Vulnerability Description
From: https://hackerone.com/reports/321701
See https://github.com/flatiron/utile/blob/master/lib/base64.js#L19 in utile.base64.encode (and similar in utile.base64.decode below that).
The problem arises when a number is passed in, e.g. from user-submitted JSON-encoded data.
The API should not propagate the already-bad Buffer issue further. On Node.js 6.x and below, this exposes uninitialized memory, which could contain sensitive data.
This can also be used to cause a DoS on any Node.js version by consuming memory when large numbers are passed as input.
Steps To Reproduce:
- console.log(require('utile').base64.encode(200)) (Node.js 6.x and lower — note uninitialized memory in output)
- require('utile').base64.encode(1e8) (any Node.js version — note memory usage and time)
Thoughts on Remediation
The source code in base64.js says that both encode¹ and decode² expect a string parameter. I see two obvious solutions.
- Return null when base64.encode or base64.decode are given something other than a string.
- Convert the parameter passed into base64.encode and base64.decode into a string before encoding or decoding.
To preserve backward compatibility with existing usage that might not be expecting null as a return value from encoding or decoding values that are not strings, I think we should convert the parameter to a string and then perform that encode or decode operation.
¹ https://github.com/flatiron/utile/blob/master/lib/base64.js#L12
² https://github.com/flatiron/utile/blob/master/lib/base64.js#L30
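
The two remediation options above, sketched as an added example that is not utile's code or the reporter's patch. The function names are hypothetical, and using Buffer.from and mapping null/undefined to an empty string are assumptions of this sketch.

```javascript
// Added example; safeEncode, safeDecode and strictEncode are hypothetical names.
// Buffer.from(string, encoding) never takes a length, so a numeric argument
// cannot trigger an uninitialized or oversized allocation.

// Option 2 on the page: coerce to a string first (assumption: null/undefined -> '').
function safeEncode(unencoded) {
  const text = unencoded == null ? '' : String(unencoded);
  return Buffer.from(text, 'utf8').toString('base64');
}

function safeDecode(encoded) {
  const text = encoded == null ? '' : String(encoded);
  return Buffer.from(text, 'base64').toString('utf8');
}

// Option 1 on the page: reject anything that is not a string.
function strictEncode(unencoded) {
  if (typeof unencoded !== 'string') return null;
  return Buffer.from(unencoded, 'utf8').toString('base64');
}

// Constructed inputs, as they might arrive from JSON.parse of a request body.
function runSamples() {
  const samples = ['hello', 200, 1e8, null];
  return samples.map((value) => ({
    value,
    coerced: safeEncode(value),
    strict: strictEncode(value),
    // Output size tracks the digits of the number, not its magnitude.
    outputBytes: Buffer.byteLength(safeEncode(value), 'ascii'),
  }));
}

console.log(runSamples());
```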