Fix double-free in S3 static methods when path is passed as string #28592

claude · 2026-05-05T15:56:02Z

🔴 🔴 The diff no longer matches the PR description — only the original v1 tag-flip in S3File.zig and the test file remain. The encoded_slice clone in Store.initS3/initS3WithReferencedCredentials, the errdefer→defer conversions in S3File.zig/S3Client.zig, and the Blob.zig defers described in the PR body and CodeRabbit walkthrough are all absent (likely lost when rebasing onto the src/bun.js/→src/runtime/ restructure in c8b4c36/e643d7b). Concretely, the Path-2 double-free that was marked "✅ Addressed in commit 9538183" is reachable again, and the earlier review comments at Store.zig:74 and Blob.zig:2123 now give advice predicated on a clone that no longer exists — applying them as-is would introduce new double-frees.

Extended reasoning...

What the bug is

The PR description's Fix section states: "Clone encoded_slice in initS3/initS3WithReferencedCredentials so the store always owns an independent copy" and "Change errdefer to defer for path cleanup in S3File functions". The CodeRabbit walkthrough additionally lists changes to S3Client.zig (8 methods), Blob.zig (constructBunFile + findOrCreateFileFromPath), and stat() error-message corrections. However, the actual diff contains only two files: src/runtime/webcore/S3File.zig (six path_or_blob = .{ .blob = blob } tag-flips) and the test. Verified against the current tree at the post-restructure paths:

src/runtime/webcore/blob/Store.zig:68-124 — initS3/initS3WithReferencedCredentials contain only var path = pathlike; path.toThreadSafe(); with no toOwned/clone logic.

src/runtime/webcore/S3Client.zig:138,154,172,189,206,220,254 — all still use errdefer path.deinit(), not defer.

src/runtime/webcore/S3File.zig — the six errdefer { if (path_or_blob == .path) ... } blocks are unchanged (not converted to defer); stat() still says "get size" at both branches.

git log on Store.zig shows it was only touched by the pure git mv restructure (c8b4c36), never by this PR's fix commits. The edits to the old src/bun.js/webcore/ paths almost certainly did not survive the rebase onto the src/runtime/webcore/ restructure.

Concrete consequence: the Path-2 double-free is back

Inline comment 2996090258 was marked "✅ Addressed in commit 9538183", but with the Store.zig clone gone, the tag-flip alone cannot fix Path 2 because ownership transfers inside the try expression before the tag is flipped. Step-by-step, for Bun.S3Client.presign(<path>, <opts>) where opts has a type getter that throws on its second read (the first read happens earlier in getCredentialsWithOptions) and <path> produces an .encoded_slice:

PathOrBlob.fromJSNoCopy → path_or_blob = .path with encoded_slice buffer A.

Outer errdefer { if (path_or_blob == .path) path_or_blob.path.deinit() } armed.

try constructS3FileInternalStore(...) → constructS3FileWithS3Credentials:

Blob.Store.initS3(path, ...) runs. Store.zig:97-122 does var path = pathlike; path.toThreadSafe(); — PathLike.toThreadSafe() (types.zig:557-569) falls through to else => {} for .encoded_slice, a no-op, so store.data.s3.pathlike aliases buffer A.

errdefer store.deinit() armed.

try opts.getTruthyComptime(globalObject, "type") invokes the getter → throws → error.JSError.

errdefer store.deinit() fires → Store.deinit() (Store.zig:179-201) → s3.deinit() (Store.zig:454-459) → pathlike.deinit() → frees A.

The error propagates through the try at S3File.zig:86. Line 87 (path_or_blob = .{ .blob = blob }) never executes.

Outer errdefer fires: path_or_blob == .path is still true → path_or_blob.path.deinit() → frees A again → use-after-poison.

Why the existing change does not prevent it

The only Zig change in the diff is the tag-flip placed after try constructS3FileInternalStore(...). By Zig semantics, an assignment after a try does not run when the try propagates an error. So the tag-flip helps Path 1 (constructor succeeds, downstream op fails) but cannot help Path 2 (constructor fails after initS3). The intended fix for Path 2 was the Store.zig clone, which is missing.

Secondary consequence: stale review comments now give dangerous advice

Earlier comments at Store.zig:74 (#2996283354) and Blob.zig:2123 (#2996546999) instruct adding defer path.deinit() / moving defer path.deinitAndUnprotect() on the assumption that initS3 clones the path and the caller must free its own copy. With the clone gone, initS3 once again takes ownership of the caller's buffer; applying those suggestions as written would make both the caller and the store free the same buffer — a new double-free. Those comments only make sense once the Store.zig clone is restored.

Addressing the "duplicate" objection

One reviewer noted overlap with existing comments: the S3Client instance-method double-free is already tracked in #2997528729, and the stat() error message in #2996283366. That is true, but neither of those captures the root cause here — that the diff has regressed to its v1 state and no longer contains what the PR description and "✅ Addressed" markers claim. Without surfacing this explicitly, the author may believe commits 9538183+ are present when they are not, and may apply the now-dangerous follow-up suggestions on top of the wrong base. The actionable fix is different in kind ("restore the dropped commits at the new src/runtime/webcore/ paths") from any individual open comment.

How to fix

Re-apply the dropped changes at the post-restructure paths: (1) clone encoded_slice via toOwned(allocator) in Store.initS3/initS3WithReferencedCredentials; (2) convert the six errdefer blocks in S3File.zig to defer; (3) change errdefer path.deinit() → defer path.deinit() across the S3Client.zig instance/static methods; (4) add the Blob.zig defers (constructBunFile, findOrCreateFileFromPath); (5) fix the stat() error strings. Then re-evaluate the still-open follow-up comments against the restored base.

claude · 2026-05-06T18:44:28Z

🟣 🟣 Pre-existing: Store.initS3 leaks a JSC GC root when the path is a Buffer/Uint8Array. PathLike.toThreadSafe() for .buffer calls value.protect() (types.zig:564-566), but Store.S3.deinit() (Store.zig:454-459) calls this.pathlike.deinit() — a no-op for .buffer (types.zig:548-550) — instead of deinitAndUnprotect(), so the protect is never released. Reachable from every PR-modified call site here via e.g. Bun.S3Client.presign(Buffer.from("key")) (the .fd-only guard does not reject buffers). This is the .buffer mirror of the .encoded_slice ownership defect this PR targets — when restoring the Store.zig clone per #3189832498, change S3.deinit() to call deinitAndUnprotect() (or have initS3 clone buffer bytes into an owned .encoded_slice).

Extended reasoning...

What the bug is

Store.initS3 / initS3WithReferencedCredentials (Store.zig:68-100/97-123) take ownership of the incoming PathLike via var path = pathlike; path.toThreadSafe();. For the .buffer variant (the case when the user passes a Buffer/Uint8Array/DataView as the S3 key), PathLike.toThreadSafe() is:

// types.zig:564-566 .buffer => { this.buffer.buffer.value.protect(); },

i.e. it adds a JSC GC root on the underlying typed array's JSValue. The matching release lives only in PathLike.deinitAndUnprotect() (types.zig:576-578: .buffer => |val| val.buffer.value.unprotect()). But the store's destructor calls the other deinit:

// Store.zig:454-459 (S3.deinit) if (this.pathlike == .string) { allocator.free(@constCast(this.pathlike.slice())); } else { this.pathlike.deinit(); // PathLike.deinit: .string, .buffer => {} — no-op for .buffer }

PathLike.deinit() (types.zig:548-555) is explicitly {} for .buffer. So the protect() taken inside initS3 is never balanced by an unprotect() anywhere — every S3 store created from a Buffer path leaks one permanent GC root on the buffer's JSValue.

Reachability from the PR-modified code

PathLike.fromJSWithAllocator (types.zig:684-701) returns .buffer for any Uint8Array/DataView/ArrayBuffer first argument. PathOrBlob.fromJSNoCopy → PathOrFileDescriptor.fromJS does not reject buffers, and the if (path == .fd) guard in each PR-modified static method only rejects file descriptors. So Bun.S3Client.presign(Buffer.from("my-key")) (and unlink/write/size/exists/stat) flows straight to S3File.zig:86 → constructS3FileInternalStore → initS3 with a .buffer PathLike. The same applies to new Bun.S3Client(...).file(buf), Bun.s3(buf), constructInternal, etc., where the store is long-lived.

Why existing safeguards do not prevent it

There is a first protect on this same buffer taken by arguments.protectEat() inside fromJSWithAllocator (CallFrame.zig:233-238), and that one is correctly balanced by defer args.deinit() → ArgumentsSlice.unprotect() (CallFrame.zig:220-226). But JSC's JSValueProtect/Unprotect are reference-counted — releasing protect #1 does not cancel protect #2 taken inside initS3. The only function that would release protect #2 is PathLike.deinitAndUnprotect(), and Store.S3.deinit() never calls it. The PR's tag-flip on line 87 is irrelevant here (it targets the .encoded_slice aliasing problem and does not change which deinit the store calls), and the lost Store.zig clone (per #3189832498) only handled .encoded_slice, not .buffer.

Step-by-step proof — Bun.S3Client.presign(Buffer.from("k"))

PathLike.fromJSWithAllocator matches .Uint8Array, calls arguments.protectEat() → buf.protect() (Fix ?? operator #1) and records the index in args.protected. Returns .{ .buffer = ... }.

S3File.presign enters the .path arm (.fd guard does not match) and calls constructS3FileInternalStore(globalThis, path.path /* .buffer */, options) → Blob.Store.initS3.

initS3: var path = pathlike; path.toThreadSafe(); → .buffer branch → buf.protect() (Fix calling #private() functions in classes #2). Store's pathlike is .buffer.

PR's tag-flip on line 87 runs (irrelevant for .buffer); getPresignUrlFrom runs (success or failure — irrelevant).

defer blob.deinit() → store.deref() → ref 1→0 → Store.deinit() → s3.deinit() → this.pathlike.deinit() → no-op for .buffer. Protect Fix calling #private() functions in classes #2 is never released.

defer args.deinit() → ArgumentsSlice.unprotect() iterates the protected bitset → buf.unprotect() (Fix ?? operator #1).

Net: protect Fix calling #private() functions in classes #2 leaked. The Uint8Array (and anything it transitively references) is permanently rooted in JSC's GC.

Repeat in a loop and JS heap grows unboundedly even though no JS references remain.

Impact

A small but unbounded JS-heap leak: each S3 operation given a Buffer/Uint8Array path permanently roots that buffer in the GC. For long-running processes that loop S3 calls with buffer keys (or for Bun.s3(buf) / S3Client#file(buf) where the store outlives the call), this is a steady JS-heap growth with no way to reclaim it.

How to fix

Either:

(a) Change S3.deinit() (Store.zig:454-459) to call this.pathlike.deinitAndUnprotect() instead of this.pathlike.deinit() so the .buffer protect is released (note Store.deinit()'s .file branch at Store.zig:191 has the same mismatch), or

(b) Have initS3 / initS3WithReferencedCredentials clone the buffer's bytes into an owned .encoded_slice (analogous to the .encoded_slice clone described in this PR's Fix section) so the store never holds a JS-managed buffer at all and the existing S3.deinit() correctly frees it.

Relationship to this PR / not a duplicate

This is pre-existing — the current diff does not touch Store.zig or types.zig, and the tag-flip neither causes nor fixes it. It is flagged because (a) it is the same "initS3's toThreadSafe() mishandles per-variant ownership" defect class this PR targets, just for the .buffer variant instead of .encoded_slice; (b) it sits on the immediate call path of every PR-modified line (S3File.zig:86, 117, 155, 196, 230, 582 → constructS3FileInternalStore → initS3); and (c) per #3189832498 the author will be re-editing initS3 anyway to restore the .encoded_slice clone, making this a natural one-line additional fix in the same pass. None of the 14 existing PR comments mention .buffer, protect/unprotect, or Uint8Array paths — they all reason about .encoded_slice / .slice_with_underlying_string / content_type / JSPromise.Strong / test coverage.

claude · 2026-05-07T09:00:07Z

🟣 🟣 Pre-existing companion to #2996283366 (the stat() "get size" copy-paste): in getCredentialsWithOptions — invoked on the immediate path of every PR-modified line via constructS3FileInternalStore → constructS3FileWithS3Credentials → S3Credentials.getCredentialsWithOptions — the sessionToken block at credentials_jsc.zig:126 throws throwInvalidArgumentTypeValue("bucket", "string", js_value) when options.sessionToken is a non-string, so e.g. Bun.S3Client.presign("key", { sessionToken: 123 }) reports "The "bucket" argument must be of type string". The literal was copy-pasted from the preceding bucket block at line 105 and never updated. Fix: change line 126 to "sessionToken".

Extended reasoning...

What the bug is and how it manifests

S3Credentials.getCredentialsWithOptions (src/runtime/webcore/s3/credentials_jsc.zig) validates each option property in its own block, and on a non-string value throws throwInvalidArgumentTypeValue("<property>", "string", js_value) so the user sees "The "" argument must be of type string". The sessionToken block (lines 115-129) reads opts.sessionToken, checks js_value.isString(), and on the else branch at line 126 throws:

return globalObject.throwInvalidArgumentTypeValue("bucket", "string", js_value);

The string "bucket" was copy-pasted from the immediately preceding bucket block (which has the identical line at credentials_jsc.zig:105) and never updated to "sessionToken". So a user who passes a non-string sessionToken is told they passed an invalid bucket.

Reachability from the PR-modified code

Every PR-modified line (S3File.zig:87/118/156/196/230/582) is one line below try constructS3FileInternalStore(globalThis, path.path, options). That call goes to constructS3FileWithS3Credentials (S3File.zig:312) → S3Credentials.getCredentialsWithOptions(existing_credentials, .{}, options, …) → credentials_jsc.zig:115 reads options.sessionToken. So Bun.S3Client.presign("key", { sessionToken: 123 }) (or unlink/write/size/exists/stat) reaches the buggy line directly. The same applies to getPresignUrlFrom's second getCredentialsWithOptions call (S3File.zig:499), every S3Client.zig instance method, Store.S3.unlink/listObjects (Store.zig:361/419), and new Bun.S3Client({ sessionToken: 123 }).

Why existing safeguards do not prevent it

This is purely a wrong string literal. Every other property block in this function — accessKeyId (line 32), secretAccessKey (47), region (62), endpoint (90), bucket (105), contentDisposition (198), type (217), contentEncoding (236) — correctly names its own property in the throwInvalidArgumentTypeValue call; only the sessionToken block is mismatched. Nothing downstream rewrites the message.

Impact

Misleading error messages: a user who passes a non-string sessionToken to any S3 API receives TypeError: The "bucket" argument must be of type string, received <type>. Since bucket is a sibling option in the same options bag, this actively misdirects debugging — the user will inspect/change bucket while the actual problem is sessionToken. Minor UX bug, no memory or correctness implications.

Step-by-step proof

Bun.S3Client.presign("key", { sessionToken: 123 });

S3File.presign (S3File.zig:63-91) parses path_or_blob = .path, enters the .path arm, and calls constructS3FileInternalStore(globalThis, path.path, options) at S3File.zig:86.

→ constructS3FileWithS3Credentials (S3File.zig:306-348) → line 312: try S3Credentials.getCredentialsWithOptions(existing_credentials, .{}, options, null, null, false, globalObject).

credentials_jsc.zig:115: try opts.getTruthyComptime(globalObject, "sessionToken") → returns 123 (truthy).

Line 116: !js_value.isEmptyOrUndefinedOrNull() → true. Line 117: js_value.isString() → false (it is a number).

Line 126: return globalObject.throwInvalidArgumentTypeValue("bucket", "string", js_value) → throws TypeError: The "bucket" argument must be of type string, received 123.

The user sees an error about bucket despite never having set bucket and having set sessionToken to the wrong type.

How to fix

Change credentials_jsc.zig:126 to:

return globalObject.throwInvalidArgumentTypeValue("sessionToken", "string", js_value);

Relationship to this PR / not a duplicate

This is pre-existing — the PR diff does not touch credentials_jsc.zig. It is flagged because (a) it sits on the immediate options-processing path of S3File.zig:86, the line directly preceding this PR's tag-flip, reached via the same options argument that this PR's discussion and regression test revolve around; (b) it is the identical copy-paste-error defect class already accepted on this PR for stat() (#2996283366, "get size" → "get stat"); and (c) none of the 18 existing PR comments mention sessionToken, credentials_jsc.zig:126, or this error string — they cover path/encoded_slice ownership, content_type, JSPromise.Strong, .buffer protect, destination_blob, error-set mismatch, and test coverage.

claude · 2026-05-07T09:00:07Z

🟣 Pre-existing companion to #3189832498 (.encoded_slice) and #3196702451 (.buffer): the third PathLike variant, .slice_with_underlying_string, is what plain ASCII JS-string paths — including this PR's own Date() repro — actually produce, and for that variant var path = pathlike; path.toThreadSafe() in Store.initS3 is not an alias-preserving no-op: BunString__toThreadSafe transfers ownership (derefs the previous WTFStringImpl and migrates .utf8), consuming in-place the +2 refs the caller's shallow-copied PathLike held. So restoring the v2 fix exactly as #3189832498 describes (clone only .encoded_slice via toOwned + convert the six errdefers to unconditional defer) would over-deref the original WTFStringImpl by 2 on every call (success and error) for the most common string-path variant. When re-applying the Store.zig change, have initS3/initS3WithReferencedCredentials unconditionally allocator.dupe(pathlike.slice()) into an owned .encoded_slice (and skip toThreadSafe() entirely) so the store never shares refcount state with the caller for any variant — this simultaneously resolves .encoded_slice, .buffer, and .slice_with_underlying_string.

Extended reasoning...

What the bug is

The PR's root-cause analysis (and #3189832498's restoration instructions) reason exclusively about PathLike.encoded_slice, for which toThreadSafe() is a no-op and the v2 fix ("detect .encoded_slice backed by allocated memory and replace it with an owned clone", then convert caller-side errdefer→defer) is sound. But for a plain ASCII JS string — including the test's own Date() repro — PathLike.fromJSWithAllocator does not produce .encoded_slice; it produces .slice_with_underlying_string. And for that variant, the var path = pathlike; path.toThreadSafe() in Store.initS3 (Store.zig:98-100) has transfer semantics, not alias or ref-add semantics: it consumes the +2 refs the caller's shallow-copied struct held on the original WTFStringImpl and replaces them with refs on a new isolated copy. The Store.zig:70 comment "this actually protects/refs the pathlike" is therefore misleading for this variant.

How the variant is reached

ArgumentsSlice.init leaves will_be_async = false (CallFrame.zig:218, 249-256). PathLike.fromJSWithAllocator → fromBunString therefore takes the will_be_async == false else-branch (types.zig:759): str.toSlice() (string.zig:734-740) returns a SliceWithUnderlyingString whose .utf8 comes from WTFStringImpl.toUTF8 → for a pure-ASCII Latin1 string, toUTF8FromLatin1 returns null and falls through to toLatin1Slice() (wtf.zig:114-117, does this.ref() and tags the slice with refCountAllocator), and .underlying is the moved bun.String (one more ref on the same impl). isWTFAllocated() is true → fromBunString returns .slice_with_underlying_string (types.zig:768-769). Net: the PathLike holds +2 refs on WTFStringImpl A (one via .underlying, one via the WTF-allocator-backed .utf8).

Why toThreadSafe() transfers, not refs

Store.initS3 does var path = pathlike; path.toThreadSafe(); — a bitwise struct copy with no ref bump. PathLike.toThreadSafe for .slice_with_underlying_string (types.zig:559-562) → SliceWithUnderlyingString.toThreadSafe() (string.zig:1090-1106) → BunString__toThreadSafe, whose Zig-side doc explicitly states "transfers ownership: the reference this String held on the previous StringImpl is released" (string.zig:987-990). The C++ side (BunString.cpp:211-223) does auto impl = existing->isolatedCopy(); if (impl.ptr() != existing) { …; existing->deref(); } — A.rc -= 1. Then back in Zig, when the impl changed, this.utf8.deinit() runs (the WTF-allocator slice derefs A again — A.rc -= 1) and .utf8 is migrated to the new impl B's bytes. Net: A.rc -= 2. Those are exactly the two refs the caller's path_or_blob.path.path was depending on, since var path = pathlike is a shallow copy. The caller's struct still points at A as .slice_with_underlying_string, but its refs have been stolen.

Consequence for the v2 restoration #3189832498 describes

The v2 fix per the CodeRabbit walkthrough and #3189832498 is: (a) in initS3, after toThreadSafe(), special-case only .encoded_slice and clone it via toOwned(allocator); (b) at every caller, convert the six errdefer { if (path_or_blob == .path) path_or_blob.path.deinit() } blocks to unconditional defer ("so .path is deinitialized on all exits" — i.e. drop the tag-flip). For .slice_with_underlying_string:

After toThreadSafe() the local path becomes .threadsafe_string (string.zig:1098-1105 sets .underlying to the new impl and tags it thread-safe), so the .encoded_slice-only clone check is skipped.

With errdefer→defer and no tag-flip, the unconditional caller-side defer { … path_or_blob.path.deinit() } fires on every exit — success and error alike.

PathLike.deinit for .slice_with_underlying_string → SliceWithUnderlyingString.deinit() (string.zig:1108-1111) = utf8.deinit() (deref A) + underlying.deref() (deref A) → A.rc -= 2 more.

Step-by-step refcount proof — Bun.S3Client.presign(Date()) under restored v2

JSC creates the Date() JSString; its WTFStringImpl A is held by the JSString (rc = base, ≥1).

fromBunString returns .slice_with_underlying_string holding +2 on A → A.rc = base+2. path_or_blob = .{ .path = .{ .path = <swus on A> } }.

Caller registers defer { if (path_or_blob == .path) path_or_blob.path.deinit() } (v2, no tag-flip).

constructS3FileInternalStore → Store.initS3: var path = pathlike (shallow copy, no ref bump); path.toThreadSafe() → isolatedCopy() allocates B, existing->deref() (A.rc = base+1), utf8.deinit() (A.rc = base). The store's pathlike is now .threadsafe_string on B.

v2's "if .encoded_slice && allocated → toOwned" check: tag is .threadsafe_string, skipped.

Constructor returns successfully; store rc=1.

Unwind: defer blob.deinit() derefs the store → frees B (correct). Then the unconditional defer: path_or_blob == .path is still true (no tag-flip), so path_or_blob.path.deinit() runs → SliceWithUnderlyingString.deinit() on the stale struct still pointing at A → utf8.deinit() (A.rc = base-1) + underlying.deref() (A.rc = base-2).

Over-deref of A by 2 on the success path — once the JSString's own ref is the only base holder, A.rc goes negative → use-after-free / ASAN poison on the next access to that string's backing store.

So restoring v2 as written would introduce an over-deref on the happy path for the most common (ASCII string) path variant — strictly worse than the current tag-flip-only diff, whose happy path is fine for this variant (tag-flip → .blob, errdefer skipped, the stale A pointers are never touched).

Consequence for the current diff (tag-flip only)

Same root cause as #3189832498's Path-2, just a different variant/symptom: with tag-flip only, if the constructor throws after initS3 (e.g. throwing type getter), errdefer store.deinit() derefs/frees B, the outer errdefer still sees .path and runs SliceWithUnderlyingString.deinit() on the stale A struct → A.rc → base-2. This is a WTFStringImpl over-deref rather than a Zig-heap double-free. Noted for completeness; #3189832498 already covers the Path-2 reachability.

How to fix

When re-applying the Store.zig change per #3189832498, do not special-case .encoded_slice. Have initS3 / initS3WithReferencedCredentials unconditionally do:

const owned = try allocator.dupe(u8, pathlike.slice()); const path: jsc.Node.PathLike = .{ .encoded_slice = jsc.ZigString.Slice.init(allocator, owned) };

and skip toThreadSafe() entirely, so the store never shares refcount state with the caller for any variant. The caller-side defer path.deinit() (or deinitAndUnprotect()) then correctly releases the caller's own resource for all variants. This single change simultaneously resolves .encoded_slice (#3189832498), .buffer (#3196702451 — no protect is ever taken, and S3.deinit()'s existing pathlike.deinit() correctly frees the dupe), and .slice_with_underlying_string (this comment). The alternative — keep the current tag-flip approach and do not convert the errdefers to defer — also avoids the over-deref but leaves the Path-2 hole open and does not address .buffer.

Relationship to this PR / not a duplicate

This is pre-existing — Store.zig and types.zig are not in the PR diff, and the current tag-flip's success path is correct for this variant. It is flagged as a forward-looking refinement of #3189832498's restoration instructions: following them as-written would regress the happy path for the most common string-path variant. None of the 18 existing comments mention .slice_with_underlying_string, WTFStringImpl, isolatedCopy, or BunString__toThreadSafe's transfer semantics; #3189832498's trace and proposed fix reason exclusively about .encoded_slice, and #3196702451 about .buffer.

claude · 2026-05-07T15:44:48Z

🟣 🟣 🟣 Pre-existing companion to #3201498669 (which already directs the author to fetch.zig:1336, 37 lines above): in the fetch("s3://...") non-stream-body + proxy branch, fetch.zig:1373 does bun.copy(u8, buffer[proxy_.href.len..], proxy_.href) — the destination offset should be buffer[result.url.len..] (lines 1376-1377 read from that intended layout). When proxy_.href.len > result.url.len the destination slice (length result.url.len) is shorter than the source → Debug assert(output.len >= input.len) panic / release memmove heap overflow; when shorter, the proxy bytes splice into the middle of the signed URL and buffer[result.url.len..] is left uninitialized, so line 1377 parses garbage as the proxy host. Reachable via fetch("s3://b/k", { proxy: "http://...", method: "GET"|"PUT"|"DELETE"|"HEAD", s3: {...} }). Fix: change line 1373 to bun.copy(u8, buffer[result.url.len..], proxy_.href);.

Extended reasoning...

What the bug is

In the fetch("s3://...") non-presigned path with a proxy configured (fetch.zig:1367-1377 — sibling to the stream-body S3 branch at fetch.zig:1336 already referenced by #3201498669), the joined URL/proxy buffer is built with the wrong destination offset on the second copy:

// fetch.zig:1371-1377 var buffer = bun.handleOom(allocator.alloc(u8, result.url.len + proxy_.href.len)); bun.copy(u8, buffer[0..result.url.len], result.url); bun.copy(u8, buffer[proxy_.href.len..], proxy_.href); // ← BUG: should be buffer[result.url.len..] url_proxy_buffer = buffer; url = ZigURL.parse(url_proxy_buffer[0..result.url.len]); proxy = ZigURL.parse(url_proxy_buffer[result.url.len..]); // reads where proxy was *supposed* to go

The intended layout is [signed_url][proxy_url], and lines 1376-1377 read from exactly that layout — but line 1373 writes proxy_.href starting at offset proxy_.href.len instead of result.url.len. The two analogous proxy-buffer joins earlier in this function (the non-S3 path) write to buffer[url.href.len..]; only the S3 branch's copy uses the wrong index variable.

Concrete consequences

bun.copy → bun.memmove (bun.zig:3468-3478): in Debug it asserts output.len >= input.len; in release it does c.memmove(dest.ptr, src.ptr, src.len). The destination slice buffer[proxy_.href.len..] has length (result.url.len + proxy_.href.len) - proxy_.href.len = result.url.len.

