iframe-proxy

codebytere · 2019-10-23T18:14:58Z

Resolves #30089.

Explicitly whitelists --disallow-code-generation-from-strings in NODE_OPTIONS as a new V8 flag. This flag prevents strings like eval() from performing code generation.

Before:

node on git:whitelist-node-option ❯ node ~/Desktop/index.js
node: --disallow-code-generation-from-strings is not allowed in NODE_OPTIONS

After:

node on git:whitelist-node-option ❯ out/Release/node ~/Desktop/index.js
hello

Checklist

make -j4 test (UNIX), or vcbuild test (Windows) passes
tests and/or benchmarks are included
documentation is changed or added
commit message follows commit guidelines

nodejs-github-bot · 2019-10-23T21:00:20Z

codebytere · 2019-10-23T21:54:47Z

ope it looks like cli is not in fact a valid subsystem - what is this best marked as, in that case?

addaleax · 2019-10-23T22:08:26Z

@codebytere It is best marked as cli, you can ignore the Travis failure safely.

codebytere · 2019-10-23T22:11:39Z

@addaleax would that be worth a change to core-validate-commit? happy to pop that up!

addaleax · 2019-10-23T22:46:40Z

@codebytere Yes, exactly :) I think this is the one that pops up most frequently as unrecognized by the tool

devsnek · 2019-10-24T04:37:48Z

very nice catch about vm!

cjihrig

We should probably also update doc/node.1.

codebytere · 2019-10-24T16:09:00Z

@cjihrig done, i think that should be correctly formatted?

cjihrig · 2019-10-24T17:42:44Z

i think that should be correctly formatted?

I can never remember the formatting either. I just run make install and man node to look at it.

addaleax · 2019-10-24T20:36:14Z

@cjihrig You should also be able to run man doc/node.1 :)

cjihrig · 2019-10-24T20:38:41Z

Ah, good to know. Thanks!

nodejs-github-bot · 2019-10-25T18:11:21Z

CI: https://ci.nodejs.org/job/node-test-pull-request/26196/

nodejs-github-bot · 2019-10-27T09:55:12Z

CI: https://ci.nodejs.org/job/node-test-pull-request/26223/

codebytere · 2019-10-28T15:17:51Z

Explicitly whitelists --disallow-code-generation-from-strings in NODE_OPTIONS as a new V8 flag. This flag prevents strings like eval() from performing code generation. PR-URL: #30094 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com> Reviewed-By: Gus Caplan <me@gus.host> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>

