Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

What is the case of using Buffer.allocUnsafe() and Buffer.alloc()?

Tags:

node.js

I am confused about using Buffer.allocUnsafe() and Buffer.alloc() , I know that Buffer.allocUnsafe() creates a buffer with pre-filled data or old buffers, but why do i need such thing if Buffer.alloc() creates a buffer with zero filled data

like image 390
Abdulrahman Falyoun Avatar asked Apr 23 '19 06:04

Abdulrahman Falyoun

2 Answers

In Node.js Buffer is an abstraction over RAM, therefore if you allocate it in an unsafe way, there is a high risk of having even some source code in the buffer instance. Try running console.log(Buffer.allocUnsafe(10000).toString('utf-8')) and I guarantee that you will see some code in your stdout.

Allocation is a synchronous operation and we know that single threaded Node.js doesn't really feel good about synchronous stuff. Unsafe allocation is much faster than safe, because the buffer santarization step takes time. Safe allocation is, well, safe, but there is a performance trade off.

I'd suggest sticking to safe allocation first and if you end up with low performance, you can think of ways to implement unsafe allocation, without exposing private stuff. Just keep in mind that allocUnsafe method has the word unsafe for a reason. E.g, if you are going to pass some compliance certification like PCI DSS, I'm pretty sure QSA will notice that and will have a lot of questions.

like image 162
Vladyslav Usenko Avatar answered Nov 14 '22 22:11

Vladyslav Usenko

Buffer.alloc(size, fill, encoding) -> returns a new initialized Buffer of the specified size. This method is slower than Buffer.allocUnsafe(size) but guarantees that newly created Buffer instances never contain old data that is potentially sensitive.

Buffer.allocUnsafe(size) -> the Buffer is uninitialized, the allocated segment of memory might contain old data that is potentially sensitive. Using a Buffer created by Buffer.allocUnsafe() without completely overwriting the memory can allow this old data to be leaked when the Buffer memory is read.

Note: While there are clear performance advantages to using Buffer.allocUnsafe(), extra care must be taken in order to avoid introducing security vulnerabilities into an application

like image 39
Chandan Kumar Avatar answered Nov 14 '22 22:11

Chandan Kumar
Sign in to Comment

Related questions

Mongoose Validation Based on Other Fields [duplicate]
join() for object properties?
Cloud Functions with Firestore error "Deadline Exceeded"
Handlebars as an email template
Object.assign() creates wierd properties when assigns mongoose doc
UnhandledPromiseRejectionWarning: Unhandled promise rejection (rejection id: 1): Error: spawn EACCES Ionic 3
Unable to create views in mysql using sequelize ORM
How do you make a command which restarts your bot in discord.js?
Using google oauth2 for spreadsheets getting an error "google.sheets is not a function"
How to configure mocha to find all test files recursively?
How to use the $in operator with SequelizeJS?
MongoError: The 'cursor' option is required, except for aggregate with the explain argument
NodeJS VM2 proper way to access console when set to 'redirect'
How to properly mock ES6 classes with sinon
Gulp error after upgrading node to v10.4.1
How to hide .html extension in a Node.js server?
Multiple servers on Node.js
Convert JSON (from Sentry) to HTML with TypeScript
how to use nestjs redis microservice?
Setting up dotenv in firebase functions

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!