Case A — proxy_.href.len > result.url.len (e.g. short bucket/key + short endpoint, long proxy URL with embedded auth like http://user:longpassword@proxy.corp.internal:3128/): the destination slice has length result.url.len < proxy_.href.len. Debug/ReleaseSafe: assert(output.len >= input.len) panics. ReleaseFast: memmove writes proxy_.href.len bytes starting at buffer.ptr + proxy_.href.len, i.e. end-of-write at offset 2*proxy_.href.len, which is proxy_.href.len - result.url.len bytes past the end of the allocation — heap buffer overflow.

Case B — proxy_.href.len < result.url.len (the common case — signRequest(..., false, null) here is not presigned so result.url is just https://<endpoint>/<bucket>/<key>): line 1373 overwrites buffer[proxy_.href.len .. 2*proxy_.href.len] (the middle of the signed URL just written at line 1372), and buffer[result.url.len..] is never written (allocator.alloc does not zero). Line 1376 then parses a corrupted signed URL (proxy bytes spliced into the middle of the host/path), and line 1377 calls ZigURL.parse on uninitialized heap memory — the resulting fetch is dispatched to a garbage proxy host/port.

Case C — proxy_.href.len == result.url.len: works by coincidence.

Reachability

proxy is set from the user's { proxy: "..." } option earlier in fetch.zig. The S3+proxy branch at line 1367 is reached for any fetch("s3://bucket/key", { proxy: "http://...", method: "GET"|"PUT"|"DELETE"|"HEAD" }) whose body is not a ReadableStream (the stream-body case takes the uploadStream branch at line 1336 instead). E.g.:

await fetch("s3://b/k", { proxy: "http://user:verylongpasswordxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx@proxy:3128", s3: { accessKeyId: "x", secretAccessKey: "y", endpoint: "http://s3.local" }, });

with a proxy URL longer than the signed URL → heap overflow; with a shorter one → request issued with a corrupted URL to an uninitialized-memory "proxy".

Why existing safeguards don't prevent it

Lines 1376-1377 read from the intended offsets ([0..result.url.len] / [result.url.len..]), confirming the layout intent and the typo. Nothing re-derives the proxy URL after line 1377; whatever ZigURL.parse extracts from the uninitialized region is used verbatim as the HTTP CONNECT target.

Step-by-step proof (Case A, heap overflow)

Take result.url = "http://s3.local/b/k" (19 bytes) and proxy_.href = "http://user:passpasspasspasspass@proxy:3128/" (44 bytes):

Line 1371: buffer = alloc(19 + 44) = alloc(63).

Line 1372: buffer[0..19] = result.url — OK.

Line 1373: destination = buffer[44..], a slice of length 63 - 44 = 19. Source length = 44. Debug: assert(19 >= 44) → panic. Release: c.memmove(buffer.ptr + 44, proxy_.href.ptr, 44) writes bytes at offsets 44..88, but the allocation ends at offset 63 → 25-byte heap buffer overflow.

(Case B, uninitialized read): with result.url.len = 60, proxy_.href.len = 20: line 1373 writes proxy bytes at buffer[20..40] (clobbering the middle of the URL written at step 2); buffer[60..80] is never written. Line 1377 parses buffer[60..80] — uninitialized heap — as the proxy URL.

How to fix

Change fetch.zig:1373 to bun.copy(u8, buffer[result.url.len..], proxy_.href);.

Relationship to this PR / not a duplicate

Pre-existing — the PR diff does not touch fetch.zig, and the trigger requires the fetch("s3://...") API rather than the Bun.S3Client.* static methods this PR modifies. Flagged because (a) it sits in the same S3-request subsystem this PR's review thread has already enumerated end-to-end — #3201498669 already directs the author to fetch.zig:1336, 37 lines above, in the sibling stream-body S3 branch; (b) it is a crash/memory-safety bug (heap overflow + uninitialized read) rather than a leak, so strictly higher severity than most existing pre-existing comments on this PR; and (c) none of the 30 existing comments mention fetch.zig:1373, the proxy-buffer join, buffer[proxy_.href.len..], or fetch+S3+proxy at all.

claude · 2026-05-07T17:25:12Z

🟣 🟣 🟣 Pre-existing, download-side companion to the upload/request-side ownership defects already on this PR (#3199552705/#3201498672/#3200790769/#3201498669): doReadFromS3 (Blob.zig:119) wraps the consumer with lifetime = .clone while its file-read sibling NewReadFileHandler (read_file.zig:26) correctly uses .temporary; the .clone contract assumes "the store owns the memory" (comment at Blob.zig:3812), but for S3 the store holds only credentials+path. onS3DownloadResolved (Blob.zig:2398-2412) extracts response.body.list.items and never frees response.body (whose ownership simple_request.zig:300-307 explicitly transfers to the callback — see the doc at line 20: "body is owned and dont need to be copied, but dont forget to free it"). Under .clone, toArrayBufferViewWithBytes (3980) copies via Bun__createArrayBufferForCopy, and toStringWithBytes's all-ASCII arm (3810-3813) installs Store.external as the finalizer — which only does this.deref() (Store.zig:63-67) and never frees the byte pointer. Net: every successful s3file.text()/.arrayBuffer()/.bytes()/.json()/.formData() leaks the entire downloaded body buffer — by far the largest per-call leak in the subsystem. Fix: change Blob.zig:119 from .clone to .temporary. None of the PR-modified static methods trigger a download, so this is unrelated to the PR's actual changes.

Extended reasoning...

What the bug is

doReadFromS3 (Blob.zig:114-123) is the entry point for s3file.text() / .arrayBuffer() / .bytes() / .json() / .formData() (via toString/toArrayBufferView/toJSON/toFormData → isS3() → doReadFromS3). It binds the bytes consumer with the wrong lifetime:

// Blob.zig:117-121 const WrappedFn = struct { pub fn wrapped(b: *Blob, g: *JSGlobalObject, by: []u8) jsc.JSValue { return jsc.toJSHostCall(g, @src(), Function, .{ b, g, by, .clone }); } }; return S3BlobDownloadTask.init(global, this, WrappedFn.wrapped);

while its file-read sibling NewReadFileHandler (read_file.zig:24-26), which feeds the same Function set, correctly uses .temporary. The .clone contract assumes buf lives inside this.store — see the comment at Blob.zig:3812: "the store owns the memory" and the assert at 3817 (store.data == .bytes) for the .transfer arm. For an S3 store, this.store.data == .s3, which holds only credentials+path — never the downloaded body.

Where the bytes come from and why nothing frees them

S3HttpSimpleTask.onResponse for .download (simple_request.zig:300-313) moves the accumulated response_buffer into the callback's result.success.body and resets its own copy to empty (this.response_buffer = .{ .allocator = ..., .list = .{ .items = &.{}, .capacity = 0 } }), so its own defer this.deinit() → response_buffer.deinit() is a no-op. The S3DownloadResult doc at simple_request.zig:20 explicitly states: "body is owned and dont need to be copied, but dont forget to free it".

onS3DownloadResolved (Blob.zig:2398-2412) does:

.success => |response| { const bytes = response.body.list.items; ... try jsc.AnyPromise.wrap(..., S3BlobDownloadTask.callHandler, .{ this, bytes }); },

with no defer response.body.deinit(). S3BlobDownloadTask.deinit() (2445-2450) frees the task struct, derefs the S3 store, and deinits the Strong — but never sees response.body. So the only way the body buffer can be freed is if the consumer (toStringWithBytes/toArrayBufferViewWithBytes/etc.) adopts it. Under .clone, none of them do.

Why .clone leaks for every consumer

toArrayBufferViewWithBytes .clone arm (Blob.zig:3980): jsc.ArrayBuffer.create(global, buf, ...) → array_buffer.zig:150-156 → Bun__createArrayBufferForCopy / Bun__createUint8ArrayForCopy, which copy buf into a fresh JS-managed allocation. The original buf is never freed. (Contrast .temporary at 4015: ArrayBuffer.fromBytes(buf, ...).toJS(global) adopts buf and frees it via the default allocator on GC.)

toStringWithBytes all-ASCII .clone arm (Blob.zig:3810-3813): this.store.?.ref(); return ZigString.init(buf).external(global, this.store.?, Store.external) — creates a JS string that points directly into buf with the S3 store as finalizer context. Store.external (Store.zig:63-67) is { if (ptr == null) return; bun.cast(*Store, ptr).deref(); } — it ignores the byte pointer entirely. So when the JS string is GC'd, the S3 store is deref'd but buf is never freed.

toStringWithBytes non-ASCII branch (Blob.zig:3789-3801): allocates UTF-16 and returns; raw_bytes is freed only when lifetime == .temporary (3797-3799). Under .clone, the original buffer leaks.

toJSONWithBytes / toFormDataWithBytes: same pattern (they call into the same lifetime switch or copy-only paths).

Impact

Every successful s3file.text() / .json() / .arrayBuffer() / .bytes() / .formData() leaks the entire downloaded body buffer (object size + ArrayList over-capacity). For a service that loops await client.file(key).arrayBuffer() over many objects, native heap grows by the sum of all downloaded sizes — orders of magnitude larger than any other leak flagged on this PR (which are per-call structs, paths, or credential strings).

Step-by-step proof — await Bun.s3('bucket/key').arrayBuffer() (1 MB object)

Blob.toArrayBufferView → isS3() → doReadFromS3(toArrayBufferWithBytes, global) (Blob.zig:4040). WrappedFn.wrapped binds lifetime = .clone.

S3BlobDownloadTask.init (Blob.zig:2414+): .blob = blob.dupe() (S3 store rc+1), schedules S3.download.

HTTP 200. S3HttpSimpleTask.onResponse (simple_request.zig:300-307) moves the 1 MB response_buffer into result.success.body and resets its own to empty; defer this.deinit() later frees only the empty buffer. Ownership of the 1 MB allocation (ptr B) is now with the callback.

onS3DownloadResolved (Blob.zig:2402): bytes = response.body.list.items (~1 MB heap, ptr B). No defer response.body.deinit().

Handler → toArrayBufferViewWithBytes(&task.blob, global, bytes, .clone, .ArrayBuffer) → line 3980: ArrayBuffer.create(global, buf, .ArrayBuffer) → Bun__createArrayBufferForCopy allocates a fresh JS ArrayBuffer and memcpys buf into it.

Promise resolves with the copied ArrayBuffer. defer this.deinit() (Blob.zig:2399) frees the task struct, derefs the S3 store, deinits the Strong — but never frees ptr B.

Net: 1 MB leaked. Repeat in a loop and native heap grows unboundedly.

For the all-ASCII text() case, replace step 5 with ZigString.init(buf).external(global, s3_store, Store.external): the JS string points directly at B; on GC, Store.external(s3_store, B.ptr, B.len) runs and only does s3_store.deref() — B is still never freed.

How to fix

Change Blob.zig:119 from .clone to .temporary, matching NewReadFileHandler at read_file.zig:26. Under .temporary: toArrayBufferViewWithBytes adopts buf via ArrayBuffer.fromBytes(...).toJS() (Blob.zig:4015, default-allocator-freed on GC); toStringWithBytes adopts via toExternalValue (3842) or clone+free (3832-3839); the non-ASCII branch frees raw_bytes at 3797-3799. (Optionally also have onS3DownloadResolved pass response.body.list.allocatedSlice() truncated to .items.len so the freed pointer matches the allocation base, though with mimalloc the items pointer suffices.)

Relationship to this PR / not a duplicate

Pre-existing — the PR diff does not touch doReadFromS3, S3BlobDownloadTask, onS3DownloadResolved, or any download-side code, and none of the six PR-modified static methods (presign/unlink/write/size/exists/stat) trigger a download. Flagged because (a) it is the download-side counterpart of the upload/request-side ownership defects already enumerated on this PR (#3199552705/#3201498672 destination_blob, #3200790769 small-upload Wrapper, #3201498669 credentials.dupe()), in the same "native buffer ownership confused with store ownership" class; (b) it is by far the largest per-call leak in the subsystem (full object body vs. a struct/path/credentials); and (c) the fix is a one-token change in the same file as several existing comments. None of the existing PR comments mention doReadFromS3, S3BlobDownloadTask, onS3DownloadResolved, Lifetime.clone, Store.external, response.body, or the download path at all.

claude · 2026-05-08T12:00:21Z

🟣 🟣 Pre-existing (unrelated to this PR — track as a separate issue): structuredClone/postMessage of an S3-backed Blob is broken. _onStructuredCloneSerialize (Blob.zig:419-420) computes store_tag = if (store.data == .file) .file else .bytes, so a .s3 store is tagged .bytes, but Store.serialize()'s .s3 arm (Store.zig:226-232) then writes a file-shaped payload (u8 pathlike_tag=1 + u32 path_len + path). On deserialize, the .bytes arm (Blob.zig:543-545) reads the first 4 bytes as bytes_len (e.g. LE[01,03,00,00] = 769 for a 3-byte key), readSlice(769) overruns the ~13 remaining bytes → error.TooSmall → user sees "Blob.onStructuredCloneDeserialize failed". Store.SerializeTag (Store.zig:203-207) has no .s3 variant and the deserialize switch has no .s3 arm. Fix: add a .s3 SerializeTag with matching serialize/deserialize arms, or as a stopgap reject S3 blobs in onStructuredCloneSerialize with a clear error. Entirely orthogonal to this PR's tag-flips (none of the six PR-modified static methods produce a long-lived clonable Blob — they all defer blob.deinit()).

Extended reasoning...

What the bug is

Blob._onStructuredCloneSerialize (Blob.zig:419-422) computes the store tag with a two-way conditional that predates the .s3 store variant:

const store_tag: Store.SerializeTag = if (this.store) |store| if (store.data == .file) .file else .bytes else .empty;

For a .s3 store this evaluates to .bytes and writes that tag byte. Then store.serialize() is called, whose .s3 arm (Store.zig:226-232) writes a file-path-shaped payload:

.s3 => |s3| { const pathlike_tag: jsc.Node.PathOrFileDescriptor.SerializeTag = .path; // = 1 (types.zig:908) try writer.writeInt(u8, @intFromEnum(pathlike_tag), .little); const path_slice = s3.pathlike.slice(); try writer.writeInt(u32, @as(u32, @truncate(path_slice.len)), .little); try writer.writeAll(path_slice); },

So the byte stream after the store_tag is [u8 pathlike_tag = 1] [u32 path_len LE] [path bytes] — not the [u32 bytes_len] [bytes] [u32 name_len] [name] shape the .bytes deserialize arm expects.

The deserialize side

_onStructuredCloneDeserialize (Blob.zig:540-545) reads the tag back as .bytes and then:

.bytes => bytes: { const bytes_len = try reader.readInt(u32, .little); const bytes = try readSlice(reader, bytes_len, allocator);

readInt(u32) consumes the first 4 bytes after the tag — i.e. [pathlike_tag, path_len[0], path_len[1], path_len[2]]. For a 3-byte path that is LE[0x01, 0x03, 0x00, 0x00] = 769. readSlice(reader, 769, allocator) then attempts to read 769 bytes from a stream that only has path_len[3] + path + trailer (~12-13 bytes) remaining → error.TooSmall → caught at the top of onStructuredCloneDeserialize → throws "Blob.onStructuredCloneDeserialize failed".

Why nothing prevents it

Store.SerializeTag (Store.zig:203-207) is enum(u8) { file=0, bytes=1, empty=2 } — there is no .s3 variant, so the tag computation at Blob.zig:419-420 has nothing correct to pick, and the deserialize switch at Blob.zig:542+ has no .s3 arm. There is no guard rejecting S3 blobs in onStructuredCloneSerialize. readSlice bounds-checks against the remaining stream length (so it gracefully fails with error.TooSmall rather than reading out of bounds), but the surfaced error is opaque. The presence of an explicit .s3 => arm in Store.serialize() shows S3 serialization was intended — the tag enum and tag computation were just never extended past the original two-variant {file, bytes} store.

Impact

structuredClone(Bun.s3(...)), structuredClone(Bun.file("s3://...")), and worker.postMessage(s3file) are completely broken — they never reconstruct the S3 blob. In the common case the user sees a cryptic "Blob.onStructuredCloneDeserialize failed" error.

There is also a secondary risk: if the misread bytes_len happens to be satisfiable (e.g. a longer key plus other objects later in the same structured-clone payload), the deserializer would silently construct a .bytes Blob whose contents are misaligned bytes from the rest of the stream (the high byte of path_len + the path + the is_jsdom_file/last_modified trailer + adjacent serialized objects), then continue reading the trailer fields from the wrong offset — silent data corruption rather than a thrown error. The graceful-failure case is much more likely in practice, but the format mismatch makes silent corruption possible in principle.

Step-by-step proof — structuredClone(Bun.s3("b/k"))

Serialize:

_onStructuredCloneSerialize writes offset(u52), is_all_ascii(u8), size(u52), content_type_len(u32), content_type, content_type_was_set(u8).

Blob.zig:419-420: store.data == .s3, so store.data == .file is false → store_tag = .bytes (= 1). Writes u8 1.

store.serialize() → .s3 arm: writes u8 pathlike_tag = .path = 1, then u32 path_len = 3 (LE: 03 00 00 00), then "b/k" (3 bytes). Stream after the store_tag: [01, 03, 00, 00, 00, b, /, k] (8 bytes).

Trailer: is_jsdom_file (u8 = 0) + last_modified (f64, 8 bytes). ~17 bytes remain after the store_tag.

Deserialize:
5. readEnum(Store.SerializeTag) → .bytes.
6. .bytes arm: bytes_len = readInt(u32, .little) reads [01, 03, 00, 00] → bytes_len = 769.
7. readSlice(reader, 769, allocator): only ~13 bytes remain ([00, b, /, k, 00, <8-byte f64>]). n != 769 → return error.TooSmall.
8. Caught at the top of onStructuredCloneDeserialize → throws "Blob.onStructuredCloneDeserialize failed".

How to fix

Add an .s3 = 3 variant to Store.SerializeTag (Store.zig:203-207); change Blob.zig:419-422 to a 3-way switch (store.data) { .file => .file, .bytes => .bytes, .s3 => .s3 }; have the .s3 serialize arm also write enough state to reconstruct the file (at minimum bucket/endpoint/region — the path alone is insufficient since credentials are not portable across contexts); and add an .s3 => arm to the deserialize switch at Blob.zig:542+ that rebuilds an S3 store from the env credentials in the receiving context. Alternatively, as a stopgap, reject S3 blobs in onStructuredCloneSerialize with a clear "S3 files cannot be structured-cloned" error rather than producing a malformed stream.

Relationship to this PR / not a duplicate

Pre-existing and entirely unrelated to this PR. Neither Blob.zig:419-422 nor Store.zig:203-243 are in the diff. None of the six PR-modified static methods produce a long-lived S3 blob that could reach structuredClone — they all defer blob.deinit() on a stack-local temporary. The PR adds no callers to onStructuredCloneSerialize, does not change what flows there, and does not copy/extend the buggy pattern. The connection ("Store.serialize()'s .s3 arm reads the same s3.pathlike field this PR's discussion revolves around" / "#3189832498 directs the author into Store.zig") is purely associative — and the Store.zig changes referenced there are not actually in the current diff. None of the 45 existing comments mention structuredClone/postMessage, Store.SerializeTag, _onStructuredCloneSerialize/Deserialize, Blob.zig:419-420, or Store.zig:226. Given the volume of pre-existing S3-subsystem findings already piled onto this 6-line memory-safety fix, this is best tracked as a separate issue rather than blocking the merge.

claude · 2026-05-06T12:59:21Z

🟣 Pre-existing: when fixing the S3Client.zig instance methods (per comment #2997528729), note that defer blob.detach() there is also the wrong cleanup primitive — Blob.detach() only derefs the store and never frees blob.content_type (Blob.zig:3676-3679). constructS3FileWithS3CredentialsAndOptions heap-allocates content_type whenever a user-supplied type option misses the built-in MIME table, so every instance-method call with e.g. { type: "application/x-custom" } leaks one allocation. The PR-modified static methods here at S3File.zig:88 already use defer blob.deinit(), which is correct — the S3Client.zig side should switch detach()→deinit() in the same pass.

Extended reasoning...

What the bug is

The seven S3Client.zig instance methods — presign (line 158), exists (175), size (192), stat (209), write (227), listObjects (243), unlink (257), plus staticWrite (319) — clean up their stack-allocated temporary Blob with defer blob.detach(). But Blob.detach() is the wrong primitive for a Blob that may carry an allocated content_type: it only does store.deref(); store = null (Blob.zig:3676-3679) and never frees blob.content_type or derefs blob.name. Only Blob.deinit() (Blob.zig:3721-3735) does both — it calls detach(), then name.deref(), then bun.default_allocator.free(content_type) when content_type_allocated == true.

The specific code path that triggers it

constructS3FileWithS3CredentialsAndOptions (S3File.zig:257-304, in this PR's preloaded source) processes the type option as follows when opts.isObject() and opts.type is a string:

if (globalObject.bunVM().mimeType(str.slice())) |entry| { blob.content_type = entry.value; // static string, no allocation break :inner; } const content_type_buf = bun.handleOom(allocator.alloc(u8, slice.len)); blob.content_type = strings.copyLowercase(slice, content_type_buf); blob.content_type_allocated = true; // ← heap-owned, must be freed by Blob.deinit()

So whenever the user passes a type value that is all-ASCII but is not found in the built-in MIME table, the returned Blob carries a heap-allocated content_type buffer that lives only on the Blob struct (not on the store).

Why existing code does not prevent it

The Blob returned by constructS3FileWithS3CredentialsAndOptions is held by value on the stack (var blob = try ...). It is never wrapped by a JS object, so GC finalization never runs on it. The only cleanup is the explicit defer blob.detach(). detach() is documented to release the store reference and nothing else; it deliberately does not touch content_type because in the GC-managed case Blob.deinit() (the finalizer) handles that. Here, with no finalizer, content_type has no other owner.

Contrast with the structurally identical S3File.zig static methods that this PR modifies: at the line this comment is anchored to (S3File.zig:88) and at lines 119, 157, 197, 231, 583, the static-method side uses defer blob.deinit(), which correctly frees content_type. So the static side is already correct — only the S3Client.zig instance-method side leaks.

Impact

A small heap leak (len(type) bytes) per instance-method call with a custom MIME type. Trivially user-reachable, and unbounded in long-running processes that loop over S3 operations with non-standard content types.

Step-by-step proof

const client = new Bun.S3Client({ bucket: "b" }); client.presign("key", { type: "application/x-custom-thing" });

S3Client.presign (S3Client.zig:~150-160) parses path, then calls var blob = try constructS3FileWithS3CredentialsAndOptions(globalThis, path, options, this.credentials, ...).

Inside, opts.isObject() is true, opts.type is "application/x-custom-thing" (all ASCII). globalObject.bunVM().mimeType("application/x-custom-thing") returns null (not in the table).

allocator.alloc(u8, 26) allocates buffer C; blob.content_type = C; blob.content_type_allocated = true. Function returns blob by value.

Back in presign: defer blob.detach() is registered. getPresignUrlFrom(&blob, ...) runs (success or failure — irrelevant).

On scope exit, blob.detach() runs: store.deref() → store freed (ref 1→0). Buffer C is never freed — detach() does not look at content_type.

blob (stack value) is discarded. C is leaked.

The same trace applies to exists/size/stat/write/listObjects/unlink.

How to fix

Change defer blob.detach() → defer blob.deinit() in all the affected S3Client.zig instance methods, matching what the S3File.zig static methods already do at the line this comment is attached to. This is safe: deinit() is a strict superset of detach() for a stack-allocated Blob.

Relationship to this PR

This is pre-existing — the current PR diff does not touch S3Client.zig. It is flagged here because (a) existing comment #2997528729 already directs the author to edit exactly these S3Client.zig instance methods for the path double-free, and switching detach()→deinit() fixes both issues in one pass; (b) it is the direct mirror of the PR-modified S3File.zig static methods that already do this correctly; and (c) it is distinct from #2997528729 (which covers the path resource via the errdefer path.deinit() interaction) — this is a separate resource (content_type) leaked via a different mechanism (wrong cleanup primitive on the success path), and no existing comment on this PR mentions it.

claude · 2026-05-07T10:40:40Z

🟣 Pre-existing: getPresignUrlFrom (called here at line 89) seeds credentialsWithOptions with only .credentials and .request_payer from the store, and only reassigns via s3.getCredentialsWithOptions(options, ...) when extra_options != null — so client.presign("key") silently drops the client's configured acl/storageClass from the signed URL while client.presign("key", {}) includes them. Fix: also seed .acl = s3.acl, .storage_class = s3.storage_class, .options = s3.options in the literal at S3File.zig:481-484 (or call s3.getCredentialsWithOptions(extra_options, ...) unconditionally — it already handles null). While in that function, also fix the typo at S3File.zig:497: "expiresIn must be greather than 0" → "greater".

Extended reasoning...

What the bug is

getPresignUrlFrom (S3File.zig:472-517) initializes credentialsWithOptions as:

var credentialsWithOptions: S3.S3CredentialsWithOptions = .{ .credentials = s3.getCredentials().*, .request_payer = s3.request_payer, };

S3CredentialsWithOptions (credentials.zig:764-777) defaults acl: ?ACL = null and storage_class: ?StorageClass = null, so this literal leaves .acl/.storage_class/.options at their struct defaults rather than reading s3.acl / s3.storage_class / s3.options from the store. The reassignment credentialsWithOptions = try s3.getCredentialsWithOptions(options, globalThis) is gated inside if (extra_options) |options| { ... }, so it only runs when extra_options != null. Those defaults are then passed straight to signRequest (.acl = credentialsWithOptions.acl, .storage_class = credentialsWithOptions.storage_class), and signRequest (credentials.zig:537-539, 567-568) emits X-Amz-Acl=... / x-amz-storage-class=... query params iff non-null.

Observable inconsistency

Store.S3.getCredentialsWithOptions (Store.zig:309-310) does forward this.acl, this.storage_class as defaults to the underlying credentials parser, and that function handles a non-object options correctly (returns the defaults). So when extra_options is non-null — even an empty {} — the store's acl/storage_class flow through; when it is null, they are silently dropped. Net: client.presign("key") and client.presign("key", {}) produce different presigned URLs for the same client.

The fact that .request_payer is copied from s3 in the literal confirms the intent was for store-level settings to flow through — .acl/.storage_class were simply forgotten when those fields were added to the struct.

Reachability

This is reached from three places: (1) S3Client.presign instance method (S3Client.zig:157-159), which builds the blob via constructS3FileWithS3CredentialsAndOptions(..., ptr.acl, ptr.storage_class, ...) so store.data.s3.acl = ptr.acl, then calls getPresignUrlFrom(&blob, globalThis, options) where options = args.nextEat() is null for one-arg calls; (2) the prototype .presign() at S3File.zig:549; (3) the .blob arm at S3File.zig:91. At the PR-anchored static-method call site (line 89, .path arm), the freshly-built store has acl = null (it was constructed via constructS3FileWithS3Credentials with null defaults), so the defect is unobservable on that specific path — this is flagged here because getPresignUrlFrom sits two lines below the PR's tag-flip and is the same function the PR's whole presign discussion revolves around.