Notable changes: New assert APIs The `assert` module now provides experimental `assert.match()` and `assert.doesNotMatch()` methods. They will validate that the first argument is a string and matches (or does not match) the provided regular expression This is an experimental feature. Ruben Bridgewater [#30929](#30929). Advanced serialization for IPC The `child_process` and `cluster` modules now support a `serialization` option to change the serialization mechanism used for IPC. The option can have one of two values: * `'json'` (default): `JSON.stringify()` and `JSON.parse()` are used. This is how message serialization was done before. * `'advanced'`: The serialization API of the `v8` module is used. It is based on the HTML structured clone algorithm. and is able to serialize more built-in JavaScript object types, such as `BigInt`, `Map`, `Set` etc. as well as circular data structures. Anna Henningsen [#30162](#30162). CLI flags The new `--trace-exit` CLI flag makes Node.js print a stack trace whenever the Node.js environment is exited proactively (i.e. by invoking the `process.exit()` function or pressing Ctrl+C). legendecas [#30516](#30516). ___ The new `--trace-uncaught` CLI flag makes Node.js print a stack trace at the time of throwing uncaught exceptions, rather than at the creation of the `Error` object, if there is any. This option is not enabled by default because it may affect garbage collection behavior negatively. Anna Henningsen [#30025](#30025). ___ The `--disallow-code-generation-from-strings` V8 CLI flag is now whitelisted in the `NODE_OPTIONS` environment variable. Shelley Vohr [#30094](#30094). New crypto APIs For DSA and ECDSA, a new signature encoding is now supported in addition to the existing one (DER). The `verify` and `sign` methods accept a `dsaEncoding` option, which can have one of two values: * `'der'` (default): DER-encoded ASN.1 signature structure encoding `(r, s)`. * `'ieee-p1363'`: Signature format `r || s` as proposed in IEEE-P1363. Tobias Nießen [#29292](#29292). ___ A new method was added to `Hash`: `Hash.prototype.copy`. It makes it possible to clone the internal state of a `Hash` object into a new `Hash` object, allowing to compute the digest between updates. Ben Noordhuis [#29910](#29910). Dependency updates libuv was updated to 1.34.0. This includes fixes to `uv_fs_copyfile()` and `uv_interface_addresses()` and adds two new functions: `uv_sleep()` and `uv_fs_mkstemp()`. Colin Ihrig [#30783](#30783). ___ V8 was updated to 7.8.279.23. This includes performance improvements to object destructuring, RegExp match failures and WebAssembly startup time. The official release notes are available at https://v8.dev/blog/v8-release-78. Michaël Zasso [#30109](#30109). New EventEmitter APIs The new `EventEmitter.on` static method allows to async iterate over events. Matteo Collina [#27994](#27994). ___ It is now possible to monitor `'error'` events on an `EventEmitter` without consuming the emitted error by installing a listener using the symbol `EventEmitter.errorMonitor`. Gerhard Stoebich [#30932](#30932). ___ Using `async` functions with event handlers is problematic, because it can lead to an unhandled rejection in case of a thrown exception. The experimental `captureRejections` option in the `EventEmitter` constructor or the global setting change this behavior, installing a `.then(undefined, handler)` handler on the `Promise`. This handler routes the exception asynchronously to the `Symbol.for('nodejs.rejection')` method if there is one, or to the `'error'` event handler if there is none. Setting `EventEmitter.captureRejections = true` will change the default for all new instances of `EventEmitter`. This is an experimental feature. Matteo Collina [#27867](#27867). Performance Hooks are no longer experimental The `perf_hooks` module is now considered a stable API. legendecas [#31101](#31101). Introduction of experimental WebAssembly System Interface (WASI) support A new core module, `wasi`, is introduced to provide an implementation of the [WebAssembly System Interface](https://wasi.dev/) specification. WASI gives sandboxed WebAssembly applications access to the underlying operating system via a collection of POSIX-like functions. This is an experimental feature. Colin Ihrig [#30258](#30258). PR-URL: #31691

This work is modeled on nodejs#30094 which allowed `--disallow-code-generation-from-strings` in `NODE_OPTIONS`. The `--jitless` v8 option has been supported since 12.0.0. As a v8 option, node automatically picks it up, but there have been a few issues that were resolved by simply telling users about the option: nodejs#26758, nodejs#28800. This PR: - allows `--jitless` in `NODE_OPTIONS` - documents `--jitless` - moves `--experimental-loader=module` to locally restore alphabetical order in option documentation Refs: nodejs#30094 Refs: nodejs#26758 Refs: nodejs#28800

This work is modeled on #30094 which allowed `--disallow-code-generation-from-strings` in `NODE_OPTIONS`. The `--jitless` v8 option has been supported since 12.0.0. As a v8 option, node automatically picks it up, but there have been a few issues that were resolved by simply telling users about the option: #26758, This PR: - allows `--jitless` in `NODE_OPTIONS` - documents `--jitless` - moves `--experimental-loader=module` to locally restore alphabetical order in option documentation Refs: #30094 Refs: #26758 Refs: #28800 PR-URL: #32100 Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Gus Caplan <me@gus.host> Reviewed-By: Shelley Vohr <codebytere@gmail.com> Reviewed-By: David Carlier <devnexen@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>

This work is modeled on nodejs#30094 which allowed `--disallow-code-generation-from-strings` in `NODE_OPTIONS`. The `--jitless` v8 option has been supported since 12.0.0. As a v8 option, node automatically picks it up, but there have been a few issues that were resolved by simply telling users about the option: nodejs#26758, This PR: - allows `--jitless` in `NODE_OPTIONS` - documents `--jitless` - moves `--experimental-loader=module` to locally restore alphabetical order in option documentation Refs: nodejs#30094 Refs: nodejs#26758 Refs: nodejs#28800 PR-URL: nodejs#32100 Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Gus Caplan <me@gus.host> Reviewed-By: Shelley Vohr <codebytere@gmail.com> Reviewed-By: David Carlier <devnexen@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>

