buffer.from`, `Buffer.alloc`, and `Buffer.allocUnsafe` instead.

## Rule Details

This rule disallows calling the `Buffer()` constructor, whether as a function or with `new`.

Examples of **incorrect** code for this rule:

```js
new Buffer(5);
new Buffer([1, 2, 3]);

Buffer(5);
Buffer([1, 2, 3]);

new Buffer(res.body.amount);
new Buffer(res.body.values);
```

Examples of **correct** code for this rule:

```js
Buffer.alloc(5);
Buffer.allocUnsafe(5);
Buffer.from([1, 2, 3]);

Buffer.alloc(res.body.amount);
Buffer.from(res.body.values);
```
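
The following is an added example, not part of the original ESLint documentation. It shows the type and size checks that still belong around `Buffer.from` and `Buffer.alloc` when the argument comes from a parsed request body: `Buffer.from` rejects a number and `Buffer.alloc` zero-fills, but `Buffer.alloc` will still allocate whatever size it is given. The names `bufferFromUntrusted`, `allocFromUntrusted`, `check` and `MAX_BYTES` are hypothetical, and the request bodies are constructed sample data.

```javascript
// Added example (not from the ESLint docs): validating untrusted fields
// before they reach Buffer.from / Buffer.alloc.
const MAX_BYTES = 1024; // assumed application limit, hypothetical value

// Convert an untrusted value that is expected to be text into a Buffer.
// The explicit type check keeps a JSON number, array or object from
// changing how the producer method interprets the argument.
function bufferFromUntrusted(value) {
  if (typeof value !== "string") {
    throw new TypeError("expected a string");
  }
  if (Buffer.byteLength(value, "utf8") > MAX_BYTES) {
    throw new RangeError("input too large");
  }
  return Buffer.from(value, "utf8");
}

// Allocate a zero-filled buffer whose size comes from untrusted input.
// The upper bound is what prevents a memory-exhaustion request.
function allocFromUntrusted(amount) {
  if (!Number.isInteger(amount) || amount < 0 || amount > MAX_BYTES) {
    throw new RangeError("size out of range");
  }
  return Buffer.alloc(amount);
}

// Constructed sample bodies, shaped as a JSON parser would produce them.
const bodies = [
  { values: "hello", amount: 5 },     // well-formed
  { values: 4096, amount: 5 },        // number where text was expected
  { values: "hi", amount: 2 ** 30 },  // oversized allocation request
];

// Run both checks and report either the buffers or the error class.
function check(body) {
  try {
    return {
      data: bufferFromUntrusted(body.values),
      scratch: allocFromUntrusted(body.amount),
    };
  } catch (err) {
    return { error: err.name };
  }
}

const results = bodies.map(check);
console.log(results);
```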

## When Not To Use It

If you don't use Node.js, or you still need to support versions of Node.js that lack methods like `Buffer.from`, then you should not enable this rule.

## Further Reading

* [Buffer API documentation](https://nodejs.org/api/buffer.html)
* [Let's fix Node.js Buffer API](https://github.com/ChALkeR/notes/blob/master/Lets-fix-Buffer-API.md)
* [Buffer(number) is unsafe](https://github.com/nodejs/node/issues/4660)