Step-by-step proof

const client = new Bun.S3Client({ bucket: "b", accessKeyId: "x", secretAccessKey: "y", acl: "public-read" }); client.presign("key"); // presigned URL has NO X-Amz-Acl client.presign("key", {}); // presigned URL DOES have X-Amz-Acl=public-read

S3Client.presign builds blob with store.data.s3.acl = "public-read".

One-arg call: args.nextEat() returns null (CallFrame.zig:288-294) → getPresignUrlFrom(&blob, globalThis, null).

Struct literal sets credentialsWithOptions.acl = null (default). if (extra_options) |options| → false → reassignment skipped.

signRequest receives .acl = null → credentials.zig:537 skips the X-Amz-Acl query param.

Two-arg call with {}: extra_options is non-null → s3.getCredentialsWithOptions({}, ...) runs → Store.zig:310 passes this.acl ("public-read") as the default → signRequest receives .acl = .public_read → X-Amz-Acl=public-read is included.

Same trace applies to storage_class.

How to fix

Either initialize the literal with the store's values:

var credentialsWithOptions: S3.S3CredentialsWithOptions = .{ .credentials = s3.getCredentials().*, .options = s3.options, .acl = s3.acl, .storage_class = s3.storage_class, .request_payer = s3.request_payer, };

or drop the literal entirely and unconditionally do var credentialsWithOptions = try s3.getCredentialsWithOptions(extra_options, globalThis); (it already handles null, and pulling it above the method/expiresIn reads avoids the redundant double-init).

Companion typo

While editing this function: S3File.zig:497 reads "expiresIn must be greather than 0" — should be "greater". Same wrong-string-literal class as #2996283366 (stat "get size") and #3200173422 (sessionToken "bucket") already on this PR; folded in here rather than posted as a separate comment to keep the review noise down.

Relationship to this PR

Both are pre-existing — the PR does not modify getPresignUrlFrom. None of the existing PR comments mention acl/storage_class, the extra_options == null branch, the presign()-vs-presign({}) divergence, "greather", or expiresIn.

claude · 2026-05-07T13:13:11Z

🟣 Pre-existing companion to #3200790776 in the same function: the signRequest struct literal at S3File.zig:505-513 passes .content_disposition and .content_type from credentialsWithOptions but omits .content_encoding, even though getCredentialsWithOptions parses/validates options.contentEncoding (credentials_jsc.zig:222-239), SignOptions has the field (credentials.zig:236), signRequest consumes it (credentials.zig:351-354/464/654/741-745), and every other S3 entry point passes it (e.g. executeSimpleS3Request at simple_request.zig:383). So Bun.S3Client.presign('key', { contentEncoding: 'gzip' }) parses, allocates, and validates the option, then silently drops it from the presigned URL — content-encoding never appears in SignedHeaders. Distinct from #3200790776, which covers acl/storage_class in the initial credentialsWithOptions literal at 481-484 (the extra_options == null gap); this is a missing field in the signRequest call literal and affects the options-present path. Fix: add .content_encoding = credentialsWithOptions.content_encoding alongside .content_disposition/.content_type in the same block #3200790776 already directs the author to edit.

Extended reasoning...

What the bug is and how it manifests

getPresignUrlFrom (S3File.zig:472-518) — called here at line 89, two lines after this PR's tag-flip — builds the signRequest struct literal at lines 505-513 as:

const result = credentialsWithOptions.credentials.signRequest(.{ .path = path, .method = method, .acl = credentialsWithOptions.acl, .storage_class = credentialsWithOptions.storage_class, .request_payer = credentialsWithOptions.request_payer, .content_disposition = credentialsWithOptions.content_disposition, .content_type = credentialsWithOptions.content_type, }, false, .{ .expires = expires }) catch |sign_err| { ... };

It passes .content_disposition and .content_type from credentialsWithOptions but omits .content_encoding. Yet SignOptions (credentials.zig:236) has content_encoding: ?[]const u8 = null, S3CredentialsWithOptions (credentials.zig:771) has content_encoding: ?[]const u8 = null, and getCredentialsWithOptions (credentials_jsc.zig:222-239) parses options.contentEncoding into it — including a CR/LF validation throw at line 231. So the option is fully parsed, allocated, and validated, then silently dropped at the signRequest call boundary.

The specific code path that triggers it

Any presign call — Bun.S3Client.presign(path, opts) (S3File.zig:89), the prototype .presign(opts) (S3File.zig:549), the .blob arm (S3File.zig:91), or S3Client#presign(path, opts) (S3Client.zig:~159) — that supplies { contentEncoding: '...' }. The if (extra_options) |options| branch at S3File.zig:489-501 reassigns credentialsWithOptions = try s3.getCredentialsWithOptions(options, globalThis) (line 501) → Store.S3.getCredentialsWithOptions (Store.zig:309-310) → S3Credentials.getCredentialsWithOptions → credentials_jsc.zig:222 reads options.contentEncoding, validates it (line 231 throws on CR/LF), and stores it in new_credentials.content_encoding. But the signRequest literal three statements later never reads that field.

Why existing safeguards don't prevent it

SignOptions.content_encoding defaults to null (credentials.zig:236), so omitting it from the struct literal compiles silently and signRequest just sees null. signRequest consumes the field exactly when non-null: it extracts it at credentials.zig:351-354, folds it into SignedHeaders.Key at line 464, includes it in the canonical request format string at lines 654/816/845, and emits the content-encoding header at lines 741-745. With null, all of those branches are skipped. Nothing downstream re-derives content_encoding from credentialsWithOptions.

The asymmetry vs. .content_disposition/.content_type (which are passed in the same literal, one and two lines above) confirms this is an oversight rather than intentional. And every other S3 entry point in the codebase passes it through: executeSimpleS3Request at simple_request.zig:383 (.content_encoding = options.content_encoding, right next to .content_disposition at 382), multipart at multipart.zig:319/612/691, upload/uploadStream at client.zig:257/317/498, and all writeFileInternal sites at Blob.zig:1134/1287/1330/1362/1570/1633/2614. getPresignUrlFrom is the lone holdout.

Impact

Bun.S3Client.presign('key', { contentEncoding: 'gzip' }) — and the prototype/instance presign equivalents — produces a presigned URL whose signature does not include content-encoding in SignedHeaders, so a client uploading via that URL cannot have S3 store the object with Content-Encoding: gzip metadata via the presigned headers (sending an unsigned Content-Encoding header alongside a SigV4-presigned PUT either fails signature verification or is ignored as metadata, depending on the provider). This is a user-visible functional bug that affects the options-present path regardless of whether extra_options is null — unlike #3200790776, which is null-only.

Step-by-step proof — Bun.S3Client.presign('key', { contentEncoding: 'gzip', bucket: 'b', accessKeyId: 'x', secretAccessKey: 'y' })

S3File.presign (S3File.zig:63-91) parses path_or_blob = .path, enters the .path arm, calls constructS3FileInternalStore (S3File.zig:86) → store with credentials. PR's tag-flip at line 87.

S3File.zig:89: getPresignUrlFrom(&blob, globalThis, options) with options = { contentEncoding: 'gzip', ... }.

Line 489: extra_options is non-null → enters the block. Line 501: credentialsWithOptions = try s3.getCredentialsWithOptions(options, globalThis).

→ credentials_jsc.zig:222: opts.getTruthyComptime('contentEncoding') → 'gzip'. Line 224-228: bun.String.fromJS → toUTF8 → new_credentials.content_encoding = 'gzip' (allocated). Line 231: CR/LF check passes. Returns. credentialsWithOptions.content_encoding = 'gzip'.

S3File.zig:505-513: the signRequest struct literal copies .content_disposition = credentialsWithOptions.content_disposition and .content_type = credentialsWithOptions.content_type, but does not copy .content_encoding. SignOptions.content_encoding defaults to null.

credentials.zig:351-354: const content_encoding = signOptions.content_encoding → null. Line 464: SignedHeaders.Key{ ..., .content_encoding = (content_encoding != null) } → false. Lines 654/816/845: the canonical-request content-encoding: line is omitted. Lines 741-745: the content-encoding header is not emitted.

The presigned URL's X-Amz-SignedHeaders query param does not contain content-encoding. The user's { contentEncoding: 'gzip' } was parsed, allocated, validated, then silently discarded.

How to fix

Add one line to the signRequest struct literal at S3File.zig:505-513:

const result = credentialsWithOptions.credentials.signRequest(.{ .path = path, .method = method, .acl = credentialsWithOptions.acl, .storage_class = credentialsWithOptions.storage_class, .request_payer = credentialsWithOptions.request_payer, .content_disposition = credentialsWithOptions.content_disposition, .content_type = credentialsWithOptions.content_type, .content_encoding = credentialsWithOptions.content_encoding, // ← add }, false, .{ .expires = expires }) catch |sign_err| { ... };

This is a one-line addition in the same block #3200790776 already directs the author to edit.

Relationship to this PR / not a duplicate

This is pre-existing — the PR diff does not modify getPresignUrlFrom. Distinct from #3200790776, which covers acl/storage_class in the initial credentialsWithOptions literal at lines 481-484 (the extra_options == null gap) and the 'greather' typo at 497 — that fix (seeding the initial literal, or calling getCredentialsWithOptions unconditionally) does not add .content_encoding to the signRequest call literal at 505-513, and this bug affects the options-present path which #3200790776's null-gap does not. None of the existing PR comments mention content_encoding/contentEncoding. Anchored at line 89 (the PR-modified getPresignUrlFrom call site).

claude · 2026-05-07T17:25:12Z

🟣 🟣 Pre-existing correction to #3201670545: that comment's recommended one-line fix (add .content_encoding = credentialsWithOptions.content_encoding to the signRequest literal at S3File.zig:505-513) is a no-op for presign, because signRequest's presigned-URL branch never reads content_encoding. getPresignUrlFrom passes a non-null third arg (S3File.zig:513) → signQuery = true (credentials.zig:362), and the signQuery branch hardcodes X-Amz-SignedHeaders=host (line 471/553) and emits only response-content-disposition (513-517/555-557/620-622) and response-content-type (519-523/559-561/624-626) — there is no encoded_content_encoding buffer and no response-content-encoding={s} append. The credentials.zig:464/654/741-745 references #3201670545 cites are all in the non-signQuery else branch (used by executeSimpleS3Request). Fix: in addition to #3201670545's S3File.zig change, add a response-content-encoding encode + query-param block in the signQuery branch between lines 557 and 559 (and 622/624 in url_query_parts).

Extended reasoning...

What the bug is

Existing comment #3201670545 correctly observes that getPresignUrlFrom's signRequest struct literal at S3File.zig:505-513 omits .content_encoding while passing .content_disposition and .content_type, and recommends adding .content_encoding = credentialsWithOptions.content_encoding. That recommendation is accurate as far as it goes — but it is insufficient on its own: applying it produces a byte-identical presigned URL, because signRequest's presigned-URL code path never reads signOptions.content_encoding.

The specific code path

getPresignUrlFrom calls credentialsWithOptions.credentials.signRequest(.{...}, false, .{ .expires = expires }) (S3File.zig:513). The non-null third argument makes signQuery = true (credentials.zig:362: const signQuery = signQueryOption != null). Execution then takes the if (signQuery) branch at credentials.zig:498-645. That branch:

Line 471: const signed_headers = if (signQuery) "host" else SignedHeaders.get(header_key); — hardcodes "host". So header_key.content_encoding (computed at line 464) is dead on this path; even if content_encoding were non-null, it could never appear in SignedHeaders for a presigned URL.

Lines 513-517: URI-encodes content_disposition into encoded_content_disposition.

Lines 519-523: URI-encodes content_type into encoded_content_type.

Lines 555-557 / 620-622: emits response-content-disposition={s} into both query_parts (canonical request) and url_query_parts (final URL).

Lines 559-561 / 624-626: emits response-content-type={s} likewise.

There is no encoded_content_encoding buffer, no response-content-encoding={s} append, and the alphabetical-order comments at lines 531/594 do not list it.

The lines #3201670545 cites as evidence that "signRequest consumes it" — credentials.zig:464 (SignedHeaders.Key), 654 (canonical-request format), 741-745 (content-encoding header emission) — all live in the non-signQuery else branch, which is reached only when signQueryOption == null (i.e. executeSimpleS3Request at simple_request.zig:378). The signQuery branch returns early at credentials.zig:680-692, so 741-745 is unreachable for presign.

Why #3201670545's fix alone is ineffective

Trace for Bun.S3Client.presign('key', { contentEncoding: 'gzip', bucket: 'b', accessKeyId: 'x', secretAccessKey: 'y' }) with #3201670545's one-line fix applied:

getPresignUrlFrom → S3File.zig:501: credentialsWithOptions = s3.getCredentialsWithOptions(options, ...) → credentialsWithOptions.content_encoding = 'gzip' (parsed/validated at credentials_jsc.zig:222-239).

(with fix) S3File.zig:~513: signRequest({..., .content_encoding = 'gzip'}, false, .{ .expires }).

credentials.zig:351-354: const content_encoding = signOptions.content_encoding → 'gzip'. Line 362: signQuery = true. Line 471: signed_headers = "host" — content_encoding is not folded in.

Line 498: enters if (signQuery). Lines 513-523: encode content_disposition/content_type only. Lines 529-575: build query_parts — response-content-disposition (555-557) and response-content-type (559-561) are appended iff non-null; content_encoding is never read. Same for url_query_parts at 592-626.

Returned URL has no response-content-encoding query param and X-Amz-SignedHeaders=host only. Output is identical to before the fix.

So the author would apply #3201670545, see it compile, and believe contentEncoding is plumbed through to presign — when it is still silently dropped at the second of two layers.

Impact

response-content-encoding is a standard S3 GetObject response-override query parameter (alongside response-content-disposition and response-content-type, which Bun already supports). Without it, there is no way to request a presigned GET URL that overrides the served Content-Encoding header — the user's { contentEncoding: 'gzip' } is parsed, allocated, and CR/LF-validated (credentials_jsc.zig:231), then discarded. Functional bug, not memory-safety; same "option silently dropped at consumer call site" class as #3200790776/#3201670545/#3202066991.

How to fix

In addition to #3201670545's S3File.zig change, in signRequest's signQuery branch:

After credentials.zig:523, add an encode block:
var content_encoding_encoded_buffer: [256]u8 = undefined; var encoded_content_encoding: ?[]const u8 = null; if (content_encoding) |ce| { encoded_content_encoding = encodeURIComponent(ce, &content_encoding_encoded_buffer, true) catch return error.FailedToGenerateSignature; }

Between lines 557 and 559 (and 622/624 in url_query_parts), insert (alphabetical: disposition < encoding < type):
if (encoded_content_encoding) |ce| { try query_parts.append(try std.fmt.allocPrint(allocator, "response-content-encoding={s}", .{ce})); }

Bump the BoundedArray capacities at lines 529/592 by one and update the alphabetical-order comments at 531/594.

Relationship to this PR / not a duplicate

Pre-existing — neither S3File.zig:505-513 nor credentials.zig:498-645 are in the diff. This is a correction to #3201670545's recommended fix, in the same vein as #3201498672 (correcting #3199552705) and #3200173448 (refining #3189832498) already on this PR: same user-visible symptom (contentEncoding dropped from presign) but a materially different fix locus — #3201670545 targets only the S3File.zig literal, but the second layer of the drop is in credentials.zig's signQuery branch, and applying #3201670545 alone leaves the symptom unresolved while giving false confidence. None of the existing PR comments mention response-content-encoding, the signQuery branch's response-override params, credentials.zig:555-561/620-626, or that X-Amz-SignedHeaders=host is hardcoded for presign.

claude · 2026-05-07T18:05:25Z

🟣 🟣 Pre-existing companion to #3202066971 (the <Code>/<Message> inverted-slice crash) at a user-config-triggered site that comment does not list: guessRegion (credentials.zig:268-282, reached from signRequest at line 373 whenever region.len == 0) does endpoint[start+3..end] where start = indexOf(endpoint, "s3.") and end = indexOf(endpoint, ".amazonaws.com"), both scanning from offset 0 with no start+3 <= end guard. For endpoint: "https://s3.amazonaws.com" (the documented legacy/global S3 endpoint, normalized to "s3.amazonaws.com" at credentials_jsc.zig:74) this yields endpoint[3..2] → Debug/ReleaseSafe panic, ReleaseFast UB (underflowed .len fed into bufPrint at line 484 → wild OOB read/segfault); same for "<bucket>.s3.amazonaws.com". Reachable from this PR-modified line via getPresignUrlFrom → signRequest (e.g. Bun.S3Client.presign("k", { endpoint: "https://s3.amazonaws.com", accessKeyId: "x", secretAccessKey: "y", bucket: "b" }) with no region — the trigger is a valid, documented AWS endpoint string in user options/env, not a malformed server response). Fix: guard if (start + 3 <= end) return endpoint[start+3..end] else return "us-east-1".

Extended reasoning...

What the bug is and how it manifests

S3Credentials.guessRegion (src/s3_signing/credentials.zig:268-282) is called from signRequest at line 373 (const region = if (this.region.len > 0) this.region else guessRegion(this.endpoint)) whenever no region is configured. It does:

if (strings.indexOf(endpoint, ".amazonaws.com")) |end| { if (strings.indexOf(endpoint, "s3.")) |start| { return endpoint[start + 3 .. end]; } }

Both indexOf calls scan from offset 0 of the same string, with no check that start + 3 <= end. For the legacy/global S3 endpoint "s3.amazonaws.com" — which AWS still documents and supports — indexOf(".amazonaws.com") matches at index 2 (end = 2) and indexOf("s3.") matches at index 0 (start = 0), giving endpoint[3..2]. In Debug/ReleaseSafe Zig panics (start index 3 is larger than end index 2); in ReleaseFast (Bun's shipped build) it is undefined behaviour: the resulting slice has .ptr = endpoint.ptr+3 and .len ≈ 2^64-1. That region is then fed into std.fmt.bufPrint(&tmp_buffer, "{s}{s}{s}", .{ region, "s3", secretAccessKey }) at line 484, which walks off the end of mapped memory → segfault.

The same applies to regionless virtual-hosted endpoints "<bucket>.s3.amazonaws.com" (the canonical us-east-1 vhost form): for "mybucket.s3.amazonaws.com", end = 11, start = 9, → endpoint[12..11] → same crash.

Reachability from the PR-modified code

endpoint is normalized via bun.URL.parse(...).hostWithPath() at both entry points (credentials_jsc.zig:74-77 for the options.endpoint JS property; env_loader.zig for S3_ENDPOINT/AWS_ENDPOINT), so endpoint: "https://s3.amazonaws.com" becomes exactly "s3.amazonaws.com". From the PR's tag-flip at S3File.zig:87:

Bun.S3Client.presign("key", { endpoint: "https://s3.amazonaws.com", accessKeyId: "x", secretAccessKey: "y", bucket: "b" }); // (no `region`, no AWS_REGION/S3_REGION in env — the PR's own test explicitly strips both)

→ S3File.zig:86 constructS3FileInternalStore builds a store with credentials.endpoint = "s3.amazonaws.com", credentials.region = "" → S3File.zig:89 getPresignUrlFrom → S3File.zig:505 signRequest → credentials.zig:373: this.region.len == 0 → guessRegion("s3.amazonaws.com") → endpoint[3..2] → crash. Same path for unlink/write/size/exists/stat (S3File.zig:120/160/199/233/585) via executeSimpleS3Request → signRequest.

Why existing safeguards don't prevent it

There is no start + 3 <= end guard. The function only works when the endpoint embeds a region between s3. and .amazonaws.com (e.g. "s3.us-west-2.amazonaws.com" → correctly returns "us-west-2"). The regionless forms — which are exactly what a user reaches for when they don't know the region (precisely the region.len == 0 case that triggers guessRegion) — are not handled. The R2 check at line 270 and the "auto" fallback at line 277 sit on different branches and do not cover this case.

Impact

A user-config-triggerable process crash from a valid, documented AWS endpoint string. This is the same inverted-slice defect class as #3202066971, but with materially higher practical exposure: #3202066971 requires a malformed server response (close-tag-before-open-tag XML) from a user-configured endpoint, whereas this requires only that the user set endpoint to the AWS global endpoint without also setting region — a configuration that the AWS docs and many tutorials explicitly show.

Step-by-step proof

endpoint = "s3.amazonaws.com" (16 bytes), region = "".

credentials.zig:373: this.region.len == 0 → guessRegion("s3.amazonaws.com").

Line 270: endsWith(".r2.cloudflarestorage.com") → false.

Line 271: indexOf("s3.amazonaws.com", ".amazonaws.com") → matches at index 2 → end = 2.

Line 272: indexOf("s3.amazonaws.com", "s3.") → matches at index 0 → start = 0.

Line 273: return endpoint[0+3 .. 2] = endpoint[3..2]. 3 > 2 → Debug/ReleaseSafe panic; ReleaseFast: .ptr = endpoint.ptr+3, .len = 18446744073709551615.

Back at line 484: bufPrint(&tmp_buffer[0..4096], "{s}{s}{s}", .{ region /* len≈2^64 */, "s3", secretAccessKey }) reads off the end of mapped memory → segfault.

The vhost-form trace is identical: "mybucket.s3.amazonaws.com" → end = 11 (.amazonaws.com at index 11), start = 9 (s3. at index 9) → endpoint[12..11].

How to fix

Either guard the slice:

if (strings.indexOf(endpoint, ".amazonaws.com")) |end| { if (strings.indexOf(endpoint, "s3.")) |start| { if (start + 3 <= end) return endpoint[start + 3 .. end]; return "us-east-1"; // global/regionless AWS endpoint } }

or search for ".amazonaws.com" only after start + 3 (e.g. indexOf(endpoint[start+3..], ".amazonaws.com") and add the offset back). Same shape as #3202066971's recommended fix.

Relationship to this PR / not a duplicate

Pre-existing — the PR diff does not touch credentials.zig, and the tag-flip at S3File.zig:87 neither causes nor fixes this. Distinct from #3202066971: that comment enumerates simple_request.zig:163-173/201-210, multipart.zig:496-498, and download_stream.zig:101-112 (all server-response XML parsing); this is credentials.zig:271-273 (user-supplied endpoint config, request-side), reached on the immediate path of the PR-modified getPresignUrlFrom call at line 89. None of the existing PR comments mention guessRegion, credentials.zig:271-273, s3.amazonaws.com, or the regionless-endpoint case.

claude · 2026-05-07T18:05:25Z

🟣 Pre-existing: AWSSignatureCache (rare_data.zig:254-297) — reached from this PR-modified presign at line 89 via getPresignUrlFrom → signRequest (credentials.zig:483-496), and from every other PR-modified static method via executeSimpleS3Request → signRequest — is broken in three interlocking ways: (1) credentials.zig:484 builds the cache key into tmp_buffer, line 490 overwrites tmp_buffer with "AWS4"+secret while key still points into it, then line 495 calls cache.set(..., key, ...) with the corrupted slice — get-key and set-key never match, so the cache always misses; (2) AWSSignatureCache.get (rare_data.zig:273) returns this.cache.getKey(key) — the stored key string, not the 32-byte signing-key value — so the obvious one-line fix to (1) would make every cached request fail with SignatureDoesNotMatch; (3) set (rare_data.zig:290) does put(allocator.dupe(key), value), which discards the freshly-duped key when found_existing — and because (1) makes the corrupted set-key deterministic per (region, secret), every signRequest after the first per day leaks ~50 bytes. Fix all three together: use a separate buffer for the cache key, change getKey → getPtr (returning the value slice), and use getOrPut so the key is only duped when !found_existing.

Extended reasoning...

What the bug is

AWSSignatureCache is the per-process cache of SigV4 derived signing keys (the 4-step HMAC("AWS4"+secret, date) → region → service → "aws4_request" chain), keyed by region + "s3" + secretAccessKey and bucketed by UTC day. It has three interlocking defects that together produce a steady ~50-byte/request leak today and a latent landmine that would break all S3 requests if the most obvious of the three were fixed in isolation.

(1) tmp_buffer is overwritten between cache get and set — credentials.zig:484-495

const key = try std.fmt.bufPrint(&tmp_buffer, "{s}{s}{s}", .{ region, service_name, this.secretAccessKey }); // 484 var cache = ...awsCache(); if (cache.get(date_result.numeric_day, key)) |cached| { break :brk_sign cached; } // 486 — sees correct key const sigDate = bun.hmac.generate(try std.fmt.bufPrint(&tmp_buffer, "AWS4{s}", .{this.secretAccessKey}), ...); // 490 — OVERWRITES tmp_buffer ... cache.set(date_result.numeric_day, key, hmac_sig_service2[0..DIGESTED_HMAC_256_LEN].*); // 495 — key now reads garbage

key is a slice into the stack tmp_buffer. Line 490's second bufPrint into the same buffer overwrites the first region.len + 2 + secret.len bytes with "AWS4" + secret (length 4 + secret.len), while key.len stays at the original length. So the bytes cache.get saw at line 486 (region+"s3"+secret) and the bytes cache.set sees at line 495 ("AWS4"+secret + <stale tail of the first write>) never match — the cache always misses, and the 4-HMAC chain is recomputed on every signRequest.

(2) AWSSignatureCache.get returns the stored key, not the value — rare_data.zig:273

pub fn get(this: *@This(), numeric_day: u64, key: []const u8) ?[]const u8 { ... if (this.cache.getKey(key)) |cached| { return cached;

The map is bun.StringArrayHashMap([DIGESTED_HMAC_256_LEN]u8) = std.ArrayHashMap([]const u8, [32]u8, ...). std.ArrayHashMap.getKey returns ?K — the stored key string (the duped region+"s3"+secret-shaped bytes) — not ?V (the 32-byte derived signing key). The function type-checks because both happen to be []const u8-coercible. The caller binds the result to sigDateRegionServiceReq (credentials.zig:486-487) and uses it as the HMAC key at lines 587/669: bun.hmac.generate(sigDateRegionServiceReq, signValue, .sha256, ...). So if the cache ever hit, every signature would be HMAC-SHA256(key-string, stringToSign) instead of HMAC-SHA256(derived-signing-key, stringToSign) → AWS rejects with SignatureDoesNotMatch.

This is currently masked by (1) — the cache never hits, so the wrong return value is never used. But the obvious one-line "perf fix" to (1) (compute the cache key in a separate small buffer) would unmask (2) and break every S3 request after the first per (day, region, secret).

(3) set leaks the duped key on duplicate put — rare_data.zig:290

bun.handleOom(this.cache.put(bun.handleOom(bun.default_allocator.dupe(u8, key)), value));

std.ArrayHashMap.put is implemented as getOrPut + gop.value_ptr.* = value. When the key already exists, key_ptr is not updated — the inline dupe(u8, key) result is discarded, never stored, never freed. (Compare HotMap.insert ~130 lines below in the same file, which correctly only dupes when !found_existing.)

Because (1) makes the corrupted set-key deterministic per (region, secret) — it is always "AWS4"+secret + secret[secret.len-(region.len-2)..] for the same inputs — every signRequest after the first per day passes a key that already exists in the map. So today, with (1) in place, every S3 sign operation after the first leaks region.len + 2 + secret.len bytes (~50-60 bytes for typical 40-char AWS secrets and us-east-1).