This work is modeled on #30094 which allowed `--disallow-code-generation-from-strings` in `NODE_OPTIONS`. The `--jitless` v8 option has been supported since 12.0.0. As a v8 option, node automatically picks it up, but there have been a few issues that were resolved by simply telling users about the option: #26758, This PR: - allows `--jitless` in `NODE_OPTIONS` - documents `--jitless` - moves `--experimental-loader=module` to locally restore alphabetical order in option documentation Refs: #30094 Refs: #26758 Refs: #28800 Backport-PR-URL: #32594 PR-URL: #32100 Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Gus Caplan <me@gus.host> Reviewed-By: Shelley Vohr <codebytere@gmail.com> Reviewed-By: David Carlier <devnexen@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>

nodejs-github-bot added the c++ Issues and PRs that require attention from people who are familiar with C++. label Oct 23, 2019

codebytere added the cli Issues and PRs related to the Node.js command line interface. label Oct 23, 2019

lpinca approved these changes Oct 23, 2019

View reviewed changes

addaleax approved these changes Oct 23, 2019

View reviewed changes

Comment thread doc/api/cli.md Outdated

codebytere force-pushed the whitelist-node-option branch from 8727c87 to aa3f286 Compare October 23, 2019 20:32

targos reviewed Oct 23, 2019

View reviewed changes

Comment thread doc/api/cli.md Outdated

codebytere force-pushed the whitelist-node-option branch from aa3f286 to efbed2b Compare October 23, 2019 20:57

addaleax added the author ready PRs that have at least one approval, no pending requests for changes, and a CI started. label Oct 23, 2019

targos approved these changes Oct 23, 2019

View reviewed changes

codebytere mentioned this pull request Oct 23, 2019

lib: add cli to valid subsystems nodejs/core-validate-commit#79

Merged

gireeshpunathil approved these changes Oct 24, 2019

View reviewed changes

devsnek approved these changes Oct 24, 2019

View reviewed changes

Comment thread doc/api/cli.md Outdated

devsnek Oct 24, 2019

Copy link
Copy Markdown

Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

very nice catch about vm!

cjihrig approved these changes Oct 24, 2019

View reviewed changes

cli: whitelist new V8 flag in NODE_OPTIONS

7e89aaa

codebytere force-pushed the whitelist-node-option branch from efbed2b to 7e89aaa Compare October 24, 2019 16:08

codebytere mentioned this pull request Oct 26, 2019

--disallow-code-generation-from-strings doesn't work with NODE_OPTIONS #30089

Closed

jasnell approved these changes Oct 26, 2019

View reviewed changes

codebytere closed this Oct 28, 2019

codebytere deleted the whitelist-node-option branch October 28, 2019 15:17

targos mentioned this pull request Nov 5, 2019

v13.1.0 release proposal #30262

Merged

targos added the semver-minor PRs that contain new features and should be released in the next minor version. label Nov 10, 2019

targos mentioned this pull request Jan 15, 2020

v12.15.0 release proposal #31368

Closed

MylesBorins mentioned this pull request Feb 8, 2020

v12.16.0 proposal #31691

Merged

andrewdotn mentioned this pull request Mar 5, 2020

cli: allow --jitless V8 flag in NODE_OPTIONS #32100

Closed

4 tasks

MylesBorins mentioned this pull request Apr 1, 2020

[v12.x] cli: allow --jitless V8 flag in NODE_OPTIONS #32594

Closed

Sunbelt Computer Software

PL/B Language Development and Support

Uh oh!

Uh oh!

Conversation

codebytere commented Oct 23, 2019

Checklist

Uh oh!

Uh oh!

Uh oh!

nodejs-github-bot commented Oct 23, 2019

Uh oh!

codebytere commented Oct 23, 2019 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

addaleax commented Oct 23, 2019

Uh oh!

codebytere commented Oct 23, 2019

Uh oh!

addaleax commented Oct 23, 2019

Uh oh!

devsnek Oct 24, 2019

Choose a reason for hiding this comment

Uh oh!

cjihrig left a comment

Choose a reason for hiding this comment

Uh oh!

codebytere commented Oct 24, 2019

Uh oh!

cjihrig commented Oct 24, 2019

Uh oh!

addaleax commented Oct 24, 2019

Uh oh!

cjihrig commented Oct 24, 2019

Uh oh!

nodejs-github-bot commented Oct 25, 2019

Uh oh!

nodejs-github-bot commented Oct 27, 2019

Uh oh!

codebytere commented Oct 28, 2019

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

9 participants

codebytere commented Oct 23, 2019 •

edited

Loading