Why existing safeguards don't prevent it

Nothing else reads or writes tmp_buffer between lines 484 and 495, so the corruption is not incidentally repaired. AWSSignatureCache.get's return type is ?[]const u8, which both getKey's ?K and a hypothetical ?[]const u8 value-slice satisfy, so the type system does not catch (2). And std.ArrayHashMap.put has no "adopt key on insert, free key on update" semantics — the caller is responsible for the duped key, and here it is passed inline with no handle to free.

Reachability from the PR

Bun.S3Client.presign("key", { accessKeyId, secretAccessKey, bucket }) → S3File.zig:86 (one line above the PR's tag-flip at 87) → getPresignUrlFrom (S3File.zig:89) → credentialsWithOptions.credentials.signRequest(...) (S3File.zig:505) → credentials.zig:483-496. The other five PR-modified static methods reach the same block via executeSimpleS3Request → signRequest. The PR's own regression test does not reach it (credentials are stripped, so signRequest returns error.MissingCredentials at credentials.zig:361 before the cache block), but every real-world use of the PR-modified static methods with credentials does.

Net user-visible impact today

The 4-HMAC SigV4 derivation is recomputed on every request (perf only — cache is dead weight).

~50 bytes of native heap leaked per S3 sign operation (presign/upload/download/stat/delete/list — anything that reaches signRequest with credentials), unbounded over a long-running process.

Latent landmine: a one-line "fix" to (1) — the bug a profiler would surface first — would activate (2) and cause every S3 request after the first per (day, region, secret) to fail with SignatureDoesNotMatch.

Step-by-step proof of (3), the live leak

for (let i = 0; i < 1000; i++) Bun.S3Client.presign('k', { accessKeyId: 'AKIA...', secretAccessKey: 'X'.repeat(40), bucket: 'b' });

Iter 1: line 484 writes "us-east-1" + "s3" + secret into tmp_buffer; key.len = 9+2+40 = 51. Line 486 get → date == 0 → miss. Line 490 overwrites tmp_buffer[0..44] with "AWS4"+secret; key now reads tmp_buffer[0..51] = "AWS4"+secret + secret[33..40] (deterministic). Line 495 set → not in map → dupe(key) (51 bytes) stored as the map key.

Iter 2: line 484 writes "us-east-1s3"+secret again. Line 486 get("us-east-1s3"+secret) → the only stored key is the corrupted one from iter 1, no match → miss. Recompute. Line 490 corrupts key identically. Line 495 set(corrupted_key, ...) → getOrPut finds the existing entry (same corrupted bytes) → put writes only value_ptr; the inline dupe(u8, key) (51 bytes) is never stored, never freed.

Iters 3..1000: identical to iter 2. 999 × 51 bytes leaked.

How to fix

All three must be fixed together:

(a) Compute the cache key into a separate small stack buffer (e.g. var key_buf: [128]u8 = undefined; const key = try std.fmt.bufPrint(&key_buf, ...);) so line 490's bufPrint into tmp_buffer does not corrupt it.

(b) Change rare_data.zig:273 to return the value: e.g. if (this.cache.getPtr(key)) |v| return v[0..]; (and keep the ?[]const u8 return type so credentials.zig:587/669 continue to receive a 32-byte slice).

(c) In set, use getOrPut and only dupe when !found_existing:
const gop = bun.handleOom(this.cache.getOrPut(key)); if (!gop.found_existing) gop.key_ptr.* = bun.handleOom(bun.default_allocator.dupe(u8, key)); gop.value_ptr.* = value;

Fixing only (a) activates (2) and breaks signing; fixing only (c) leaves the cache permanently dead.

Relationship to this PR / not a duplicate

Pre-existing — the PR diff (six tag-flips in S3File.zig + a test) does not touch credentials.zig or rare_data.zig, does not add new signRequest callers, and does not change what data flows there. None of the 34 existing PR comments mention AWSSignatureCache, tmp_buffer, getKey, rare_data.zig, or the SigV4 derived-key cache. Flagged here because it sits on the immediate call path of every PR-modified line (S3File.zig:89 → getPresignUrlFrom → signRequest; S3File.zig:120/160/199/233/585 → executeSimpleS3Request → signRequest) and is in the same per-call-leak defect family already enumerated on this PR, with the added twist that the three defects must be fixed atomically.

claude · 2026-05-07T19:42:13Z

🟣 🟣 Pre-existing companion to #3203691082 (guessRegion), ~25 lines above in the same file: guessBucket (credentials.zig:242-267) — called from the writeFormat console.log/Bun.inspect formatters at S3Client.zig:111 and S3File.zig:5 when virtual_hosted_style && endpoint.len > 0 — does return endpoint[start+1..end] where start = indexOf(endpoint, "/") and end = indexOf(endpoint, ".s3.") (line 251) or indexOf(".") (R2 branch, line 264), both scanning from offset 0 with no start+1 <= end guard. The inline comment at line 247 assumes URL-form input (https://bucket-name.s3...), but credentials.endpoint is always normalized via bun.URL.parse(...).hostWithPath() (credentials_jsc.zig:74-77; env_loader.zig:110-115), which strips the protocol and preserves the path — so the only / present comes after .s3.. For endpoint: "https://my-bucket.s3.us-east-1.amazonaws.com/prefix" (normalized to my-bucket.s3.us-east-1.amazonaws.com/prefix): end = 9, start = 36 → endpoint[37..9] → Debug/ReleaseSafe panic, ReleaseFast UB (underflowed .len fed into the {s} formatter at S3Client.zig:113 → wild OOB read). Same for the R2 branch. Reachable via console.log(new Bun.S3Client({ endpoint: "https://b.s3.region.amazonaws.com/prefix", virtualHostedStyle: true })). Not on the call path of the PR-modified static methods (formatter-only); flagged because it sits in the same block as #3203691082's guessRegion fix with the identical defect class. Fix: drop the indexOf("/") logic entirely (the input never has a protocol prefix, so the orelse fallback endpoint[0..end] is always correct), or guard if (start + 1 <= end).

Extended reasoning...

What the bug is and how it manifests

S3Credentials.guessBucket (src/s3_signing/credentials.zig:242-267) — whose doc comment at line 241 reads "This is not used for signing but for console.log output, is just nice to have" — was written assuming URL-form input, per the inline comment at line 247: "its https://bucket-name.s3.region-code.amazonaws.com/key-name". So in the AWS branch it does:

if (strings.indexOf(endpoint, ".s3.")) |end| { // its https://bucket-name.s3.region-code.amazonaws.com/key-name const start = strings.indexOf(endpoint, "/") orelse { return endpoint[0..end]; }; return endpoint[start + 1 .. end]; // ← no start+1 <= end guard }

and the R2 branch at lines 261-264 has the identical structure (end = indexOf("."), start = indexOf("/"), return endpoint[start+1..end]). Both indexOf calls scan from offset 0 of the same string, with no check that start + 1 <= end.

But credentials.endpoint is never in URL form. Both entry points normalize it via bun.URL.parse(...).hostWithPath(): credentials_jsc.zig:74-77 for the JS options.endpoint property, and env_loader.zig:110-115 for S3_ENDPOINT/AWS_ENDPOINT. hostWithPath (url.zig:28-40) strips the scheme/:// prefix entirely but preserves the path component when path.len > 1. So for input "https://my-bucket.s3.us-east-1.amazonaws.com/prefix", the stored endpoint is "my-bucket.s3.us-east-1.amazonaws.com/prefix" — the only / present is the path separator, which is necessarily after .s3.. The indexOf("/") was written to skip past https:/, but that prefix is never present, so when a / is found it is always the wrong one.

Reachability

guessBucket has exactly two call sites, both inside writeFormat (the console.log/Bun.inspect custom formatter), both gated on virtual_hosted_style && endpoint.len > 0:

S3Client.writeFormat at S3Client.zig:111 → result fed into writer.print("... \"{s}\" ...", .{bucket_name}) at line 113-117.

S3File's writeFormat at S3File.zig:5 → result fed into writer.print("... \"{s}/{s}\" ...", .{bucket_name, s3.path()}) at line 8-13.

So the trigger is:

console.log(new Bun.S3Client({ endpoint: "https://my-bucket.s3.us-east-1.amazonaws.com/prefix", virtualHostedStyle: true, }));

(or Bun.inspect(...), or util.inspect(...), or any console.log(client.file("k"))). The no-/ case — by far the common one — works correctly because indexOf("/") returns null and the orelse return endpoint[0..end] fallback fires.

Why existing safeguards don't prevent it

There is no start + 1 <= end guard, and the function's input-shape assumption (URL with https:// prefix) does not match what its only two call sites pass (host+path with no scheme). Nothing between hostWithPath and guessBucket re-adds the scheme. The R2 branch is even more exposed: end = indexOf(endpoint, ".") matches the first dot (e.g. index 6 for "bucket.account.r2.cloudflarestorage.com/p"), and any path / is at index 39+.

Impact

In Debug/ReleaseSafe builds Zig panics with "start index N is larger than end index M". In ReleaseFast (Bun's shipped build) it is undefined behaviour: the resulting slice has .ptr = endpoint.ptr + start + 1 and .len = end - (start+1) wrapped to ~2^64, which is then fed into the {s} formatter at S3Client.zig:113-117 / S3File.zig:8-13 → std.fmt walks off the end of mapped memory → segfault. A user-config-triggerable process crash from merely console.log-ing an S3Client whose endpoint has a path component — no network call required.

Step-by-step proof

endpoint: "https://my-bucket.s3.us-east-1.amazonaws.com/prefix", virtualHostedStyle: true:

credentials_jsc.zig:74-77: bun.URL.parse(...).hostWithPath() → stored credentials.endpoint = "my-bucket.s3.us-east-1.amazonaws.com/prefix" (43 bytes). url.zig:30 keeps the path because path.len > 1.

console.log(client) → S3Client.writeFormat → S3Client.zig:111: virtual_hosted_style && endpoint.len > 0 → guessBucket("my-bucket.s3.us-east-1.amazonaws.com/prefix").

credentials.zig:244: indexOf(".amazonaws.com") → matches at index 22 → enter branch.

credentials.zig:246: indexOf(".s3.") → matches at index 9 → end = 9.

credentials.zig:248: indexOf("/") → matches at index 36 → start = 36 (the orelse does not fire).

credentials.zig:251: return endpoint[36+1 .. 9] = endpoint[37..9]. 37 > 9 → Debug/ReleaseSafe: panic; ReleaseFast: .len = 9 - 37 = 18446744073709551588.

S3Client.zig:113: writer.print("... \"{s}\" ...", .{bucket_name}) reads ~2^64 bytes from endpoint.ptr+37 → segfault.

R2 trace: endpoint = "bucket.account.r2.cloudflarestorage.com/p" → line 255 end = indexOf(".") = 6; line 256 r2_start = 14 ≠ 6 → falls through to line 261 start = indexOf("/") = 39 → line 264 endpoint[40..6] → same crash.

How to fix

The cleanest fix is to drop the indexOf("/") logic entirely in both branches — since the input never has a protocol prefix, the orelse fallback return endpoint[0..end] is always the correct answer:

if (strings.indexOf(endpoint, ".s3.")) |end| { return endpoint[0..end]; }

Alternatively, guard the slice: if (start + 1 <= end) return endpoint[start+1..end] else return endpoint[0..end];. Same shape as #3203691082's recommended fix for guessRegion.

Relationship to this PR / not a duplicate

Pre-existing — the PR diff does not touch credentials.zig, S3Client.zig:111, or S3File.zig:5, and guessBucket is not on the call path of any of the six PR-modified static methods (presign/unlink/write/size/exists/stat — none of those format the blob). It is flagged because it sits ~25 lines above #3203691082's guessRegion (credentials.zig:268-282) in the same file, with the identical "two indexOf() from offset 0, no ordering guard, slice between" defect class already enumerated on this PR (#3202066971 for XML <Code>/<Message>, #3203691082 for guessRegion). #3203691082 covers guessRegion (signRequest path, signing-time crash); this is the formatter-side sibling in guessBucket — different function, different trigger surface (console.log instead of presign/upload), different gate (virtualHostedStyle: true), and a separate fix locus. None of the existing PR comments mention guessBucket, credentials.zig:248-251/261-264, virtualHostedStyle, or the writeFormat/console.log path.

claude · 2026-05-07T22:37:49Z

🟣 🟣 Pre-existing: in signRequest's bucket-guessing block (credentials.zig:388-396, reached from this PR-modified line via getPresignUrlFrom → signRequest when no bucket is configured), the inner if (backslash_index < end) branch's assignments at lines 391-392 are dead code — lines 395-396 (bucket = full_path[0..end]; path = full_path[end+1..];) run unconditionally afterward and overwrite both. So for a path like Bun.S3Client.presign("my-bucket\\folder/file.txt") with no bucket configured, the intended split (bucket=my-bucket, key=folder/file.txt) is computed and immediately clobbered to bucket=my-bucket\\folder (→ percent-encoded to my-bucket%5Cfolder), key=file.txt — the request is signed against a nonexistent bucket. The else if at line 397 (backslash-only case) and the leading-separator strip at 376-380 confirm backslash is an intended separator, so this is a missing-else overwrite, not vestigial logic. Same defect class as #2996547003 (Store.S3.path() no-op assignment). Fix: wrap lines 395-396 in an else so the backslash-first split is not clobbered.

Extended reasoning...

What the bug is and how it manifests

In signRequest's bucket-guessing block (src/s3_signing/credentials.zig:388-396), entered when !virtual_hosted_style && bucket.len == 0, the inner branch that handles "backslash before forward-slash" is unconditionally overwritten:

if (strings.indexOf(full_path, "/")) |end| { if (strings.indexOf(full_path, "\\")) |backslash_index| { if (backslash_index < end) { bucket = full_path[0..backslash_index]; // ← dead: overwritten by line 395 path = full_path[backslash_index + 1 ..]; // ← dead: overwritten by line 396 } } bucket = full_path[0..end]; // always runs path = full_path[end + 1 ..]; // always runs } else if (strings.indexOf(full_path, "\\")) |backslash_index| { bucket = full_path[0..backslash_index]; path = full_path[backslash_index + 1 ..]; }

There is no else/return/break between the inner block at 391-392 and the outer assignments at 395-396, so whenever the outer if matches (any path containing /), lines 395-396 execute regardless of whether 391-392 just ran. The clear intent — use whichever separator (/ or \) comes first as the bucket/key boundary — is defeated whenever both are present and the backslash comes first. The else if at line 397 (backslash-only path) and the leading-separator normalization at lines 376-380 both treat \ as a first-class separator, confirming that the inner branch is intended functionality, not vestigial.

The specific code path that triggers it

Bun.S3Client.presign("my-bucket\\folder/file.txt") (or any of the other PR-modified static methods — unlink/write/size/exists/stat) with no bucket configured (no bucket option, no AWS_BUCKET/S3_BUCKET env, and virtualHostedStyle not set). From the PR-modified S3File.zig:89, getPresignUrlFrom → credentialsWithOptions.credentials.signRequest(...) (S3File.zig:505) → credentials.zig:386: bucket.len == 0 → enters the guessing block.

Why existing safeguards don't prevent it

normalizeName at line 407 only trims leading/trailing separators, so the embedded backslash in "my-bucket\\folder" survives. encodeURIComponent at line 415 percent-encodes it to my-bucket%5Cfolder rather than rejecting it. Nothing downstream re-derives the bucket from the key.

Impact

When both \ and / are present in the path with the \ first, the request is signed (and sent) against bucket <prefix-up-to-/> instead of <prefix-up-to-\>. For presign, the user gets a URL pointing at a percent-encoded nonexistent bucket; for the operations that hit the network (unlink/write/size/exists/stat), the user gets NoSuchBucket / SignatureDoesNotMatch instead of the intended request. Practical exposure is narrow — backslash-as-separator in S3 paths is uncommon outside Windows-style inputs — but the dead-code analysis is unambiguous.

Step-by-step proof

Bun.S3Client.presign("my-bucket\\folder/file.txt"), no bucket/env configured:

full_path = "my-bucket\\folder/file.txt". Lines 376-380: does not start with / or \ → unchanged.

Line 386: bucket.len == 0 and !virtual_hosted_style → enter guessing block.

Line 388: indexOf(full_path, "/") → matches at index 16 → end = 16.

Line 389: indexOf(full_path, "\\") → matches at index 9 → backslash_index = 9.

Line 390: 9 < 16 → true. Lines 391-392: bucket = "my-bucket", path = "folder/file.txt". (Correct, intended result.)

Lines 395-396 run unconditionally: bucket = full_path[0..16] = "my-bucket\\folder", path = full_path[17..] = "file.txt". (Step 5's result is clobbered.)

Line 407: normalizeName("my-bucket\\folder") — embedded \ is not leading/trailing → unchanged.

Line 415: encodeURIComponent → bucket becomes "my-bucket%5Cfolder".

The presigned URL targets /my-bucket%5Cfolder/file.txt instead of /my-bucket/folder/file.txt.

How to fix

Wrap the forward-slash assignments in an else so they only run when the backslash-first split did not:

if (strings.indexOf(full_path, "/")) |end| { if (strings.indexOf(full_path, "\\")) |backslash_index| { if (backslash_index < end) { bucket = full_path[0..backslash_index]; path = full_path[backslash_index + 1 ..]; } else { bucket = full_path[0..end]; path = full_path[end + 1 ..]; } } else { bucket = full_path[0..end]; path = full_path[end + 1 ..]; } } else if (strings.indexOf(full_path, "\\")) |backslash_index| { ... }

(or equivalently, compute min(end, backslash_index) and split once).

Relationship to this PR / not a duplicate

Pre-existing — the PR diff does not touch credentials.zig, does not add new signRequest callers, and the tag-flip changes do not affect what data flows to this block. Same defect class as already-accepted #2996547003 (Store.S3.path() trailing-slash no-op — a separator-handling assignment that doesn't do what it looks like it does). On the immediate call path of every PR-modified line (S3File.zig:89 → getPresignUrlFrom → signRequest:385-403; S3File.zig:120/160/199/233/585 → executeSimpleS3Request → signRequest). None of the existing PR comments mention credentials.zig:388-396, the dead backslash branch, or backslash-vs-forward-slash bucket inference; #3203691082 (guessRegion) and #3204245320 (guessBucket) are different functions with different defects (inverted-slice crashes, not dead-code overwrite).

claude · 2026-05-08T11:32:42Z

🟣 🟣 Pre-existing: signRequest (credentials.zig:412-416, reached from this PR-modified line via getPresignUrlFrom → signRequest, and from S3File.zig:120/160/199/233/585 via executeSimpleS3Request) sizes the encoding buffers for raw S3 limits but writes percent-encoded output into them: var path_buffer: [1024]u8; path = encodeURIComponent(path, &path_buffer, false) catch return error.InvalidPath;. encodeURIComponent (credentials.zig:290-322) expands every byte outside RFC-3986 unreserved+/ to %XX (3×) and returns error.BufferTooSmall on overflow → caught as error.InvalidPath. So a valid 1024-byte UTF-8 key (AWS limit) with significant non-ASCII content — e.g. ~342 CJK chars, or any key whose encoded form exceeds 1024 bytes — is rejected by every Bun S3 API with a misleading ERR_S3_INVALID_PATH. normalized_path_buffer: [1024+63+2]u8 (line 412) similarly omits extra_path (the endpoint path component, up to ~2047 bytes per the endpoint.len < 2048 check at line 425), so path-prefixed endpoints like http://minio.local:9000/tenant-a/v1 plus a moderate key also overflow at line 452. This is a graceful failure (no crash/UB), just an undersized buffer with a misleading error. Fix: enlarge path_buffer to [1024*3]u8 and normalized_path_buffer to account for extra_path + 3× key expansion, or use a stack-fallback allocator like the signQuery branch already does. Orthogonal to this PR's tag-flip — credentials.zig is not in the diff; given the 44 pre-existing findings already here, best tracked as a follow-up issue.

Extended reasoning...

What the bug is and how it manifests

signRequest (src/s3_signing/credentials.zig:412-416) sizes its path-encoding stack buffers for the raw S3 limits but writes the percent-encoded output into them:

var normalized_path_buffer: [1024 + 63 + 2]u8 = undefined; // 1024 max key size and 63 max bucket name var path_buffer: [1024]u8 = undefined; var bucket_buffer: [63]u8 = undefined; bucket = encodeURIComponent(bucket, &bucket_buffer, false) catch return error.InvalidPath; path = encodeURIComponent(path, &path_buffer, false) catch return error.InvalidPath;

encodeURIComponent (credentials.zig:290-322) percent-encodes every byte outside RFC-3986 unreserved (A-Za-z0-9-_.~) plus / and \ to %XX (3 bytes per input byte, lines 309-316), and returns error.BufferTooSmall (lines 297/304/309) when the output buffer fills — caught here as error.InvalidPath.

There are two undersized buffers:

(a) path_buffer: [1024]u8 — AWS S3 keys may be up to 1024 raw UTF-8 bytes. A key whose percent-encoded form exceeds 1024 bytes is rejected even though the raw key is within AWS's documented limit. For non-ASCII content this happens early: a 3-byte CJK character encodes to 9 bytes (%E4%BB%B7), so ~114 CJK characters (342 raw bytes) already produces 1026 encoded bytes; ~342 spaces (342 raw bytes → 1026 encoded) likewise overflows.

(b) normalized_path_buffer: [1089]u8 — the inline comment accounts for key (1024) + bucket (63) + 2 separators, but the bufPrint at line 452 writes "{s}/{s}/{s}", .{extra_path, bucket, path}, where extra_path = this.endpoint[index..] (line 429) is the endpoint's path component. The only bound on the endpoint is endpoint.len < 2048 (line 425), so extra_path can be up to ~2047 bytes. A path-prefixed endpoint like http://minio.local:9000/tenant-a/storage/v1 plus a moderate-length key overflows here.

(bucket_buffer: [63]u8 has the same shape issue but is fine in practice — bucket names are restricted to [a-z0-9.-], all unreserved.)

The specific code path that triggers it

Every Bun S3 API reaches signRequest. From the PR-modified lines: S3File.zig:89 → getPresignUrlFrom → S3File.zig:505 → signRequest; S3File.zig:120/160/199/233/585 → executeSimpleS3Request (simple_request.zig:378) → signRequest. Also reachable from every S3Client.zig instance method, Bun.s3()/Bun.file("s3://..."), fetch("s3://..."), and MultiPartUpload.

Why existing safeguards don't prevent it

encodeURIComponent correctly bounds-checks (lines 297/304/309), so this is a graceful failure — no overflow, crash, or UB. But there is no fallback to a larger buffer, and the surfaced error (ERR_S3_INVALID_PATH: "Invalid path" via throwSignError) is misleading: the path is valid per AWS, the buffer is just too small for its encoded form. Nothing upstream limits the key to "1024 bytes after percent-encoding" — the user's key flows to signRequest verbatim from Store.S3.path().

Impact

Valid S3 object keys with significant non-ASCII content — CJK filenames, emoji, spaces/punctuation-heavy keys, URL-encoded user content — are rejected by every Bun S3 API (presign/unlink/write/size/exists/stat/download/list/multipart) with a misleading "Invalid path" error, despite being well within AWS's documented 1024-byte key limit. Same for path-style/MinIO/tenant-prefixed endpoints with non-trivial path prefixes. This is a functional limitation, not a memory-safety issue.

Step-by-step proof

Bun.S3Client.presign("价格表/" + "文".repeat(120), { bucket: "b", accessKeyId: "x", secretAccessKey: "y", });

The key is "价格表/" (10 bytes: 3×3 + 1) + 120 × "文" (3 bytes each) = 370 raw UTF-8 bytes — well under AWS's 1024-byte limit.

S3File.presign → constructS3FileInternalStore → store with pathlike = the key. Tag-flip at S3File.zig:87. getPresignUrlFrom (line 89) → signRequest (line 505).

credentials.zig:416: encodeURIComponent(path, &path_buffer /* [1024]u8 */, false). The 9 CJK bytes in "价格表" encode to 27; the / passes through (1 byte); each "文" (3 bytes) encodes to 9. Total encoded length = 27 + 1 + 120×9 = 1108 bytes.

After writing 1023 bytes, the next iteration hits line 309: if (written + 3 > buffer.len) → 1023 + 3 > 1024 → returns error.BufferTooSmall.

credentials.zig:416: catch return error.InvalidPath.

getPresignUrlFrom (S3File.zig:514) catches sign_err → S3.throwSignError(error.InvalidPath, globalThis) → user sees ERR_S3_INVALID_PATH: "Invalid path" for a key that AWS would accept.

For (b): endpoint: "http://minio.local:9000/tenants/acme-corp/storage/v1" (path component /tenants/acme-corp/storage/v1, 29 bytes) + bucket "my-bucket" (9) + an encoded key of 1024 bytes → bufPrint at line 452 needs 29+1+9+1+1024 = 1064 bytes into a 1089-byte buffer (fits) — but with a longer tenant prefix or a 3×-expanded key the 1089-byte ceiling is easily exceeded, again surfacing as error.InvalidPath.

How to fix

Enlarge path_buffer to [1024*3]u8 (worst-case 3× expansion of a 1024-byte key) and normalized_path_buffer to [1024*3 + 63 + 2048 + 2]u8 (encoded key + bucket + max extra_path + separators). Alternatively, switch to a std.heap.stackFallback/heap allocator the way the signQuery branch already does for its query-param assembly (credentials.zig:527/590), so over-long inputs allocate instead of failing.

Relationship to this PR / not a duplicate

Pre-existing — the PR diff (six path_or_blob = .{ .blob = blob } tag-flips in S3File.zig + a test) does not touch credentials.zig, does not add new signRequest callers, and does not change what data flows there. The connection is purely transitive (every PR-modified function called signRequest before the PR too). None of the 44 existing comments mention path_buffer/normalized_path_buffer/bucket_buffer, the percent-encoding 3× expansion, credentials.zig:412-416, or non-ASCII-key rejection — the closest are #3204867198 (params_buffer for upload_id, a different buffer with a different mechanism: catch unreachable crash), #3203691088 (tmp_buffer cache-key corruption), and #3205087624 (the bucket-guessing dead code at 388-396, ~20 lines above). Given the volume of pre-existing S3-subsystem findings already on this PR, this is best tracked as a follow-up issue rather than blocking the memory-safety fix.

claude · 2026-03-26T20:34:25Z

🔴 The double-free fix was applied to S3File.zig static methods but not to the structurally identical S3Client.zig instance methods (presign, exists, size, stat, write, unlink). In those methods, errdefer path.deinit() remains armed after constructS3FileWithS3CredentialsAndOptions succeeds and the store aliases the original path buffer — if any downstream call (e.g. getPresignUrlFrom with a throwing method getter) throws, both defer blob.detach() and errdefer path.deinit() fire on the same memory, causing use-after-poison. Apply the same path_or_blob = .{ .blob = blob } neutralization pattern to the corresponding .path => branches in all six S3Client.zig instance methods.

Extended reasoning...

What the bug is and how it manifests

The PR fixes a double-free in S3File.zig static methods (e.g. presign, unlink, write, size, exists, stat) by adding path_or_blob = .{ .blob = blob } after constructS3FileInternalStore succeeds. This changes the union tag so the outer errdefer (which only fires when path_or_blob == .path) is disabled once the store takes ownership. However, the structurally identical pattern in S3Client.zig instance methods was not updated — errdefer path.deinit() remains always armed after blob construction succeeds.

The specific code path that triggers it

In each S3Client.zig instance method (e.g. presign):

PathLike.fromJS(...) allocates an encoded_slice (pointer A).

errdefer path.deinit() is registered — no disabling mechanism exists.

constructS3FileWithS3CredentialsAndOptions(...) succeeds; inside, Blob.Store.initS3 stores pathlike directly (no clone for the non-allocated case), aliasing pointer A into the store.

defer blob.detach() is registered with store.ref_count = 1.

A downstream call (e.g. getPresignUrlFrom with a method getter that throws) raises a JS error.

Why existing code does not prevent it

The path_or_blob = .{ .blob = blob } assignment that disables the errdefer in S3File.zig is absent from S3Client.zig. There is no other mechanism to communicate to the outer errdefer that ownership has already been transferred. The S3File.zig fix is purely call-site level — it works because it resets the union tag after the successful constructor return — but S3Client.zig was never updated with the equivalent reset.

Impact

All six S3Client instance methods are affected: presign, exists, size, stat, write, unlink. The crash is deterministic and user-triggerable from JavaScript without any special permissions or credentials.

How to fix

In each S3Client.zig instance method, add the ownership-transfer line immediately after constructS3FileWithS3CredentialsAndOptions succeeds, neutralizing the errdefer path.deinit() the same way the static methods do it:

var blob = try constructS3FileWithS3CredentialsAndOptions(...); path_neutralized = blob; // or equivalent tag-flip to disable errdefer defer blob.detach();

Step-by-step proof (concrete trigger for presign)

const client = new Bun.S3Client({ bucket: "test" }); client.presign("mykey", { get method() { throw new Error("boom"); } });

PathLike.fromJS allocates encoded_slice for "mykey" → pointer A.

errdefer path.deinit() armed.

constructS3FileWithS3CredentialsAndOptions succeeds; store aliases pointer A (pathlike.encoded_slice = pointer A).

defer blob.detach() registered; store.ref_count = 1.

getPresignUrlFrom calls options.getTruthyComptime(globalObject, "method") → invokes the getter → throws Error("boom").

defer blob.detach() fires → store.deref() → ref 1→0 → store.deinit() → s3.deinit() → pathlike.deinit() → frees pointer A.

errdefer path.deinit() fires (because error occurred) → path.deinit() → frees pointer A again → use-after-poison.

claude · 2026-05-07T05:57:06Z

🟣 🟣 Pre-existing companion to #3194798988: Store.S3.listObjects (Store.zig:415-430) has the identical defect — jsc.JSPromise.Strong.init(globalThis) at line 415 is followed by two fallible user-driven try calls (getCredentialsWithOptions at 419, getListObjectsOptionsFromJS at 422) with no errdefer promise.deinit(), plus store.ref() at 423 with no errdefer store.deref(). A throwing getter on prefix/accessKeyId/etc. leaks one Bun__StrongRef + permanently-rooted JSPromise per call (and a partially-populated S3ListObjectsOptions). When applying #3194798988's fix to unlink, apply the same hoist-or-errdefer fix to listObjects ~60 lines below.

Extended reasoning...

What the bug is

Store.S3.listObjects in src/runtime/webcore/blob/Store.zig is the structural sibling of Store.S3.unlink (already flagged in comment #3194798988) and has the identical JSPromise.Strong leak, plus two additional resources on the same error path:

// Store.zig:415-430 const promise = jsc.JSPromise.Strong.init(globalThis); // heap-allocates Bun__StrongRef, GC-roots a JSPromise const value = promise.value(); ... var aws_options = try this.getCredentialsWithOptions(extra_options, globalThis); // ← (1) can throw JSError defer aws_options.deinit(); const options = try bun.S3.getListObjectsOptionsFromJS(globalThis, listOptions); // ← (2) can throw JSError store.ref(); // ← no errdefer store.deref() try bun.S3.listObjects(..., bun.new(Wrapper, .{ .promise = promise, // ← only sink for promise .store = store, .resolvedlistOptions = options, ... }), proxy);

There is no errdefer promise.deinit() between line 415 and the Wrapper.new sink at line 425, no errdefer options.deinit() between 422 and 425, and no errdefer store.deref() after 423.

The specific code path that triggers it

Both fallible calls read user-controlled JS properties:

Line 419 — getCredentialsWithOptions (→ S3Credentials.getCredentialsWithOptions, credentials_jsc.zig) reads ~15 option properties (accessKeyId, secretAccessKey, region, endpoint, bucket, sessionToken, …) via try opts.getTruthyComptime(...) / getOptional. Any throwing getter or Proxy trap raises error.JSError.

Line 422 — getListObjectsOptionsFromJS (list_objects.zig:523+) reads continuationToken, delimiter, encodingType, fetchOwner, maxKeys, prefix, startAfter via try listOptions.getTruthyComptime(...). Any of these can throw, and the function has no internal errdefer for the partially-populated S3ListObjectsOptions (e.g. an allocated _continuation_token leaks if a later property getter throws).

If either propagates error.JSError, the Bun__StrongRef heap allocation and the GC-rooted JSPromise from line 415 are never released. If (2) succeeds but bun.S3.listObjects at line 425 fails, the inline bun.new(Wrapper, ...) argument has already evaluated and the entire Wrapper (promise + store ref + options) leaks too.

Why existing code does not prevent it

The only sink for promise is the move into bun.new(Wrapper, ...) at line 425; Wrapper.deinit() (line 403-408) is the only place promise.deinit() / store.deref() / resolvedlistOptions.deinit() are called, and reaching it requires bun.S3.listObjects to have started successfully. value at line 416 is just a JSValue handle, not an owner. Comment #3194798988 covers Store.S3.unlink only — its suggested fix (errdefer promise.deinit() after line 357, or hoisting getCredentialsWithOptions above the Strong init) does not touch listObjects.

Impact

Each S3Client#list(...) / Bun.S3Client.list(...) call where any list-option or credential-option getter throws leaks:

One native Bun__StrongRef C++ heap allocation.

One permanently-rooted JSPromise in the JSC GC (never collectable).

If the throw is in getListObjectsOptionsFromJS after the first property: any already-allocated S3ListObjectsOptions strings.

Repeat in a loop and both native and JS heap grow unboundedly. Reachable via S3Client.zig:listObjects (instance) and S3Client.zig:staticListObjects → constructS3FileWithS3Credentials → Store.S3.listObjects.

Step-by-step proof

new Bun.S3Client({ bucket: "b" }).list({ get prefix() { throw new Error("boom"); } });

S3Client.listObjects (S3Client.zig:~244) constructs a temporary S3 blob and calls blob.store.?.data.s3.listObjects(store, globalThis, listOptions, options).

Line 415: jsc.JSPromise.Strong.init(globalThis) → Bun__StrongRef__new allocates a native StrongRef and roots a fresh JSPromise in the GC.

Line 419: getCredentialsWithOptions(extra_options, globalThis) succeeds (extra_options is null or a plain object).

Line 422: getListObjectsOptionsFromJS(globalThis, listOptions) reads listOptions.prefix via getTruthyComptime → invokes the getter → throws → error.JSError propagates out of the try.

No errdefer promise.deinit() is registered. bun.new(Wrapper, ...) at line 425 is never reached.

error.JSError returns to the caller. The StrongRef native allocation and the rooted JSPromise are leaked permanently.

The same trace applies with Bun.S3Client.list({}, { get accessKeyId() { throw 0 } }) failing at step 3 instead of step 4.

How to fix

Either:

Hoist both fallible calls (getCredentialsWithOptions, getListObjectsOptionsFromJS) and store.ref() above jsc.JSPromise.Strong.init, so the Strong is only created once nothing else can throw before Wrapper.new; or

Add errdefer promise.deinit(); after line 415, errdefer options.deinit(); after line 422, and errdefer store.deref(); after line 423 (changing const promise → var promise and clearing it after the move, or using a disarm flag).

Relationship to this PR / not a duplicate

This is pre-existing — the PR diff does not touch listObjects or any of its callers. It is flagged because (a) it is the immediate sibling (~60 lines below) of comment #3194798988 (Store.S3.unlink), which is already on this PR — applying that fix to unlink alone leaves this identical leak in listObjects; (b) it is triggered by exactly the throwing-options-getter scenario this PR's fix and regression test revolve around; and (c) S3Client.staticListObjects routes through constructS3FileWithS3Credentials, the same constructor whose ownership this PR's tag-flip protects. Comment #3194798988 mentions only unlink, so this is not a duplicate.

claude · 2026-05-07T10:40:40Z

🟣 Pre-existing companion to #3199168443: when fixing getListObjectsOptionsFromJS per that comment, also add defer str.deref(); after each const str = try bun.String.fromJS(val, globalThis) at list_objects.zig:525/536/547/568/579. bun.String.fromJS returns a +1 WTFStringImpl ref the caller must release, and str.toUTF8() takes its own independent ref (wtf.zig:114-117) — it does not consume str's — so each string option leaks one WTFStringImpl ref on every successful S3Client.list({prefix:..., continuationToken:...}) call. The structurally identical blocks in credentials_jsc.zig:25/40/55/70/98/119/188/207/226 all correctly include defer str.deref().

Extended reasoning...

What the bug is

Inside getListObjectsOptionsFromJS (src/runtime/webcore/s3/list_objects.zig:523-586), each of the five string-option blocks — continuationToken (525), delimiter (536), encodingType (547), prefix (568), startAfter (579) — does:

const str = try bun.String.fromJS(val, globalThis); if (str.tag != .Empty and str.tag != .Dead) { listObjectsOptions._X = str.toUTF8(bun.default_allocator); ... }

with no defer str.deref(). bun.String.fromJS (bun_string_jsc.zig:36-41 → BunString__fromJS → Bun::fromJS, BunString.cpp:196-208) ends with auto impl = str.releaseImpl(); return {…, .wtf = impl.leakRef()} — i.e. the returned bun.String holds a +1 ref on the WTFStringImpl that the caller is responsible for releasing via str.deref().

str.toUTF8() (string.zig:690-692, .WTFStringImpl arm → WTFStringImpl.toUTF8, wtf.zig:125-138) does not consume that ref. For a pure-ASCII Latin1 string, toUTF8FromLatin1 returns null and execution falls through to toLatin1Slice() (wtf.zig:114-117), which does this.ref() and returns a ZigString.Slice tagged with refCountAllocator. So the slice stored in listObjectsOptions._X carries its own independent +1 ref; str's +1 from fromJS is separate and never released.

Why this is the buggy block, not the canonical pattern

The structurally identical option-parsing blocks in S3Credentials.getCredentialsWithOptions (credentials_jsc.zig:24-25, 39-40, 54-55, 69-70, 97-98, 118-119, 187-188, 206-207, 225-226) all include defer str.deref(); on the line immediately after const str = try bun.String.fromJS(...). That establishes the canonical ownership contract for this exact pattern in the same subsystem; list_objects.zig simply omits it in all five blocks.

Impact

One WTFStringImpl ref leaked per string option provided, on every call — success path included. Reachable via both S3Client#list(...) (S3Client.zig:~244) and Bun.S3Client.list(...) (S3Client.zig:~320) → Store.S3.listObjects → getListObjectsOptionsFromJS. A long-running process that paginates with continuationToken in a loop leaks unboundedly.

This is distinct from #3199168443, which covers the wrapper-side JSPromise.Strong / store.ref() / partial-S3ListObjectsOptions leaks in Store.S3.listObjects on the error path. This leak is a different resource (the bun.String ref) inside getListObjectsOptionsFromJS itself, and it fires unconditionally on the success path too.

Step-by-step proof — new Bun.S3Client({bucket:'b'}).list({prefix:'abc'})

S3Client.listObjects → Store.S3.listObjects → getListObjectsOptionsFromJS(globalThis, {prefix:'abc'}).

list_objects.zig:566: getTruthyComptime('prefix') → JSValue for 'abc'. Line 567: isString() → true.

Line 568: bun.String.fromJS → BunString.cpp:206-208 releaseImpl().leakRef() → str = {.WTFStringImpl, impl A}; A.rc += 1.

Line 571: str.toUTF8(allocator) → wtf.zig:131 falls through to toLatin1Slice() → wtf.zig:116 this.ref() → A.rc += 1; returns a refCountAllocator-tagged slice. listObjectsOptions._prefix holds this slice (its own +1).

Block ends. No defer str.deref(). str's +1 from step 3 is never released.

Function returns; later Wrapper.deinit() → resolvedlistOptions.deinit() → _prefix.deinit() → A.rc -= 1 (releases step 4's ref only).

Net: A.rc is permanently +1 over baseline. The WTFStringImpl is leaked.

How to fix

Add defer str.deref(); immediately after each const str = try bun.String.fromJS(val, globalThis); at list_objects.zig:525, 536, 547, 568, 579, matching the credentials_jsc.zig pattern.

Relationship to this PR

Pre-existing — the PR diff does not touch list_objects.zig or any listObjects caller. Flagged here because existing comment #3199168443 already directs the author to edit exactly this function (for the missing errdefer listObjectsOptions.deinit() / wrapper-side leaks), and adding defer str.deref() fixes both leaks in one pass. It is in the same "S3 option-parsing resource ownership" defect class this PR revolves around. Anchored at S3File.zig:118 alongside #3199168443.

claude · 2026-05-07T20:21:54Z

🟣 🟣 Pre-existing companion to #3199168443/#3200790781 — the response-side parser those request-side leaks feed into: parseS3ListObjectsResult (list_objects.zig:203-206) has an off-by-delete_result_pos loop bound: var i: usize = 0; while (i < xml[delete_result_pos..].len) { if (xml[i] != '<') .... The bound evaluates to xml.len - delete_result_pos but the body indexes xml[i] from offset 0, so the outer loop stops scanning delete_result_pos bytes (~38-40 for the AWS <?xml...?> preamble, more for servers with DOCTYPE/comments) before the end of the body. Any top-level element (<IsTruncated>, <NextContinuationToken>, <CommonPrefixes>) whose opening < falls in that tail window is silently dropped — e.g. a missed <IsTruncated>true makes the user's pagination loop terminate early with no error. The misnamed delete_result_pos (in a list parser) confirms copy-paste origin. Fix: change line 205 to while (i < xml.len). None of the existing comments mention parseS3ListObjectsResult/delete_result_pos/line 205.

Extended reasoning...

What the bug is

parseS3ListObjectsResult (src/runtime/webcore/s3/list_objects.zig:203-206) — reached from S3Client#list()/Bun.S3Client.list() via Store.S3.listObjects → bun.S3.listObjects → S3HttpSimpleTask.onResponse (simple_request.zig:269) — has a loop-bound off-by-delete_result_pos error:

// list_objects.zig:203-206 if (strings.indexOf(xml, "<ListBucketResult")) |delete_result_pos| { var i: usize = 0; while (i < xml[delete_result_pos..].len) { // = xml.len - delete_result_pos if (xml[i] != '<') { // indexes xml[i], NOT xml[delete_result_pos + i]

delete_result_pos is the offset of <ListBucketResult in the body (≈38-40 for AWS, after the <?xml ...?> preamble). The loop bound xml[delete_result_pos..].len evaluates to xml.len - delete_result_pos, but every indexing operation inside the outer loop reads xml[i] / xml[i+1..] from offset 0, not from delete_result_pos. So the outer loop scans xml[0 .. xml.len - delete_result_pos) — wastefully re-scanning the XML preamble (harmless) and stopping delete_result_pos bytes before the end of the response.

The variable name delete_result_pos (for a list parser) and the suffix-length-as-end-position confusion strongly suggest this was copy-pasted from a delete-result parser and never adapted.

Concrete consequence

Any top-level element whose opening < falls in the last delete_result_pos bytes of the body is silently dropped from the result — no error, no warning. For real AWS responses (delete_result_pos ≈ 39, trailing </ListBucketResult> = 19 bytes), the at-risk window is the ~20 bytes immediately before the closing root tag — narrow but nonzero. For S3-compatible servers that emit a longer preamble (DOCTYPE, comments, extra whitespace before <ListBucketResult), the truncated region grows proportionally and can swallow an entire trailing <CommonPrefixes> or <IsTruncated> element.

The inner <Contents> sub-loop (line 234+) is bounded by i >= xml.len and uses indexOf(xml[i..], ...) over the full remainder, so once a <Contents> block is entered it is parsed correctly even if it extends into the truncated region — only top-level elements whose opening < is past xml.len - delete_result_pos are lost.

Why existing safeguards do not prevent it

There is no other parse pass over the truncated tail. S3ListObjectsV2Result.toJS() reports only what parseS3ListObjectsResult populated, so e.g. a dropped <IsTruncated>true</IsTruncated> yields result.isTruncated === undefined and the user's pagination loop terminates early with no indication that more keys exist.

Step-by-step proof

Body (167 bytes total): <?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n\n<ListBucketResult><Name>b</Name><KeyCount>0</KeyCount><IsTruncated>true</IsTruncated></ListBucketResult> — preamble before <ListBucketResult is 67 bytes.

Line 203: indexOf(xml, "<ListBucketResult") → delete_result_pos = 67.

Line 205: loop bound = xml[67..].len = 167 - 67 = 100. i starts at 0.

The outer loop scans xml[0..100). <IsTruncated> opens at offset 122, which is ≥ 100 → the outer loop never reaches it.

result.is_truncated stays null. toJS() skips the isTruncated property entirely.

The user's pagination loop sees result.isTruncated falsy → stops, silently missing all remaining keys in the bucket.

(For canonical AWS preambles the window is narrower but the math is identical; any element opening within delete_result_pos bytes of the end is lost.)

How to fix

Change line 205 to while (i < xml.len) { — the body already indexes xml[i] from 0, so the only change needed is the bound. Optionally also initialize var i: usize = delete_result_pos; to skip the wasted preamble re-scan.

Relationship to this PR / not a duplicate

Pre-existing — the PR diff does not touch list_objects.zig or any listObjects caller, and S3Client.list() is not among the six PR-modified static methods. Flagged because (a) two existing comments on this PR (#3199168443, #3200790781) already direct the author into getListObjectsOptionsFromJS in this same file, ~300 lines below, and into Store.S3.listObjects which calls this parser via onResponse; (b) it is a correctness bug (silent data loss) rather than a leak; and (c) it is the response-side counterpart to those request-side listObjects defects. None of the existing comments mention parseS3ListObjectsResult, delete_result_pos, the loop bound at line 205, or <ListBucketResult> parsing.

claude · 2026-05-07T21:05:23Z

🟣 🟣 Pre-existing companion to #3204455695 (loop bound at line 205), ~80 lines below in the same function: the per-<Contents> loop heap-allocates an XML-entity-decoded ETag at list_objects.zig:284 (bun.default_allocator.alloc(u8, size)) and sets etag_owned = true (line 290), but the only sink (contents.append at line 382-392) is gated on if (object_key) |...| at line 363 with no else-branch and no defer/errdefer. A <Contents> block with <ETag>"..."</ETag> but no <Key> leaks the allocation; a second <ETag> in the same block overwrites etag and leaks the first. Same malformed-server-response threat model as #3202066971/#3204455695. Fix: add else if (etag_owned) { if (etag) |e| bun.default_allocator.free(e); } after line 393, and free any prior owned etag before reassigning at line 284. Not on the call path of any PR-modified static method; flagged because #3204455695 already directs the author into this function.

Extended reasoning...

What the bug is

In parseS3ListObjectsResult (src/runtime/webcore/s3/list_objects.zig), the per-<Contents> inner loop heap-allocates a buffer for the XML-entity-decoded ETag at line 284:

} else if (strings.eql(inner_tag_name_or_tag_end, "ETag")) { if (strings.indexOf(xml[i..], "</ETag>")) |__tag_end| { const input = xml[i .. i + __tag_end]; const size = std.mem.replacementSize(u8, input, """, "\""); var output = try bun.default_allocator.alloc(u8, size); // ← line 284, heap alloc const len = std.mem.replace(u8, input, """, "\"", output); if (len != 0) { etag = output[0 .. input.len - len * 5]; etag_owned = true; // ← line 290, marks as owned } else { bun.default_allocator.free(output); etag = input; }

The only sink for an owned etag is the contents.append(.{ .etag = ... }) at lines 382-392, which is gated on if (object_key) |object_key_val| at line 363. There is no defer/errdefer freeing etag between line 284 and line 382, and no else branch on the if (object_key) check.

Two leak paths

(a) <Contents> without <Key> — if a <Contents> block contains <ETag>"abc"</ETag> (so etag_owned = true) but no <Key> element, object_key stays null at line 363, the append is skipped, and the heap allocation from line 284 is leaked. The next outer-loop iteration declares fresh locals (lines 221-232).

(b) Multiple <ETag> per <Contents> — if a <Contents> block contains two <ETag>"..."</ETag> elements, the second hit re-runs lines 280-297 and overwrites etag with a new allocation without checking/freeing the prior one; the first allocation has no other reference and is leaked.

Both require a malformed/non-conformant S3 response — same threat model as already-accepted comments #3202066971 (close-tag-before-open-tag XML crash) and #3204455695 (longer XML preamble truncation in this same function), since endpoint is a first-class user option (MinIO/R2/LocalStack/proxies).

Why existing safeguards don't prevent it

The per-<Contents> locals at lines 221-232 are plain stack vars with no cleanup; ownership only transfers when execution reaches line 384's if (etag_owned) .fromRawIn(etag_, .init()) else .... Nothing else holds the line-284 allocation. S3ListObjectsV2Result.deinit() (lines 65-73) only frees what made it into result.contents. There is no errdefer covering the allocation, and the <ETag> branch does not check if (etag_owned) before reassigning.

Step-by-step proof — case (a)

S3-compatible endpoint returns 200 with body containing ...<Contents><ETag>"d41d8cd9"</ETag><Size>0</Size></Contents>... (no <Key>):

simple_request.zig:269: parseS3ListObjectsResult(body.slice()).

Outer loop reaches <Contents> → enters inner loop at line 234 with object_key = null, etag = null, etag_owned = false (lines 221, 225-226).

Inner loop hits <ETag>: input = ""d41d8cd9"" (20 bytes). replacementSize = 10. Line 284: output = bun.default_allocator.alloc(u8, 10) → heap ptr E. replace returns 2 (two " replaced). Line 289: etag = E[0..10], line 290: etag_owned = true.

Inner loop hits <Size> → sets object_size = 0.

Inner loop hits </Contents> → looking_for_end_tag = false, exits at line 246.

Line 363: if (object_key) |object_key_val| → object_key == null → block skipped, append at line 382 never runs. There is no else-branch.

Outer loop continues to next tag. Locals etag/etag_owned go out of scope. E is leaked.

list_result.deinit() later frees only what's in result.contents — E was never appended.

Repeat per malformed <Contents> block; unbounded over a long-running process polling a buggy S3-compatible endpoint.

Impact

A small heap leak (one allocation of replacementSize bytes ≈ ETag length) per malformed <Contents> block in the response. Bounded per request but unbounded over a long-running process that periodically calls S3Client.list() against a non-conformant or buggy S3-compatible endpoint. Lower severity than the crashes in #3202066971/#3203691082 since well-formed AWS/R2/MinIO responses always include <Key> and a single <ETag> per <Contents>.

How to fix

After the inner while (looking_for_end_tag) loop (after line 393), add an else-branch freeing the owned etag when it won't be appended:

if (object_key) |object_key_val| { ... try contents.append(.{ ..., .etag = ... }); } else if (etag_owned) { if (etag) |e| bun.default_allocator.free(e); }

and inside the <ETag> branch, free any prior owned allocation before reassigning (e.g. if (etag_owned) { if (etag) |e| bun.default_allocator.free(e); etag = null; etag_owned = false; } immediately before line 283) to handle case (b). Also note that try contents.append(...) at line 382 itself can fail (OOM), which would also leak the owned etag — an errdefer covering both would be more robust.

Relationship to this PR / not a duplicate

Pre-existing — the PR diff does not touch list_objects.zig and listObjects is not among the six PR-modified static methods (presign/unlink/write/size/exists/stat). Flagged because it sits ~80 lines below #3204455695's fix locus (line 205 loop bound) in the same function the author is already directed to edit by three existing comments (#3204455695: line 205 loop bound; #3200790781: getListObjectsOptionsFromJS str.deref leaks; #3199168443: Store.S3.listObjects wrapper leaks). None of those mention etag_owned, line 284's allocation, the object_key == null skip at line 363, or multiple-<ETag> handling — #3204455695 covers the outer-loop bound, this covers the inner-loop resource. Anchored at S3File.zig:118 alongside the other listObjects-family comments.

claude · 2026-05-06T10:42:10Z

🟣 Pre-existing: Store.S3.unlink (Store.zig:357-361) — called directly from this PR-modified S3File.unlink at line 120 — creates jsc.JSPromise.Strong.init(globalThis) before the fallible try this.getCredentialsWithOptions(extra_options, globalThis), with no errdefer promise.deinit() between them. A throwing options getter (e.g. { get accessKeyId() { throw 0 } }) leaks one Bun__StrongRef native allocation and permanently roots the JSPromise in the GC on every call. Fix: add errdefer promise.deinit(); immediately after line 357, or hoist getCredentialsWithOptions above the JSPromise.Strong.init call.

Extended reasoning...

What the bug is

Store.S3.unlink in src/runtime/webcore/blob/Store.zig creates a strong JS promise root before doing fallible work that reads user-controlled option properties, with no cleanup on the error path:

// Store.zig:357-368 const promise = jsc.JSPromise.Strong.init(globalThis); // heap-allocates Bun__StrongRef, roots promise in GC const value = promise.value(); const proxy_url = ...; const proxy = ...; var aws_options = try this.getCredentialsWithOptions(extra_options, globalThis); // ← can throw JSError defer aws_options.deinit(); store.ref(); try bun.S3.delete(&aws_options.credentials, this.path(), ..., Wrapper.new(.{ .promise = promise, // ← only sink for promise — never reached on error ... }), ...);

jsc.JSPromise.Strong.init (Strong.zig:49-51) calls Impl.init → Bun__StrongRef__new, a C++ heap allocation that registers the promise as a GC root. The only place this root is ever released is Wrapper.deinit() (line 353: wrap.promise.deinit()), which requires execution to reach Wrapper.new(...) at line 365-368. There is no errdefer promise.deinit() between line 357 and line 365.

The specific code path that triggers it

getCredentialsWithOptions (Store.zig:309 → S3Credentials.getCredentialsWithOptions in credentials_jsc.zig:5-247) reads ~15 user-controlled option properties — accessKeyId, secretAccessKey, region, endpoint, bucket, sessionToken, etc. — via try opts.getTruthyComptime(...) / getOptional / getBooleanStrict. Any of these can throw error.JSError if the user supplies a throwing getter or Proxy trap. When that happens, the try at line 361 propagates the error and the Strong root at line 357 is never released.

There is also a secondary leak: if try bun.S3.delete(...) at line 365 itself fails after Wrapper.new(...) has evaluated, the entire Wrapper (promise + the store.ref() from line 363) leaks as well.

Why existing code does not prevent it

The only sink for promise is the move into Wrapper.new(...) at lines 365-368. value at line 358 is just a JSValue handle, not an owner. There is no errdefer for promise anywhere in the function, and promise is declared const so it cannot be neutralized after the move. Nothing on the error-propagation path between lines 357 and 365 releases the Strong root.

Impact

Each call to .unlink(options) on an S3-backed blob/file where any option-property read throws leaks:

One native Bun__StrongRef C++ heap allocation.

One permanently-rooted JSPromise in the JSC GC (plus its reaction chain, if any).

This is reachable from both branches of the PR-modified S3File.unlink: the .blob branch (line 122) calls blob.store.?.data.s3.unlink(...) directly with the user's options, and the .path branch reaches it at line 120 immediately after the new tag-flip at line 118. It is also reachable via Bun.file("s3://...").unlink(opts) and the S3Client instance unlink.

Step-by-step proof

const f = Bun.file("s3://bucket/key"); await f.unlink({ get accessKeyId() { throw new Error("boom"); } }).catch(() => {});

Blob.unlink / S3File.unlink reaches Store.S3.unlink(store, globalThis, options) with the throwing options object.

Line 357: jsc.JSPromise.Strong.init(globalThis) → Bun__StrongRef__new allocates a native StrongRef and roots a fresh JSPromise in the GC.

Line 361: try this.getCredentialsWithOptions(options, globalThis) → reads options.accessKeyId → getter throws → error.JSError propagates.

No errdefer for promise is registered. Wrapper.new at line 365 is never reached.

error.JSError returns to the caller. The StrongRef native allocation and the rooted JSPromise are leaked permanently — the promise is never collectable because the GC root list still holds it.

Repeat in a loop and both native heap and JS heap grow unboundedly.

How to fix

Either:

Add errdefer promise.deinit(); immediately after line 357 (requires changing const promise to var promise so it can be moved-and-cleared into Wrapper.new, or use a local flag to disarm the errdefer after the move), or

Hoist the fallible getCredentialsWithOptions call (and store.ref()) above jsc.JSPromise.Strong.init, so the Strong is only created once nothing else can throw before Wrapper.new.

Relationship to this PR

This is pre-existing — the PR diff does not modify Store.zig. It is flagged here because (a) it sits on the immediate call path of S3File.unlink, which the PR edits one line above at S3File.zig:118, and (b) it is triggered by exactly the throwing-options-getter scenario that this PR's discussion, fix, and regression test revolve around. It is not a duplicate of any existing comment on this PR (the open comments cover the path double-free, the Store.zig clone, S3Client instance methods, and test gaps — none cover the JSPromise.Strong leak in Store.S3.unlink).

claude · 2026-05-07T14:11:10Z

🟣 🟣 Pre-existing: the S3 response handler reached from every PR-modified static method (S3File.zig:120/160/199/233/585 → executeSimpleS3Request → onResponse → errorWithBody) parses error XML by independently scanning the whole body for the open and close tags, then slicing between them with no bounds check — e.g. simple_request.zig:163-165: if (indexOf(bytes, "<Code>")) |start| { if (indexOf(bytes, "</Code>")) |end| { code = bytes[start + "<Code>".len .. end];. A body like "</Code><Code>X" yields start=7, end=0 → bytes[13..0] → runtime panic in Debug/ReleaseSafe and UB (underflowed .len, wild OOB read) in ReleaseFast. The same defect exists for <Message> (simple_request.zig:169-173/206-210, download_stream.zig:107-112) and <UploadId> (multipart.zig:496-498). Secondarily, simple_request.zig:213 has an operator-precedence bug: if (!has_error and status == 200 or status == 206) parses as ((!has_error and status == 200) or status == 206), so a 206 with <Error> is treated as success. Fix: search for the closing tag starting after the open tag (indexOf(bytes[after..], "</Code>")) and parenthesise line 213.

Extended reasoning...

What the bug is and how it manifests

The S3 response handlers parse error XML by independently scanning the whole response body for the open and close tags, then slicing between them with no bounds check ensuring the close tag was found after the open tag:

// simple_request.zig:163-165 (errorWithBody) if (strings.indexOf(bytes, "<Code>")) |start| { if (strings.indexOf(bytes, "</Code>")) |end| { code = bytes[start + "<Code>".len .. end];

Both indexOf calls scan from offset 0 of the same buffer, so if the closing tag occurs before the opening tag in the response body, the slice expression has start_index > end_index. In Zig this is a runtime panic ("start index N is larger than end index M") in Debug/ReleaseSafe builds, and undefined behaviour in ReleaseFast — the resulting slice has .len underflowed to ~2^64 - (start - end), which is then passed to callback.fail → err.toJSWithAsyncStack → string formatting, producing a wild out-of-bounds read / segfault.

Affected sites

The same unguarded pattern appears at:

errorWithBody: simple_request.zig:163-165 (<Code>), 169-171 (<Message>)

failIfContainsError: simple_request.zig:201-203 (<Code>), 206-208 (<Message>)

S3DownloadStreamWrapper.callback: download_stream.zig:101-103 (<Code>), 107-109 (<Message>)

MultiPartUpload.startMultiPartRequestResult: multipart.zig:496-498 (<UploadId>)

bytes is the raw HTTP response body from a user-configured endpoint — Bun explicitly supports MinIO, Cloudflare R2, LocalStack, custom proxies, and arbitrary S3-compatible servers via options.endpoint. Nothing validates well-formedness; the second indexOf does not start from start + tag.len, and there is no end > start + tag.len guard.

Secondary: operator-precedence bug at line 213

failIfContainsError (simple_request.zig:213) reads:

if (!has_error and status == 200 or status == 206) {

Per Zig precedence rules, and binds tighter than or, so this parses as ((!has_error and status == 200) or status == 206). A 206 response containing <Error> is therefore treated as success (returns false) while a 200 with <Error> is correctly failed. The parallel at line 216 (status == 200 or status == 206) confirms the intended grouping. Practical impact is low — failIfContainsError is used for multipart .commit/.part which return 200 — but it is fixable in the same pass.

Reachability from the PR-modified code

Bun.S3Client.unlink("key", {endpoint, accessKeyId, secretAccessKey, bucket}) (PR tag-flip at S3File.zig:118) → Store.S3.unlink → bun.S3.delete → executeSimpleS3Request → async HTTP → onResponse → status≠200/204 → errorWithBody (simple_request.zig:152). Same path for size/exists/stat (S3File.zig:199/233/585 → S3BlobStatTask.* → .stat callback → 404/else → errorWithBody) and write (small-upload non-200, or multipart <UploadId> parse on the InitiateMultipartUpload response).

Step-by-step proof

await Bun.S3Client.unlink("key", { endpoint: "http://attacker.example", bucket: "b", accessKeyId: "x", secretAccessKey: "y" });

The endpoint returns HTTP 500 with body "</Code><Code>InternalError" (27 bytes):

onResponse (simple_request.zig:223): status is not 200/204/206/404 → falls through to errorWithBody(.failure) at line ~290.

Line 160: bytes = body.list.items = "</Code><Code>InternalError". bytes.len = 27 > 0.

Line 163: strings.indexOf(bytes, "<Code>") finds "<Code>" at index 7 → start = 7.

Line 164: strings.indexOf(bytes, "</Code>") scans from offset 0, finds "</Code>" at index 0 → end = 0.

Line 165: code = bytes[7 + 6 .. 0] = bytes[13..0]. 13 > 0 → in Debug/ReleaseSafe, @panic("start index 13 is larger than end index 0"); in ReleaseFast, code.len wraps to 0 - 13 = 18446744073709551603, and callback.fail(code, message, ...) → S3Error.toJSWithAsyncStack reads ~2^64 bytes from code.ptr → segfault.

Bun process crashes before the user's await ever resolves or rejects.

The same trace applies with </Message>...<Message> at lines 169-171, and with the multipart InitiateMultipartUpload response containing </UploadId>...<UploadId> at multipart.zig:496-498.

Impact

A malicious or buggy S3-compatible endpoint (or a MITM on a non-TLS endpoint) can crash any Bun process that issues an S3 request to it, with a single malformed response body. Real AWS/R2/MinIO would not normally emit close-before-open XML, so the practical exposure is limited to user-configured/untrusted endpoints — but endpoint is a first-class user option, and a server-input-controlled process crash is strictly higher severity than the resource-leak findings already on this PR.

How to fix

Search for the closing tag starting after the opening tag and use the relative offset:

if (strings.indexOf(bytes, "<Code>")) |start| { const after = start + "<Code>".len; if (strings.indexOf(bytes[after..], "</Code>")) |rel_end| { code = bytes[after .. after + rel_end];

applied at simple_request.zig:163-173/201-210, multipart.zig:496-498, and download_stream.zig:101-112; and parenthesise line 213 as if (!has_error and (status == 200 or status == 206)).

Relationship to this PR / not a duplicate

Pre-existing — the PR diff does not touch simple_request.zig, multipart.zig, or download_stream.zig, and the trigger requires a malformed server response (close-tag-before-open-tag), not anything the PR's tag-flip affects. Flagged because (a) it is the response-side counterpart of the request-side resource bugs already on this PR (#3194798988 unlink, #3199168443 listObjects, #3200790769 small-upload Wrapper) — those comments already direct the author into Store.S3.unlink/listObjects and the upload Wrapper, all of whose callbacks land in onResponse two frames later; (b) it is a crash (not a leak), so strictly higher severity than the existing pre-existing comments; and (c) none of the existing findings on this PR mention errorWithBody, failIfContainsError, <Code>/<Message>/<UploadId> parsing, inverted slice bounds, the line-213 precedence, or server-response-controlled crashes.

claude · 2026-05-08T02:37:27Z

🟣 🟣 Pre-existing companion to #3200173422 (which already targets the sessionToken block at credentials_jsc.zig:115-129): getCredentialsWithOptions applies a containsNewlineOrCR guard to the three options that flow into raw picohttp.Header values — contentDisposition (line 192), type (line 211), contentEncoding (line 230) — but not to sessionToken (lines 120-124), which flows verbatim into the x-amz-security-token header at credentials.zig:723-726 on the non-presign path used by unlink/write/size/exists/stat (the presign branch is safe via encodeURIComponent at credentials.zig:502). Threat model is narrow (sessionToken is a credential, and whether AsyncHTTP ultimately rejects CRLF in header values was not traced end-to-end), but the validation-layer asymmetry is real and the fix is a one-line addition while applying #3200173422: after toUTF8, add if (containsNewlineOrCR(slice)) return globalObject.throwInvalidArguments("sessionToken must not contain newline characters (CR/LF)", .{});.

Extended reasoning...

What the bug is and how it manifests

S3Credentials.getCredentialsWithOptions (src/runtime/webcore/s3/credentials_jsc.zig) is the validation layer for user-supplied S3 options. It applies a containsNewlineOrCR guard to exactly the three string options that flow into raw HTTP header values — contentDisposition (line 192 → Content-Disposition at credentials.zig:737), type (line 211 → Content-Type via simple_request.zig:402), and contentEncoding (line 230 → Content-Encoding at credentials.zig:744) — each throwing "… must not contain newline characters (CR/LF)". But the sessionToken block at lines 115-129 has no such guard:

if (str.tag != .Empty and str.tag != .Dead) { new_credentials._sessionTokenSlice = str.toUTF8(bun.default_allocator); new_credentials.credentials.sessionToken = new_credentials._sessionTokenSlice.?.slice(); new_credentials.changed_credentials = true; }

sessionToken then flows to credentials.zig:355 (session_token = this.sessionToken) → 723-726 on the non-signQuery branch:

if (session_token) |token| { const session_token_value = bun.handleOom(bun.default_allocator.dupe(u8, token)); result.session_token = session_token_value; result._headers[result._headers_len] = .{ .name = "x-amz-security-token", .value = session_token_value };

— a plain dupe straight into a picohttp.Header.value, with no encoding or validation. Headers.fromPicoHttpHeaders (Headers.zig:106-110) then memcpys it verbatim into the request buffer.

Why this is the buggy block, not intentional

The three siblings establish the pattern: any user-supplied option that becomes a raw picohttp.Header.value gets a containsNewlineOrCR guard. sessionToken is the only such option without one, yet it lands in the same result._headers array two slots earlier (credentials.zig:726 vs 737/744). Guarding the three less-sensitive content-metadata fields but not the credential field that goes into the same header array confirms oversight rather than design. The presign (signQuery) branch is safe — credentials.zig:502 percent-encodes the token via encodeURIComponent before placing it in the query string — which further confirms that CR/LF in this field is not expected to be accepted.

Reachability from the PR-modified code

Bun.S3Client.unlink("k", { sessionToken: "a\r\nb", ... }) → S3File.zig:117 constructS3FileInternalStore → constructS3FileWithS3Credentials → credentials_jsc.zig:115-124 stores the raw value (no CRLF check) → S3File.zig:118 (the PR's tag-flip) → S3File.zig:120 Store.S3.unlink → executeSimpleS3Request → signRequest non-signQuery branch → credentials.zig:726 emits the unvalidated value as the x-amz-security-token header. Same path for write/size/exists/stat (S3File.zig:160/199/233/585). presign (S3File.zig:89) takes the signQuery branch, which encodeURIComponents the token at credentials.zig:502 → safe.

Threat model / impact

Header injection / request smuggling when an application forwards sessionToken from a less-trusted boundary — e.g. a multi-tenant S3 gateway that accepts caller-provided STS credentials and proxies to a shared endpoint, or an app reading AWS_SESSION_TOKEN from a child-process/CI environment it does not fully control. Bun.S3Client.unlink("k", { sessionToken: "tok\r\nX-Amz-Copy-Source: /victim-bucket/secret\r\nIgnore: ", ... }) would, if the HTTP client serializes header values verbatim, splice arbitrary headers into the signed request.

Two honest caveats: (a) sessionToken is a credential, not user-content metadata — an attacker who controls it typically controls the whole STS triple, and applications would not normally source it from untrusted input, so the multi-tenant scenario where only sessionToken is attacker-influenced is plausible but uncommon; (b) whether Bun's AsyncHTTP writer ultimately rejects CR/LF in header values was not traced end-to-end here, and the SigV4 canonical request at credentials.zig:851 (x-amz-security-token:{s}\n) would include the CR/LF, likely producing a signature mismatch at AWS even if the bytes reach the wire. The point is that getCredentialsWithOptions is the documented validation layer — it guards the other three header-bound options — and sessionToken slipped through.

Step-by-step proof

Bun.S3Client.unlink("key", { sessionToken: "valid-token\r\nX-Injected: 1", bucket: "b", accessKeyId: "x", secretAccessKey: "y", });

credentials_jsc.zig:115: getTruthyComptime("sessionToken") → the string. Line 117: isString() → true.

Lines 120-122: toUTF8 → slice = "valid-token\r\nX-Injected: 1". No containsNewlineOrCR check. Stored in credentials.sessionToken.

By contrast, { contentDisposition: "a\r\nb" } would throw at line 192-193 in the same function.

Store.S3.unlink → executeSimpleS3Request → signRequest(..., null) → non-signQuery branch.

credentials.zig:723-726: dupe(u8, "valid-token\r\nX-Injected: 1") → result._headers[n] = .{ .name = "x-amz-security-token", .value = <CRLF-containing bytes> }.

Headers.fromPicoHttpHeaders memcpys the value verbatim. The CRLF-containing value reaches the HTTP request serialization layer with no validation having been applied at the S3 options layer.

How to fix

In the same block #3200173422 already directs the author to edit (credentials_jsc.zig:120-124), add the guard the three siblings have:

new_credentials._sessionTokenSlice = str.toUTF8(bun.default_allocator); const slice = new_credentials._sessionTokenSlice.?.slice(); if (containsNewlineOrCR(slice)) { return globalObject.throwInvalidArguments("sessionToken must not contain newline characters (CR/LF)", .{}); } new_credentials.credentials.sessionToken = slice;

Relationship to this PR / not a duplicate

Pre-existing — the PR diff (six tag-flips in S3File.zig + a test) does not touch credentials_jsc.zig or credentials.zig, does not change what flows to getCredentialsWithOptions, and does not increase the surface area for this defect. The connection to the PR is purely transitive (every PR-modified function calls constructS3FileInternalStore → getCredentialsWithOptions, equally true before the PR). Flagged here because #3200173422 already directs the author to credentials_jsc.zig:126 in the same sessionToken block (for the unrelated "bucket" copy-paste error message); this is a different defect (missing CRLF validation vs. wrong literal) at lines 120-124 of that same block, and a natural one-line addition while applying that fix. None of the existing PR comments mention containsNewlineOrCR, CR/LF validation, header injection, or x-amz-security-token. Given the volume of pre-existing findings already on this PR, this is best applied alongside #3200173422 rather than tracked separately.

claude · 2026-05-07T07:11:44Z

🟣 🟣 Pre-existing companion to the early-return-resource class on this PR's write path: Blob.writeFileInternal creates destination_blob = path_or_blob.blob.dupe() (Blob.zig:1517 — dupe() does store.ref()) with no defer/errdefer destination_blob.detach(). In the S3 + .Locked-body branches, return S3.uploadStream(...) at Blob.zig:1560/1623 returns without detaching (and uploadStream dupes s3.path() itself at client.zig:494, so the store ref is not adopted), and try s3.getCredentialsWithOptions (1548/1613) / try bodyValue.toReadableStream (1550/1615) propagate error.JSError with no errdefer — net store refcount is +1 after S3File.write's defer blob.deinit(), leaking the entire Blob.Store (path + S3Credentials) on every streaming S3 upload. Fix: add defer destination_blob.detach(); at the top of each if (destination_blob.isS3()) block (after Blob.zig:1547 and 1611) and drop the now-redundant explicit detach() calls inside.

Extended reasoning...

What the bug is

Blob.writeFileInternal builds the destination blob at Blob.zig:1517 with else path_or_blob.blob.dupe(). Blob.dupe() (Blob.zig:3684-3690) is a struct copy that calls this.store.?.ref(), so destination_blob holds a +1 store refcount that must be released via destination_blob.detach() before any return. There is no defer or errdefer destination_blob.detach() registered between line 1517 and the S3 streaming-upload branches.

In the Response/Request .Locked + isS3() branches (Blob.zig:1546-1579 and 1611-1642), every error sub-exit calls destination_blob.detach() explicitly (lines 1541, 1554, 1577, 1606, 1618, 1640), but the happy-path return S3.uploadStream(...) at lines 1560 and 1623 does not — and the two try calls inside those blocks (getCredentialsWithOptions at 1548/1613, bodyValue.toReadableStream at 1550/1615) propagate error.JSError with no errdefer registered.

Why uploadStream does not adopt the ref

S3.uploadStream (client.zig:449-504) receives only s3.path() as a []const u8 slice and immediately dupes it at line 494: .path = bun.handleOom(bun.default_allocator.dupe(u8, path)). It also does this.ref() on the credentials object at line 465 — but it never receives or refs the Blob.Store. So the destination_blob store ref taken at line 1517 has no consumer on this return path; it is simply dropped.

Reachability from the PR-modified line

S3File.write's .path arm (this PR's tag-flip at S3File.zig:156) calls Blob.writeFileInternal(globalThis, &blob_internal, data, .{ .extra_options = options }) at S3File.zig:160 with blob_internal = .{ .blob = blob }. So path_or_blob == .blob and line 1517's dupe() branch is taken. With data a Response/Request whose body is a .Locked ReadableStream, destination_blob.isS3() is true and the leaking branch is entered. Also reachable via Bun.write(s3file, response_with_stream) and the S3Client#write instance method.

Step-by-step refcount proof — Bun.S3Client.write("key", new Response(stream), opts)

S3File.write .path arm: constructS3FileInternalStore → Blob.Store.initS3 → store rc=1.

S3File.zig:156: path_or_blob = .{ .blob = blob } (the PR's tag-flip). S3File.zig:157: defer blob.deinit() registered.

S3File.zig:160: Blob.writeFileInternal(&blob_internal /* .blob */, data /* Response w/ stream */, …).

Blob.zig:1407 (top of writeFileInternal): input_store = path_or_blob.blob.store; input_store.ref() → rc=2, with defer input_store.deref() at 1408.

Blob.zig:1517: destination_blob = path_or_blob.blob.dupe() → store.ref() → rc=3. No defer/errdefer detach().

Blob.zig:1546: .Locked + isS3() branch entered. 1548/1550 succeed; 1552 yields a readable; isDisturbed false.

Blob.zig:1560: return S3.uploadStream(...). uploadStream dupes the path (client.zig:494) and refs the credentials (client.zig:465); it does not touch the store. destination_blob.detach() is never called.

Unwind: defer input_store.deref() (Blob.zig:1408) → rc=2.

Back in S3File.write: defer blob.deinit() (S3File.zig:157) → store.deref() → rc=1.

The store (heap-allocated Blob.Store + cloned path + S3Credentials) is leaked at rc=1 forever.

The same trace with a counter-based throwing accessKeyId getter (succeeds on the first read inside constructS3FileWithS3Credentials, throws on the second read at Blob.zig:1548) ends at step 6 with error.JSError propagating — same +1 leak via the missing errdefer.

Why this is intentional-omission, not ownership-transfer

Every other exit from these two blocks calls destination_blob.detach() explicitly: the .Error arm (1541/1606), the isDisturbed sub-branch (1554/1618), and the no-readable fallthrough (1577/1640). Only the return S3.uploadStream(...) line and the two try-error paths skip it. The non-S3 .Locked arm transfers destination_blob into WriteFileWaitFromLockedValueTask.file_blob (1582/1645), and the fallthrough at 1684 passes it to writeFileWithSourceDestination — both of those do adopt the ref. The S3 streaming arm is the lone exit with no sink and no detach.

Impact

One Blob.Store (path buffer + S3Credentials allocation) leaked per streaming S3 upload, on both success and the throwing-options-getter error path. Trivially user-reachable; unbounded growth in long-running processes that loop S3Client.write(key, new Response(stream)) or Bun.write(s3file, fetchResponse).

How to fix

Add defer destination_blob.detach(); immediately after entering each if (destination_blob.isS3()) { ... } block (after Blob.zig:1547 and Blob.zig:1611), then delete the now-redundant explicit destination_blob.detach() calls at 1554/1577/1618/1640. Alternatively: add errdefer destination_blob.detach(); right after Blob.zig:1517 and insert an explicit destination_blob.detach(); immediately before each return S3.uploadStream(...).

Relationship to this PR / not a duplicate

This is pre-existing — the PR diff does not touch Blob.zig. It is flagged here because (a) the PR-modified S3File.write at line 156 routes straight into this leak two lines later at line 160; (b) the error-path variant is triggered by exactly the throwing-options-getter scenario this PR's discussion and regression test revolve around; and (c) it is in the same "early-return without releasing the store ref" defect class as the path/credential issues already on this PR. None of the existing comments mention destination_blob, writeFileInternal's .Locked early-returns, or the uploadStream happy path — they cover the path/encoded_slice resource (#3189832498/#2996283354/#2997528729), content_type (#3195579613), JSPromise.Strong (#3194798988/#3199168443), and the .buffer protect (#3196702451).

claude · 2026-05-07T10:40:40Z

🟣 Pre-existing: the inline Wrapper for the S3 small-bytes upload path in writeFileWithSourceDestination (Blob.zig:1297-1318) is heap-allocated via bun.TrivialNew, but its deinit() only does promise.deinit(); store.deref(); — it never calls bun.destroy(this), unlike the sibling wrappers in Store.S3.unlink (Store.zig:351-355), Store.S3.listObjects (Store.zig:403-412), and S3BlobStatTask (S3File.zig:469-472). Every non-multipart S3 write — including this PR's own Bun.S3Client.write(Date(), "data") test case at line 18 — leaks one @sizeOf(Wrapper) allocation on both success and failure. Fix: append bun.destroy(this); to Wrapper.deinit() at Blob.zig:1318. (Secondary: the .failure arm's this.store.getPath() reads the source bytes store, not the destination S3 store, so the error's path context is null instead of the S3 key.)

Extended reasoning...

What the bug is

The inline Wrapper struct in writeFileWithSourceDestination (Blob.zig:1297-1318) — the callback context for the S3-destination + small-bytes-source path (≤ MAX_SINGLE_UPLOAD_SIZE) — heap-allocates itself via pub const new = bun.TrivialNew(@This()) (line 1302), which expands to bun.new(T, t) → handleOom(tryNew(T, init)) (bun.zig:2780-2786). But its deinit() is:

// Blob.zig:1315-1318 fn deinit(this: *@This()) void { this.promise.deinit(); this.store.deref(); }

It never calls bun.destroy(this). The only caller is defer this.deinit() at Blob.zig:1306 inside Wrapper.resolve, and simple_request.zig (lines 182/184/219/255/290) only ever invokes the callback with callback_context and never frees it — so the wrapper is solely responsible for freeing itself, and it doesn't. Every non-multipart S3 upload leaks one @sizeOf(Wrapper) heap allocation (~24-32 bytes: *Store + JSPromise.Strong + *JSGlobalObject).

Why this is an oversight, not intentional

All three structurally identical sibling wrappers correctly free themselves:

Store.S3.unlink's Wrapper (Store.zig:351-355): fn deinit(wrap) { wrap.store.deref(); wrap.promise.deinit(); bun.destroy(wrap); }

Store.S3.listObjects's Wrapper (Store.zig:403-412): fn deinit(self) { …; self.destroy(); }

S3BlobStatTask.deinit (S3File.zig:469-472): { this.store.deref(); this.promise.deinit(); bun.destroy(this); }

Only the small-upload Wrapper omits the destroy.

Reachability from the PR-modified code

S3File.write's .path arm — the PR's tag-flip at this line (S3File.zig:156) — calls Blob.writeFileInternal(globalThis, &blob_internal, data, …) four lines later at S3File.zig:160. With data a string/Blob/bytes ≤ 5 GiB, this falls through to writeFileWithSourceDestination (Blob.zig:1684) → destination_type == .s3 (Blob.zig:1261) → source_store.data == .bytes and bytes.len ≤ MAX_SINGLE_UPLOAD_SIZE (Blob.zig:1296) → the leaking Wrapper at line 1336. Also reachable via Bun.write(s3file, "data") and S3Client#write("key", "data").

Notably, the PR's own regression test exercises this leak at test/js/bun/s3/s3-presign-double-free.test.ts:18 — Bun.S3Client.write(Date(), "data"). Even with credentials stripped, executeSimpleS3Request synchronously calls Wrapper.resolve(.failure) → defer this.deinit() → leak.

Step-by-step proof — Bun.S3Client.write("key", "data")

S3File.write .path arm: constructS3FileInternalStore → S3 store rc=1; tag-flip (line 156); Blob.writeFileInternal (line 160).

writeFileInternal → source_blob = Blob from "data" (bytes store); falls through to writeFileWithSourceDestination (Blob.zig:1684).

destination_type == .s3, source_store.data == .bytes, bytes.len = 4 ≤ MAX_SINGLE_UPLOAD_SIZE → else branch (Blob.zig:1296-1343).

Line 1320: source_store.ref(). Line 1321: JSPromise.Strong.init. Line 1336: Wrapper.new(.{…}) → bun.new(Wrapper, …) heap-allocates pointer W.

S3.upload → executeSimpleS3Request: signRequest fails (no creds) → callback.fail → Wrapper.resolve(.failure, W).

defer this.deinit() (Blob.zig:1306) → promise.deinit() + store.deref(). bun.destroy(W) is never called.

W is leaked. Repeat in a loop and native heap grows unboundedly.

(Same trace on the success path: HTTP 200 → Wrapper.resolve(.success) → defer this.deinit() → same leak.)

Secondary observation (same Wrapper)

The .failure arm calls this.store.getPath() (Blob.zig:1310), but this.store is the source bytes store (line 1337: .store = source_store), not the destination S3 store — Store.getPath() for .bytes returns null when stored_name.len == 0 (Store.zig:22), so the error's path context is null instead of the S3 key. Minor UX issue alongside the leak.

How to fix

Append bun.destroy(this); to the end of Wrapper.deinit() (Blob.zig:1318), matching the sibling wrappers in Store.S3.unlink / Store.S3.listObjects / S3BlobStatTask.

Relationship to this PR / not a duplicate

This is pre-existing — the PR diff does not touch Blob.zig:1297-1318. It is flagged because (a) the PR-modified S3File.write at this line calls directly into this path four lines later at S3File.zig:160; (b) the PR's own regression test at line 18 exercises this leak on every run; and (c) it sits in the same Wrapper-cleanup defect class as the existing comments on this PR (#3194798988 unlink, #3199168443 listObjects, #3199552705 destination_blob). None of those mention bun.destroy, this small-upload Wrapper, or Blob.zig:1315-1318.

claude · 2026-05-07T12:46:24Z

🟣 🟣 Pre-existing companion to #3199552705 on the same return S3.uploadStream(...) calls, but a different resource: uploadStream does this.ref() on the credentials at client.zig:465 and MultiPartUpload releases exactly once (multipart.zig:293), so its contract is borrow-in / ref-internally — but 5 of its 6 callers (Blob.zig:1278/1353/1561/1624/2605) pass aws_options.credentials.dupe() (a fresh heap S3Credentials with rc=1) when extra_options != null, and fetch.zig:1336 dupes unconditionally: dupe rc=1 → this.ref() rc=2 → MultiPartUpload deref rc=1 → leaked, plus all 6 duped string buffers. Secondarily, the early returns at client.zig:468/473/485 sit after this.ref() but before the task.credentials = this sink, leaking the +1 in both the borrowed and dupe()'d cases. Reachable from this PR-modified S3File.write at line 156→160 with a stream/file body and non-null options. Fix: move this.ref() below the early-return checks (or add errdefer this.deref()), and either have callers defer the dupe()'d credentials or change uploadStream to adopt rather than ref.

Extended reasoning...

What the bug is

S3.uploadStream (client.zig:465) begins with this.ref() and stores the pointer once at task.credentials = this (client.zig:493); MultiPartUpload.deinit releases it exactly once via this.credentials.deref() (multipart.zig:293). So uploadStream's ownership contract is borrow-in, ref-internally — the caller passes a borrowed pointer, and uploadStream takes its own ref.

But 5 of its 6 callers conditionally pass aws_options.credentials.dupe() — a fresh heap S3Credentials with ref_count = .init() i.e. rc=1 (credentials.zig:41-43, bun.new(S3Credentials, .{.ref_count = .init(), ...})) — when extra_options != null:

Blob.zig:1278, 1353 (writeFileWithSourceDestination, large-bytes / file-or-S3 source)

Blob.zig:1561, 1624 (writeFileInternal, Response/Request .Locked body — exactly the path #3199552705 already flags for the destination_blob store leak)

Blob.zig:2605 (pipeReadableStreamToBlob)

and fetch.zig:1336 passes credentialsWithOptions.credentials.dupe() unconditionally.

In the dupe() case: rc=1 (dupe) → this.ref() → rc=2 → MultiPartUpload deref on completion → rc=1 → S3Credentials leaked at rc=1 forever, including every duped string buffer (accessKeyId, secretAccessKey, sessionToken, region, endpoint, bucket — credentials.zig:44-71). In the s3.getCredentials() (borrowed) case the math balances, which is why this only leaks when options are provided (or always, for fetch).

Secondarily, the three early returns inside uploadStream at client.zig:468/473/485 (isDisturbed / .Invalid / .File|.Bytes pending .err) sit after this.ref() (line 465) but before the task.credentials = this sink at line 493, with no errdefer this.deref() — so they leak the +1 from line 465 in both the borrowed and dupe()'d cases.

Why existing safeguards do not prevent it

There is no errdefer this.deref() after client.zig:465, and none of the dupe() call sites register defer dupedCreds.deref() — they pass the result directly as an inline argument expression (if (options.extra_options != null) aws_options.credentials.dupe() else s3.getCredentials()), so there is no local to clean up. The else-branch s3.getCredentials() (Store.zig:304-307) returns this.credentials.? with no extra ref bump, confirming the callee-refs contract; the dupe() branch simply violates it by handing over a +1 it never balances.

Reachability from the PR-modified code

S3File.write's .path arm — the PR's tag-flip at S3File.zig:156 — calls Blob.writeFileInternal(globalThis, &blob_internal, data, .{ .extra_options = options }) four lines later at S3File.zig:160. With data a Response/Request whose body is a ReadableStream and a non-null third arg, this reaches Blob.zig:1560 with options.extra_options != null → aws_options.credentials.dupe() → leak. With data = Bun.file(...) or another S3 file, it reaches Blob.zig:1352 → same. fetch('s3://bucket/key', {method:'PUT', body:stream}) reaches fetch.zig:1336 unconditionally.

Step-by-step refcount proof — Bun.S3Client.write('key', new Response(stream), {bucket:'b'})

S3File.write .path arm (PR line 156): constructS3FileInternalStore → store rc=1; tag-flip; Blob.writeFileInternal (line 160) with extra_options = {bucket:'b'}.

writeFileInternal → .Locked + isS3() branch (Blob.zig:1546). aws_options = s3.getCredentialsWithOptions({bucket:'b'}, ...) — aws_options.credentials is a stack S3Credentials value whose .bucket points into aws_options._bucketSlice.

Blob.zig:1561: options.extra_options != null → aws_options.credentials.dupe() heap-allocates C (rc=1) with its own duped accessKeyId/secretAccessKey/region/endpoint/bucket/sessionToken buffers.

uploadStream(C, ...): client.zig:465 this.ref() → C rc=2. None of the early returns fire. client.zig:491-508: task = MultiPartUpload{ .credentials = C, ... }. Upload completes → MultiPartUpload.deinit → multipart.zig:293 this.credentials.deref() → C rc=1.

Nothing else holds C. C leaked at rc=1, plus its 6 duped string buffers.

The same trace from fetch('s3://b/k', {method:'PUT', body:stream}) leaks unconditionally (fetch.zig:1336 always dupes). Repeat in a loop and native heap grows unboundedly.

For the early-return sub-bug: same trace, but with stream already-disturbed → client.zig:468 returns the rejected promise after this.ref() at 465 and before line 493, leaking +1 even on the borrowed path.

How to fix

Either (a) change uploadStream to adopt the incoming ref instead of adding its own — remove this.ref() at client.zig:465 and have the borrowed-pointer call sites add an explicit ref before passing (e.g. const c = s3.getCredentials(); c.ref(); ... uploadStream(c, ...)); or (b) keep this.ref() and have each dupe() call site capture the result in a local with defer creds.deref() so the caller's +1 is balanced. In either case, also cover the early returns at client.zig:468/473/485 — simplest is to move this.ref() down to immediately before line 491 (after all early-return checks), or add errdefer this.deref() right after line 465 that is disarmed once task.credentials = this is reached.

Relationship to this PR / not a duplicate

Pre-existing — the PR diff does not touch client.zig, multipart.zig, fetch.zig, or these Blob.zig sites. Flagged because it sits on the immediate call path of the PR-modified S3File.write at line 156→160, in the same defect family already on this PR: #3199552705 covers the destination_blob Store ref on the same return S3.uploadStream(...) statement; this covers the credentials argument of that statement — different resource, different mechanism (dupe()+ref() over-count vs. missing detach()). None of the existing comments mention aws_options.credentials.dupe(), client.zig:465's this.ref(), multipart.zig:293, or fetch.zig:1336.

claude · 2026-05-07T12:46:24Z

🟣 🟣 Pre-existing correction to #3199552705: that comment's claim that "the fallthrough at 1684 passes it to writeFileWithSourceDestination — both of those do adopt the ref" is false for S3 destinations. The entire .s3 branch of writeFileWithSourceDestination (Blob.zig:1261-1373) returns from every exit (1264/1292/1294/1342/1367/1369 and the trys at 1272/1347) without ever calling destination_blob.detach(), and neither uploadStream nor the small-upload Wrapper adopt the destination Store ref — so the +1 from path_or_blob.blob.dupe() (Blob.zig:1517) leaks on every non-.Locked S3 write, including this PR's own test line 18 (Bun.S3Client.write(Date(), "data")). #3199552705's recommended fix (defer destination_blob.detach() only inside the two .Locked isS3() blocks at 1547/1611) leaves all of these exits still leaking; also add defer destination_blob.detach(); at the top of the .s3 branch in writeFileWithSourceDestination (right after Blob.zig:1262), or hoist it to right after Blob.zig:1517 and audit each adopting sink.

Extended reasoning...

What the bug is

Existing comment #3199552705 correctly identifies that destination_blob = path_or_blob.blob.dupe() at Blob.zig:1517 takes a +1 store ref with no defer/errdefer destination_blob.detach(), and that the S3 .Locked streaming arms leak it. However, that comment's analysis of which exits are affected is incomplete: it explicitly states "the fallthrough at 1684 passes it to writeFileWithSourceDestination — both of those do adopt the ref. The S3 streaming arm is the lone exit with no sink and no detach." For S3 destinations this is false. The entire destination_type == .s3 branch of writeFileWithSourceDestination (Blob.zig:1261-1373) only reads destination_blob (for contentTypeOrMimeType() at 1285/1328/1360 and destination_store via the function-top unwrap), and returns from every exit without ever calling destination_blob.detach():

Line 1264: getCredentialsWithOptions failure → rejected promise return

Line 1292: return S3.uploadStream(...) (large-bytes streaming)

Line 1294: stream-creation failure → rejected promise return

Line 1342: return promise_value (small-bytes single-upload)

Line 1367: return S3.uploadStream(...) (file/s3 source)

Line 1369: stream-creation failure → rejected promise return

Plus try-propagation at 1272 and 1347

uploadStream (client.zig:494) dupes s3.path() itself and refs only the credentials, never the Store. The small-upload Wrapper (Blob.zig:1297-1319) holds source_store (line 1337: .store = source_store), not destination_store. So none of these exits adopt the destination ref.

Why #3199552705's recommended fix is incomplete

That comment recommends "add defer destination_blob.detach(); at the top of each if (destination_blob.isS3()) block (after Blob.zig:1547 and 1611)". Those two blocks live inside the .Locked Response/Request branches of writeFileInternal and only cover the streaming-body case. Plain string/bytes/Blob/file data never enters those blocks — it falls through to writeFileWithSourceDestination at line 1684, where the .s3 branch leaks via the six exits above. So applying #3199552705's fix as written would patch the rare streaming-upload case while leaving the common small-upload case (and the file/s3-source streaming case) still leaking.

Step-by-step refcount proof — Bun.S3Client.write(Date(), "data") (this PR's own test, line 18)

S3File.write .path arm: constructS3FileInternalStore → Blob.Store.initS3 → store rc=1. PR's tag-flip at S3File.zig:156. defer blob.deinit() registered.

S3File.zig:160 → Blob.writeFileInternal(&blob_internal /* .blob */, "data", …).

Blob.zig:1407: input_store.ref() → rc=2, with defer input_store.deref() at 1408.

Blob.zig:1430: !path_or_blob.blob.isS3() is false for an S3 blob → fast-path skipped.

Blob.zig:1517: destination_blob = path_or_blob.blob.dupe() → store.ref() (Blob.zig:3690) → rc=3. No defer/errdefer detach().

Blob.zig:1664: source_blob = Blob.get("data") → bytes store. destination_store.ref() at 1675 → rc=4 (with defer deref at 1680).

Blob.zig:1684 → writeFileWithSourceDestination. destination_type == .s3, source .bytes, len ≤ MAX_SINGLE_UPLOAD_SIZE → small-upload branch (1296-1342). Wrapper.new(.{ .store = source_store, … }) — destination store not captured. Line 1342: return promise_value. destination_blob.detach() never called.

Unwind: defer destination_store.deref() (1680) → rc=3; defer input_store.deref() (1408) → rc=2; back in S3File.write, defer blob.deinit() → rc=1.

Store leaked at rc=1 (heap-allocated Blob.Store + path + S3Credentials).

The same leak fires on the failure path (no credentials → getCredentialsWithOptions at 1263 catches nothing here, but if signing fails inside S3.upload the promise rejects and Wrapper.deinit() derefs only source_store — destination still leaked).

Why the balanced destination_store.ref()/deref() at 1674-1682 doesn't help

That pair is a separate +1/−1 around the writeFileWithSourceDestination call, intended to keep the store alive for the duration. It is balanced and unrelated to the +1 taken by dupe() at 1517 — it neither subsumes nor compensates for it.

Impact

One Blob.Store (path buffer + S3Credentials) leaked per non-.Locked S3 write — i.e. every Bun.S3Client.write(key, string|Blob|Buffer|file) / Bun.write(s3file, …) / S3Client#write(key, …). This is the common S3 write path (small-bytes single-upload), not the edge-case streaming path that #3199552705 covers. Trivially user-reachable; unbounded growth in long-running processes.

How to fix

Either:

Add defer destination_blob.detach(); at the top of the destination_type == .s3 branch in writeFileWithSourceDestination (right after Blob.zig:1262), in addition to #3199552705's two .Locked defers; or

Hoist a single defer destination_blob.detach(); to right after Blob.zig:1517 and audit each adopting sink (WriteFileWaitFromLockedValueTask.file_blob at 1582/1645, the non-S3 branches of writeFileWithSourceDestination) to neutralize it where ownership is genuinely transferred.

Relationship to this PR / not a duplicate

Pre-existing — the PR diff does not touch Blob.zig. This is a correction/extension of existing comment #3199552705: same root cause (dupe() at 1517 with no detach), but materially different in scope (every non-.Locked S3 write, not just the streaming arm) and in actionable fix location (the .s3 branch of writeFileWithSourceDestination, which #3199552705's recommended fix does not cover). Distinct from #3200790769, which covers the missing bun.destroy(this) in the same small-upload Wrapper — that's a different resource (the Wrapper struct itself) leaked via a different mechanism. Reachable from the PR-modified S3File.write at line 156→160 and exercised by the PR's own regression test at line 18.

claude · 2026-05-07T14:11:10Z

🟣 🟣 Pre-existing companion to #3201498672 in the same writeFileWithSourceDestination .s3 branch the author is already directed to edit, but a different argument: at Blob.zig:1357 the .file/.s3-source uploadStream call passes s3.options (the destination store's baked-in MultiPartUploadOptions) while the structurally identical .bytes-large-source call at line 1282 — and every other argument on lines 1358-1364 (aws_options.acl, aws_options.storage_class, aws_options.content_disposition, …) — correctly uses aws_options.*. Since aws_options = s3.getCredentialsWithOptions(options.extra_options, ctx) at line 1263 layers per-call partSize/queueSize/retry (credentials_jsc.zig:131-175) onto s3.options, e.g. Bun.write(s3blob, Bun.file('/big'), { partSize: 100*1024*1024 }) silently uploads with the store's default 5 MiB parts. The PR-anchored .path arm here is unaffected (the fresh store at S3File.zig:316 has s3.options == aws_options.options); reachable via the .blob arm at S3File.zig:165-168 / Bun.write(s3blob, fileBlob, opts). Fix: change s3.options → aws_options.options at Blob.zig:1357 to match line 1282 (and likewise s3.options.partSize → aws_options.options.partSize at 1275/1350).

Extended reasoning...

What the bug is

In Blob.writeFileWithSourceDestination's S3-destination branch, the .file/.s3-source arm calls:

// Blob.zig:1352-1367 return S3.uploadStream( (if (options.extra_options != null) aws_options.credentials.dupe() else s3.getCredentials()), s3.path(), stream, ctx, s3.options, // ← BUG: should be aws_options.options aws_options.acl, aws_options.storage_class, destination_blob.contentTypeOrMimeType(), aws_options.content_disposition, aws_options.content_encoding, proxy_url, aws_options.request_payer, null, undefined, );

while the structurally identical .bytes-large-source arm three blocks above passes aws_options.options at line 1282. Every other argument on lines 1358-1364 reads from aws_options.*; only the MultiPartUploadOptions struct reads from s3.* directly. The asymmetry — both vs. the sibling call at 1282 and vs. the surrounding arguments — confirms this is an oversight, not intentional.

The specific code path that triggers it

s3 is &destination_store.data.s3 (line 1262); s3.options is the MultiPartUploadOptions that was baked into the store when it was constructed (e.g. store.data.s3.options = aws_options.options at S3File.zig:316/271 for fresh stores, or whatever the user passed to new Bun.S3Client(...) / Bun.s3(...) for long-lived blobs). aws_options (line 1263) comes from Store.S3.getCredentialsWithOptions(options.extra_options, ctx) (Store.zig:309-310), which calls S3Credentials.getCredentialsWithOptions with default_options = this.options and then layers the user's per-call overrides on top: credentials_jsc.zig:131-175 reads opts.partSize / pageSize / queueSize / retry and writes them into new_credentials.options. So aws_options.options diverges from s3.options exactly when extra_options carries any of those keys.

uploadStream stores the received options verbatim in the MultiPartUpload task (task.options = options, client.zig:503), which then drives part sizing, concurrency, and retry behavior for the entire upload.

Why existing safeguards don't prevent it

There is no other place that re-reads partSize/queueSize/retry from extra_options on this path — uploadStream only sees what is passed in argument 5. The credentials are re-derived (line 1353 dupes aws_options.credentials when options are present), and acl/storage_class/content_disposition/content_encoding/request_payer all come from aws_options — but the multipart options struct alone is sourced from the wrong place. Two other uploadStream sites in the same file (Blob.zig:1565, 1628 in the .Locked-body branches) and pipeReadableStreamToBlob (Blob.zig:2609) also correctly use aws_options.options, leaving line 1357 the lone holdout.

Impact

Any S3 write whose source is a local file or another S3 file and whose destination is a pre-existing S3 blob silently ignores the per-call partSize/queueSize/retry overrides:

const dest = client.file('big-object'); // store.options.partSize = 5 MiB (default) await Bun.write(dest, Bun.file('/path/to/40GB.bin'), { partSize: 100 * 1024 * 1024 }); // → uploads with 5 MiB parts (≈8000 parts) instead of the requested 100 MiB parts

Same for s3blob.write(Bun.file(...), { queueSize: 32 }) (concurrency override dropped) and { retry: 10 }. The only workaround is to set the option on the client/file at construction time. Note the related @truncate(s3.options.partSize) at lines 1275 and 1350 (the ReadableStream chunk size) has the same defect.

Step-by-step proof — Bun.write(s3blob, Bun.file('/big'), { partSize: 100*1024*1024 })

Blob.writeFile (Blob.zig:1744-1748) → writeFileInternal with extra_options = { partSize: 100MiB }. s3blob.store.data.s3.options.partSize is whatever it was at construction (default 5 MiB).

Falls through to writeFileWithSourceDestination at Blob.zig:1684 with destination_blob = s3blob.dupe(), source_blob = Bun.file('/big').

Line 1261: destination_type == .s3. Line 1262: s3 = &destination_store.data.s3 → s3.options.partSize = 5 MiB.

Line 1263: aws_options = s3.getCredentialsWithOptions({partSize:100MiB}, ctx) → Store.zig:310 passes default_options = s3.options → credentials_jsc.zig:142-151 reads opts.partSize = 100MiB → aws_options.options.partSize = 100 MiB.

Line 1345: source_store.data == .file → enters the .file, .s3 => arm.

Line 1352-1357: S3.uploadStream(..., ctx, s3.options /* 5 MiB */, aws_options.acl, ...).

uploadStream stores task.options = { partSize: 5 MiB, ... } (client.zig:503). MultiPartUpload chunks the upload at 5 MiB. The user's 100 MiB override is silently discarded.

How to fix

Change Blob.zig:1357 from s3.options to aws_options.options, matching line 1282 and the other uploadStream callers at 1565/1628/2609. While there, also change s3.options.partSize → aws_options.options.partSize at lines 1275 and 1350 so the ReadableStream chunk size matches the upload part size.

Relationship to this PR / not a duplicate

Pre-existing — the PR diff does not touch Blob.zig. Distinct from #3199552705/#3201498672 (the destination_blob store-ref leak) and #3201498669 (the credentials.dupe() over-ref), which cover resource leaks on these same uploadStream call sites; this is a functional bug in a different argument (the multipart options struct). Same defect class as #3200790776 (presign drops acl/storage_class) and #3201670545 (presign drops content_encoding): a per-call user option is parsed and validated but silently ignored at the consumer call site. The PR-anchored .path arm at S3File.zig:156 is unaffected (the freshly-built store at S3File.zig:316 has s3.options == aws_options.options), but the .blob arm of the same S3File.write function at S3File.zig:165-168 routes directly into the diverging case via Blob.zig:1684, as do Bun.write(s3blob, fileBlob, opts) and s3blob.write(fileBlob, opts). None of the existing PR comments mention s3.options vs aws_options.options, line 1357, or partSize/queueSize/retry being dropped.

claude · 2026-05-07T14:58:36Z

🟣 🟣 Pre-existing companion to #3201498669 / #3200790776 / #3202066991 for the third multipart entry point — s3blob.writer() → S3.writableStream (client.zig:264-347, called from Blob.getWriter at Blob.zig:2862-2887). Three issues, none covered by existing comments: (1) Blob.zig:2863 passes credentialsWithOptions.credentials.dupe() (rc=1) into writableStream, which does this.ref() at client.zig:309 and MultiPartUpload derefs once (multipart.zig:293) → leaked at rc=1, identical to #3201498669; (2) the no-options branch at Blob.zig:2876-2887 passes .{} for MultiPartUploadOptions (line 2880) and null for storage_class (line 2885) instead of s3.options/s3.storage_class — yet line 2886 does pass s3.request_payer — same f()-vs-f({}) divergence class as #3200790776/#3202066991; (3) writableStream's signature has no acl parameter at all (unlike sibling uploadStream at client.zig:455) and its MultiPartUpload literal at client.zig:310-326 omits .acl, so s3blob.writer({acl:'public-read'}) and new Bun.S3Client({acl:...}).file('k').writer() silently upload with no x-amz-acl header on either branch — applying (1)/(2) alone won't fix this since there is no slot to fill. Fix: add acl: ?ACL to writableStream and set .acl = acl in its MultiPartUpload literal; at Blob.zig:2862-2873 pass credentialsWithOptions.acl and apply whichever dupe-vs-borrow convention is chosen for #3201498669; at Blob.zig:2876-2887 pass s3.options/s3.acl/s3.storage_class. Not reachable from the PR-modified static methods (.writer() is a separate API), but it is the direct sibling of uploadStream — applying #3201498669's fix to uploadStream alone leaves writableStream with the identical leak.

Extended reasoning...

What the bug is

S3.writableStream (client.zig:264-347) is the third MultiPartUpload entry point alongside uploadStream (client.zig:449+) and upload. It is reached only via Blob.getWriter — the JS s3blob.writer(opts) / client.file('k').writer(opts) API — at Blob.zig:2862-2887. Three pre-existing defects, each the direct sibling of an issue already flagged on this PR for uploadStream / presign, but none of the existing 28 comments mention writableStream, getWriter, .writer(), or Blob.zig:2862-2887.

(1) credentials.dupe() + this.ref() over-count — identical to #3201498669

writableStream does this.ref() on the credentials at client.zig:309 and stores the pointer at line 312 (.credentials = this); MultiPartUpload.deinit releases exactly once via this.credentials.deref() (multipart.zig:293). So writableStream's ownership contract is borrow-in, ref-internally — confirmed by the no-options call site at Blob.zig:2877, which correctly passes the borrowed s3.getCredentials() (Store.zig:304-307 returns this.credentials.? with no extra ref). But the with-options call site at Blob.zig:2863 passes credentialsWithOptions.credentials.dupe() — a fresh heap S3Credentials with rc=1 (credentials.zig:41-43) — directly as an inline argument with no local cleanup. dupe rc=1 → this.ref() rc=2 → MultiPartUpload deref rc=1 → leaked at rc=1, plus all 6 duped string buffers (accessKeyId/secretAccessKey/sessionToken/region/endpoint/bucket). Triggered on every s3blob.writer({...}) call with a non-null options object. #3201498669 lists 5 uploadStream callers + fetch.zig:1336; writableStream and Blob.zig:2863 are not in that list.

(2) No-options branch drops store defaults — same class as #3200790776/#3202066991

When s3blob.writer() is called without an options object (or with a non-object), the fall-through call at Blob.zig:2876 passes .{} for MultiPartUploadOptions (line 2880) and null for storage_class (line 2885) instead of s3.options / s3.storage_class, while line 2886 does pass s3.request_payer — confirming the intent that store-level settings flow through. So client.file('k').writer() silently uploads with the 5 MiB default partSize/queueSize/retry and no storageClass, whereas client.file('k').writer({}) (empty object) goes through s3.getCredentialsWithOptions at line 2860 (Store.zig:309-310 forwards this.options/this.storage_class as defaults) and correctly inherits them. Same f()-vs-f({}) divergence class as #3200790776 (presign drops acl/storage_class when extra_options == null) and same wrong-source-for-MultiPartUploadOptions class as #3202066991 (Blob.zig:1357 s3.options vs aws_options.options).

(3) writableStream has no acl parameter at all — distinct fix shape

writableStream's signature (client.zig:264-275) takes (this, path, globalThis, options, content_type, content_disposition, content_encoding, proxy, storage_class, request_payer) — no acl. Sibling uploadStream (client.zig:449-464) has acl: ?ACL at line 455 and sets .acl = acl in its MultiPartUpload literal at line 504. writableStream's bun.new(MultiPartUpload, .{...}) literal at client.zig:310-326 sets .storage_class/.request_payer but omits .acl, so it defaults to null (multipart.zig:106 acl: ?ACL = null). MultiPartUpload consumes this.acl at multipart.zig:320/613/692 (passed to signRequest for InitiateMultipartUpload / single-PUT), which emits the x-amz-acl header iff non-null.

This is distinct from (2) in fix shape: (2) is a call-site literal edit (fill existing parameter slots with the right values), but (3) requires a signature change — there is no acl slot to fill. Even after applying (2), the with-options branch at Blob.zig:2860 calls s3.getCredentialsWithOptions(options, globalThis), which parses and validates options.acl (credentials_jsc.zig:176-178) into credentialsWithOptions.acl, and then never passes it because writableStream has no slot. Same defect class as #3201670545 (presign drops content_encoding because the signRequest literal omits the field).

Step-by-step proof

(1) — new Bun.S3Client({bucket:'b'}).file('key').writer({partSize: 16*1024*1024})

Blob.getWriter: isS3(), arguments.len > 0, options.isObject() → with-options branch.

Blob.zig:2860: s3.getCredentialsWithOptions({partSize:16MiB}, globalThis) → credentialsWithOptions.credentials is a stack S3Credentials value.

Blob.zig:2863: credentialsWithOptions.credentials.dupe() heap-allocates C (rc=1) with its own duped string buffers.

writableStream(C, ...): client.zig:309 this.ref() → C rc=2. client.zig:310-312: MultiPartUpload{ .credentials = C, ... }.

User writes/closes the sink → upload completes → MultiPartUpload.deinit → multipart.zig:293 this.credentials.deref() → C rc=1.

Nothing else holds C. C leaked at rc=1, plus its duped accessKeyId/secretAccessKey/region/endpoint/bucket/sessionToken buffers.

(2) — new Bun.S3Client({bucket:'b', partSize: 64*1024*1024, storageClass:'STANDARD_IA'}).file('key').writer()

Blob.getWriter: arguments.len == 0 → no-options branch.

Blob.zig:2876: S3.writableStream(s3.getCredentials() /* borrowed, correct */, path, globalThis, .{} /* line 2880 */, contentType, null, null, proxy_url, null /* line 2885 */, s3.request_payer /* line 2886 */).

client.zig:324: task.options = .{} → partSize = 5 MiB (default), not 64 MiB. client.zig:318: .storage_class = null, not STANDARD_IA.

By contrast, ...writer({}) would hit Blob.zig:2860 → getCredentialsWithOptions seeds defaults from s3.options/s3.storage_class → both flow through correctly. .writer() and .writer({}) produce different multipart configurations.

(3) — s3blob.writer({ acl: 'public-read' })

Blob.getWriter → with-options branch.

Blob.zig:2860: s3.getCredentialsWithOptions({acl:'public-read'}, globalThis) → credentials_jsc.zig:176 reads opts.acl via getOptionalEnum → credentialsWithOptions.acl = .public_read.

Blob.zig:2862-2873: S3.writableStream(creds.dupe(), path, globalThis, credentialsWithOptions.options, contentType, cd, ce, proxy_url, credentialsWithOptions.storage_class, credentialsWithOptions.request_payer) — credentialsWithOptions.acl is never read.

client.zig:310-326: MultiPartUpload{ ..., .storage_class = storage_class, .request_payer = request_payer, ... } — .acl is omitted → defaults to null (multipart.zig:106).

multipart.zig:613/692: InitiateMultipartUpload / single-PUT call signRequest with .acl = this.acl = null → no x-amz-acl header → uploaded object gets the bucket's default ACL, not public-read.

The same trace applies to new Bun.S3Client({acl:'public-read'}).file('k').writer() (no-options branch, where s3.acl = .public_read from the client but there is no parameter slot to forward it).

Impact

(1) is an unbounded native-heap leak: every s3blob.writer({...}) call with options leaks one S3Credentials allocation + 6 string buffers. (2) is a silent functional bug: client-level partSize/queueSize/retry/storageClass are dropped for .writer() but honored for .writer({}). (3) is a silent functional bug: acl is parsed/validated then dropped on both branches — there is no way to set an ACL via .writer() at all.

How to fix

client.zig:264-275: add acl: ?ACL to writableStream's signature (between options and content_type, matching uploadStream's order) and set .acl = acl in the bun.new(MultiPartUpload, .{...}) literal at client.zig:310-326.

Blob.zig:2862-2873 (with-options branch): pass credentialsWithOptions.acl in the new slot, and apply whichever dupe-vs-borrow convention is chosen for #3201498669 (e.g. capture the dupe()'d credentials in a local with defer creds.deref(), or change writableStream to adopt rather than ref).

Blob.zig:2876-2887 (no-options branch): change .{} → s3.options (line 2880), null → s3.storage_class (line 2885), and pass s3.acl in the new slot.

Relationship to this PR / not a duplicate

Pre-existing — the PR diff does not touch getWriter, writableStream, or these Blob.zig lines, and .writer() is not on the call path of any PR-modified static method (presign/unlink/write/size/exists/stat — S3File.write routes through writeFileInternal → uploadStream, not writableStream). Flagged because (a) it is the third sibling of uploadStream (#3201498669) and shares the identical this.ref()+MultiPartUpload ownership contract — applying #3201498669's fix to uploadStream alone leaves writableStream with the identical leak; (b) (2) and (3) are the same defect classes as #3200790776/#3202066991/#3201670545, all already accepted on this PR; and (c) none of the existing PR comments mention writableStream, getWriter, .writer(), Blob.zig:2862-2887, or writableStream's missing acl parameter.

claude · 2026-05-07T15:44:48Z

🟣 🟣 🟣 Pre-existing companion to #3201498669 at the same fetch.zig→uploadStream boundary, different (worse) symptom: fetch.zig:1335 does _ = try bun.S3.uploadStream(...), discarding the return value, then returns its own s3_stream.promise at line 1353. uploadStream's three early returns at client.zig:468/473/485 (isDisturbed / .Invalid / pending .err) produce a rejected-promise JSValue before the MultiPartUpload task and callback are created at line 491+, so Wrapper.resolve — the only place s3_stream is freed and its promise settled (fetch.zig:1274-1319) — is never invoked. Net: the rejection is silently discarded, the heap Wrapper + JSPromise.Strong + url_proxy_buffer are leaked, and await fetch('s3://...', {method:'PUT', body:disturbedStream}) hangs forever. All other uploadStream callers (Blob.zig:1278/1353/1561/1624/2605) do return S3.uploadStream(...); only fetch.zig discards it. Fix: capture the return and, if it's already-rejected, reject s3_stream.promise and free s3_stream (or drop the wrapper entirely and return try bun.S3.uploadStream(...) with a thin Response-building callback).

Extended reasoning...

What the bug is

At fetch.zig:1324-1353, the S3 + ReadableStream-body branch of fetch() does:

const promise = jsc.JSPromise.Strong.init(globalThis); // line 1324 const s3_stream = Wrapper.new(.{ .url = url, .url_proxy_buffer = url_proxy_buffer, .promise = promise, .global = globalThis, }); // 1326-1331 const promise_value = promise.value(); _ = try bun.S3.uploadStream( // 1335 — RETURN VALUE DISCARDED credentialsWithOptions.credentials.dupe(), url.s3Path(), body.ReadableStream.get(globalThis).?, ..., @ptrCast(&Wrapper.resolve), s3_stream, ); url = .{}; url_proxy_buffer = ""; return promise_value; // 1353 — s3_stream.promise

uploadStream (client.zig:449-518) returns bun.JSError!JSValue. On the happy path it returns the multipart task's own promise and later invokes callback (Wrapper.resolve, which settles s3_stream.promise and frees the wrapper). But on its three early-return paths at client.zig:468 (readable_stream.isDisturbed(globalThis)), 473 (.Invalid), and 485 (.File|.Bytes with pending.result == .err), it returns jsc.JSPromise.rejectedPromise(...).toJS() before the MultiPartUpload task and S3UploadStreamWrapper (which holds callback/callback_context) are created at line 491+. fetch.zig:1335 discards that rejected-promise return value via _ =.

The specific code path that triggers it

fetch('s3://bucket/key', { method: 'PUT', body: <stream>, s3: {...} }) reaches fetch.zig:1263 (body == .ReadableStream) → line 1335. The early returns trigger when:

The body stream has already been read/locked (isDisturbed — e.g. the user already called reader.read() or passed the same stream twice).

The stream's .ptr tag is .Invalid.

The body is a Bun.file(...)/bytes-backed stream whose source already has a pending .err (e.g. Bun.file('/nonexistent').stream() after the open fails).

Why existing safeguards don't prevent it

Wrapper.resolve (fetch.zig:1274-1319) is the only place that does defer bun.destroy(self) (line 1276), defer bun.default_allocator.free(self.url_proxy_buffer) (line 1277), and self.promise.resolve(...)/reject(...) (lines 1293/1316). It is reached solely via the MultiPartUpload callback chain that begins at client.zig:491+ — the early returns at 468/473/485 are before that, so the callback is never registered. There is no errdefer s3_stream.deinit() or fallback rejection between fetch.zig:1326 and 1353.

The other 5 uploadStream callers (Blob.zig:1278/1353/1561/1624/2605) all do return S3.uploadStream(...), so they propagate the rejected promise to their caller. Only fetch.zig wraps its own outer promise and discards uploadStream's return.

Impact

When any early return fires:

The rejected promise is discarded (_ =) → the rejection is never observed (silent unhandled rejection inside native code).

Wrapper.resolve is never called → the heap Wrapper struct, its JSPromise.Strong (a Bun__StrongRef native allocation that permanently roots the promise in the GC), and the url_proxy_buffer allocation are leaked.

s3_stream.promise is never settled → fetch() returns promise_value which hangs forever; await never resolves or rejects, and the leaked Strong roots the entire await chain.

This is in addition to the credentials/this.ref() leak that #3201498669 already flags for these same early returns — fixing that (moving this.ref() below the checks, per #3201498669) would not fix the forever-pending fetch promise or the Wrapper/Strong/url_proxy_buffer leak, since the fix locus is fetch.zig (the discarding caller), not client.zig.

Step-by-step proof

const s = new ReadableStream({ pull(c){ c.enqueue(new Uint8Array([1])); c.close(); } }); await s.getReader().read(); // disturb the stream await fetch('s3://bucket/key', { method: 'PUT', body: s, s3: { accessKeyId: 'x', secretAccessKey: 'y' } }); // ↑ HANGS FOREVER

fetch.zig:1263: body == .ReadableStream, URL is S3 → enters the branch.

Line 1324: JSPromise.Strong.init(globalThis) allocates a Bun__StrongRef and roots a fresh JSPromise P.

Lines 1326-1331: Wrapper.new(.{ .promise = P, .url_proxy_buffer = <buf>, ... }) heap-allocates W.

Line 1335: _ = try bun.S3.uploadStream(creds.dupe(), path, s, ..., &Wrapper.resolve, W).

client.zig:465: this.ref() (the credentials leak — #3201498669). Line 467: readable_stream.isDisturbed(globalThis) → true. Line 468: return jsc.JSPromise.rejectedPromise(globalThis, ...).toJS(). The MultiPartUpload task at line 491 and S3UploadStreamWrapper at line 512 are never created, so Wrapper.resolve is never registered as a callback.

fetch.zig:1335: the rejected promise JSValue is assigned to _ — discarded.

Line 1353: return promise_value (the JSValue handle for P). P is never resolved or rejected.

The user's await fetch(...) hangs forever. W, the Strong root on P, and url_proxy_buffer are permanently leaked.

How to fix

Either (a) capture the return and bridge it on synchronous rejection:

const r = try bun.S3.uploadStream(...); if (r.asAnyPromise()) |p| if (p.status(globalThis.vm()) == .rejected) { s3_stream.promise.reject(globalThis, p.result(globalThis.vm())) catch {}; bun.default_allocator.free(s3_stream.url_proxy_buffer); s3_stream.promise.deinit(); bun.destroy(s3_stream); return r; // or return promise_value }

or (b) drop Wrapper/s3_stream entirely and return try bun.S3.uploadStream(...) directly (the pattern used at every other call site), with a thin callback that builds the Response and frees url_proxy_buffer.

Relationship to this PR / not a duplicate

Pre-existing — the PR diff does not touch fetch.zig, and this is not on the call path of any PR-modified function (S3File.write routes through Blob.writeFileInternal, whose uploadStream callers do return S3.uploadStream(...)). Flagged because it is the explicit companion to #3201498669, which is already accepted on this PR and references fetch.zig:1336 and the same client.zig:468/473/485 early returns: that comment covers the credentials this.ref() leak on those returns; this covers the discarded _ = return value, the s3_stream Wrapper/JSPromise.Strong/url_proxy_buffer leak, and the user-visible forever-pending fetch promise, none of which #3201498669 (or any other comment on this PR) mentions. Anchored at S3File.zig:156 alongside #3201498669/#3199552705 since the PR diff doesn't touch fetch.zig.

claude · 2026-05-07T20:21:54Z

🟣 🟣 Pre-existing: MultiPartUpload.deinit() (multipart.zig:267-303) frees queue/path/proxy/content_type/content_disposition/content_encoding/credentials/uploadid_buffer/multipart_etags/multipart_upload_list then bun.destroy(this), but never calls this.buffered.deinit() — buffered is a bun.io.StreamBuffer (multipart.zig:114) backed by a heap std.array_list.Managed(u8) with a real deinit() at PipeWriter.zig:1224-1229. On the single-file path (processBuffered, multipart.zig:679-695, taken when total bytes < partSize), .body = this.buffered.slice() is borrowed and never moved/reset, so the entire upload body (up to ~5 MiB default partSize) leaks per streaming upload; on the multipart path reset() (line 632) retains ~pageSize. Reachable from this PR-modified S3File.write at line 156→160 via writeFileInternal → uploadStream (client.zig:491+) and via s3blob.writer() → writableStream. Distinct from #3201498669 (credentials), #3200790769 (small-upload Wrapper — different code path via S3.upload), and #3199552705/#3201498672 (destination_blob) — none mention buffered/StreamBuffer. Fix: add this.buffered.deinit(); to MultiPartUpload.deinit() (e.g. between lines 273 and 274).

Extended reasoning...

What the bug is

MultiPartUpload.deinit() (src/runtime/webcore/s3/multipart.zig:267-303) is the destructor for the heap-allocated multipart-upload task created by both S3.uploadStream (client.zig:491+) and S3.writableStream (client.zig:310+). It frees every owned field — queue, path, proxy, content_type/content_disposition/content_encoding, derefs credentials, deinits uploadid_buffer/multipart_etags/multipart_upload_list — and then bun.destroy(this). But it never calls this.buffered.deinit(). buffered (multipart.zig:114) is a bun.io.StreamBuffer = .{}, which is backed by a heap std.array_list.Managed(u8) (PipeWriter.zig:1112) and has a real deinit() at PipeWriter.zig:1224-1229 that does list.clearAndFree(). Grep confirms zero buffered.deinit() calls in multipart.zig — only buffered.reset() (line 632) and this.buffered = .{} (line 654) are ever invoked.

The specific code path that triggers it

Single-file path (worst case — leaks the entire body): processBuffered (multipart.zig:679-695) is taken when ended && buffered.size() < partSize && state == .not_started — i.e. the total streamed body fits in one PUT (default partSize ≈ 5 MiB). It calls executeSimpleS3Request with .body = this.buffered.slice() (line 688). The slice is borrowed: executeSimpleS3Request passes it to AsyncHTTP.init (simple_request.zig) and S3HttpSimpleTask.deinit() does not free it. buffered is never moved (this.buffered = .{}) or reset on this path — state goes straight from .not_started to .singlefile_started, so processMultiPart (the only place that moves/resets buffered) is never entered. After the PUT completes, singleSendUploadResponse → done() (multipart.zig:475-480) → defer this.deref() → rc→0 → deinit() with buffered.list.capacity == <body size> still allocated. Same on the failure path via fail() (multipart.zig:425-447), which cancels parts but never touches buffered.

Multipart path (leaks ~pageSize): processMultiPart either moves the whole buffer into a part via this.buffered = .{} (line 654 — fine) or, when slicing, advances the cursor (line 667) and on drain calls reset() (line 631-632). StreamBuffer.reset() (PipeWriter.zig:1115-1119) does maybeShrink() → shrinkAndFree(pageSize()) + clearRetainingCapacity() — capacity is reduced to ~4 KiB but retained, then leaked at deinit().

Why existing code does not prevent it

The only ownership transfer of buffered is the line-654 whole-buffer move into a part, which the single-file path (state == .not_started, never enters processMultiPart) cannot reach. done() and fail() do not touch buffered. executeSimpleS3Request borrows .body (it does not adopt the allocation). And MultiPartUpload.deinit() simply omits the field — every sibling owned field is freed, but buffered is not.

Reachability from the PR-modified code

S3File.write's .path arm — the PR's tag-flip at S3File.zig:156 — calls Blob.writeFileInternal(globalThis, &blob_internal, data, .{ .extra_options = options }) four lines later at S3File.zig:160. With data a Response/Request whose body is a .Locked ReadableStream (Blob.zig:1561/1624), or a local-file/S3 source (Blob.zig:1353), or large bytes (Blob.zig:1278), this reaches S3.uploadStream (client.zig:491+), which creates the MultiPartUpload. Also reachable via s3blob.writer() → writableStream (client.zig:310-326). For e.g. Bun.write(s3file, Bun.file('/local')) where the file is < partSize, the entire file body is leaked.

Impact

Per streaming S3 upload: up to ~5 MiB (default partSize) leaked on the single-file path, ~4 KiB on the multipart path, on both success and failure. Trivially user-reachable; unbounded native-heap growth in long-running processes that loop Bun.write(s3file, stream) / s3file.writer() for sub-5-MiB payloads. By bytes-per-call, this is the second-largest leak in the subsystem after #3203432290 (the download-side body leak).

Step-by-step proof — Bun.S3Client.write('key', new Response(stream2MB), opts)

S3File.write .path arm (PR line 156): tag-flip; line 160 → writeFileInternal → .Locked + isS3() → uploadStream.

client.zig:491: bun.new(MultiPartUpload, .{...}) (rc=1), buffered = .{} (empty, capacity 0).

Stream pumps 2 MB via MultiPartUpload.write() (multipart.zig:749/759) → buffered.write(chunk) → buffered.list grows to 2 MB heap.

Stream ends → processBuffered (multipart.zig:679): ended && 2MB < 5MB && state == .not_started → state = .singlefile_started; line 684-695: executeSimpleS3Request(.{ ..., .body = this.buffered.slice() /* borrowed 2 MB into list */ }). buffered is never moved or reset.

PUT completes → singleSendUploadResponse → .success → done() → defer this.deref() → rc 1→0 → deinit().

deinit() (multipart.zig:267-303): frees queue/path/proxy/content_type/content_disposition/content_encoding, derefs credentials, deinits uploadid_buffer/multipart_etags/multipart_upload_list, never buffered.deinit(), then bun.destroy(this). 2 MB leaked.

(Failure path: same trace, but at step 5 signRequest fails or HTTP returns non-200 → singleSendUploadResponse → fail() (multipart.zig:425-447) → callback + deref() → deinit() — buffered still untouched, same leak.)

How to fix

Add this.buffered.deinit(); to MultiPartUpload.deinit() — e.g. between lines 273 (poll_ref.unref) and 274 (free(this.path)). Safe in all paths: when buffered was moved via line 654, it is .{} (capacity 0) and deinit() is a no-op; when it was reset(), it frees the retained ~pageSize; on the single-file path it frees the full body buffer (which is no longer in use — executeSimpleS3Request has already completed and its task has been deinit'd before MultiPartUpload.deinit() runs).

Relationship to this PR / not a duplicate

Pre-existing — the PR diff does not touch multipart.zig, and the PR's own test (4-byte "data" string at line 18) goes through the small-upload Wrapper (Blob.zig:1296-1342, S3.upload), not MultiPartUpload, so the test does not exercise this leak. Distinct from every existing comment on this PR: #3201498669 covers the credentials field of the same struct (over-ref via dupe()+this.ref()); #3200790769 covers the small-upload Wrapper's missing bun.destroy (different struct, different entry point — S3.upload/executeSimpleS3Request, not MultiPartUpload); #3199552705/#3201498672 cover the destination_blob Store ref in the caller; #3202406763 covers writableStream's missing acl/options. None mention buffered, StreamBuffer, processBuffered, multipart.zig:114/267-303, or PipeWriter.zig:1224. Anchored at S3File.zig:156 alongside the other uploadStream-path comments.

claude · 2026-05-07T21:42:53Z

🟣 🟣 Pre-existing companion to #3202066971 in the same multipart.zig the author is already directed to edit, ~260 lines below the <UploadId> parse: at multipart.zig:234/568/584, the server-supplied upload_id (stored unbounded at line 498 as slice[start+10..end]) is formatted into a fixed [2048]u8 via std.fmt.bufPrint(...) catch unreachable. A well-formed <UploadId> >~2000 bytes from a user-configured S3-compatible endpoint makes bufPrint return error.NoSpaceLeft → unreachable → panic (Debug/ReleaseSafe) / UB (ReleaseFast) on the very next part/commit/rollback request. Distinct from #3202066971: that needs close-tag-before-open-tag; this just needs a long well-formed UploadId — and #3202066971's recommended fix (search for closing tag after the open tag) does not bound the resulting slice length, so applying it leaves these three sites still crashable. Reachable from the PR-modified S3File.write at line 156→160 via writeFileInternal → uploadStream → MultiPartUpload. Fix: cap upload_id length when storing it at multipart.zig:498 (e.g. fail with InvalidUploadId if > 1024), or replace the three catch unreachable with a graceful this.fail(...) / this.ctx.fail(...).

Extended reasoning...

What the bug is and how it manifests

MultiPartUpload formats the server-returned upload_id into a fixed 2 KiB stack buffer with catch unreachable at three sites:

// multipart.zig:233-237 (UploadPart.perform) var params_buffer: [2048]u8 = undefined; const search_params = std.fmt.bufPrint(&params_buffer, "?partNumber={}&uploadId={s}&x-id=UploadPart", .{ this.partNumber, this.ctx.upload_id, }) catch unreachable;

// multipart.zig:567-570 (commitMultiPartRequest) var params_buffer: [2048]u8 = undefined; const searchParams = std.fmt.bufPrint(&params_buffer, "?uploadId={s}", .{ this.upload_id, }) catch unreachable;

// multipart.zig:583-586 (rollbackMultiPartRequest) var params_buffer: [2048]u8 = undefined; const search_params = std.fmt.bufPrint(&params_buffer, "?uploadId={s}", .{ this.upload_id, }) catch unreachable;

this.upload_id is set at multipart.zig:498 directly from the InitiateMultipartUpload response body — this.upload_id = slice[start + 10 .. end] — with no length cap. The only check is upload_id.len == 0 at line 501. So an S3-compatible endpoint that returns a well-formed <UploadId>...</UploadId> whose content exceeds ~2000 bytes makes std.fmt.bufPrint return error.NoSpaceLeft, which hits unreachable: in Debug/ReleaseSafe Zig panics ("reached unreachable code"), and in ReleaseFast (Bun's shipped build) it is undefined behaviour.

Why this is distinct from #3202066971

#3202066971 covers the inverted-slice at multipart.zig:496-498 (and the analogous <Code>/<Message> sites): a body like </UploadId><UploadId>X yields slice[start+10..end] with start+10 > end → panic at the slice expression itself. Its recommended fix is to search for the closing tag after the opening tag (indexOf(slice[after..], "</UploadId>")), which guarantees start+10 ≤ end but does not bound end - (start+10). So after applying #3202066971's fix, a well-formed <UploadId> with a 2 KiB+ payload still flows unbounded into this.upload_id, and the three catch unreachable sites at 234/568/584 remain crashable. The trigger is also different: #3202066971 needs malformed XML (close-before-open); this just needs a long but syntactically-valid UploadId.

Why existing safeguards do not prevent it

There is no length validation on upload_id — only the .len == 0 check at line 501. The three bufPrint calls assume the formatted string fits in 2048 bytes and convert any overflow into unreachable. Nothing between line 498 and lines 234/568/584 truncates or validates the slice.

Reachability from the PR-modified code

S3File.write's .path arm (PR's tag-flip at S3File.zig:156) calls Blob.writeFileInternal four lines later at S3File.zig:160. With a stream/file body or large bytes (≥ partSize), this reaches S3.uploadStream (client.zig:491+) → bun.new(MultiPartUpload, ...) → startMultiPartRequest issues the InitiateMultipartUpload POST → startMultiPartRequestResult (multipart.zig:496-498) parses the response and stores upload_id → drainEnqueuedParts → UploadPart.perform (line 234) on the very next part. Also reachable via s3blob.writer() → writableStream and fetch("s3://...", {method:"PUT", body:stream}). The PR's own test (4-byte "data" string) goes through the small-upload path, not MultiPartUpload, so it does not exercise this.

Impact

A malicious or buggy S3-compatible endpoint can crash any Bun process performing a multipart upload to it with a single InitiateMultipartUpload response. Same threat model as already-accepted #3202066971: real AWS UploadIds are ~80-100 bytes, so practical exposure is limited to user-configured endpoints (MinIO/R2/LocalStack/proxies/MITM on non-TLS), but endpoint is a first-class user option and a server-input-controlled process crash is the same severity class #3202066971 was accepted under.

Step-by-step proof

await Bun.S3Client.write("key", new Response(streamOf6MB), { endpoint: "http://attacker.example", bucket: "b", accessKeyId: "x", secretAccessKey: "y", });

The endpoint responds to the POST /b/key?uploads (InitiateMultipartUpload) with HTTP 200 and body <InitiateMultipartUploadResult><UploadId> + "A".repeat(2100) + </UploadId></InitiateMultipartUploadResult>:

S3File.write (S3File.zig:156 tag-flip → 160) → writeFileInternal → .Locked + isS3() → uploadStream → MultiPartUpload (rc=1).

6 MB > 5 MiB partSize → processBuffered → state = .wait_stream_check → startMultiPartRequest issues the POST.

Response arrives → startMultiPartRequestResult (multipart.zig:489+). failIfContainsError(200) → false (no <Error>). Line 496: indexOf("<UploadId>") → start. Line 497: indexOf("</UploadId>") → end. Line 498: this.upload_id = slice[start+10..end] — 2100 bytes.

Line 501: upload_id.len == 0 → false. Line 511: state = .multipart_completed. Line 513: drainEnqueuedParts(0) → enqueues part 1 → UploadPart.start → UploadPart.perform.

multipart.zig:233-237: std.fmt.bufPrint(&[2048]u8, "?partNumber=1&uploadId={s}&x-id=UploadPart", .{ /* 2100-byte upload_id */ }) — needed length ≈ 12+1+10+2100+16 = 2139 > 2048 → returns error.NoSpaceLeft → catch unreachable → Debug/ReleaseSafe: @panic("reached unreachable code"); ReleaseFast: UB.

Bun process crashes mid-upload before any part is sent.

(If the user calls writer.flush()/end() after a failure instead, commitMultiPartRequest at 568 or rollbackMultiPartRequest at 584 hit the same catch unreachable with the ?uploadId={s} format — threshold ~2038 bytes.)

How to fix

Either (a) bound the slice when storing it at multipart.zig:498-509:

this.upload_id = slice[start + 10 .. end]; if (this.upload_id.len == 0 or this.upload_id.len > 1024) { try this.fail(.{ .code = "UnknownError", .message = "Failed to initiate multipart upload (invalid UploadId)" }); return; }

or (b) replace the three catch unreachable with a graceful failure that routes through the existing fail() machinery, e.g. at line 237: }) catch return this.ctx.fail(.{ .code = "InvalidUploadId", .message = "upload id too long" }); (and this.fail(...) at 570/586). Option (a) is one edit at the source and also hardens against future consumers of upload_id.

Relationship to this PR / not a duplicate

Pre-existing — the PR diff does not touch multipart.zig, does not add new MultiPartUpload callers, and the tag-flip neither causes nor affects this. Distinct from #3202066971 (inverted-slice at multipart.zig:496-498 — different trigger, different crash site, and #3202066971's fix does not address these three catch unreachable sites) and from #3204455708 (buffered.deinit() leak in the same struct). None of the existing PR comments mention params_buffer, bufPrint ... catch unreachable, NoSpaceLeft, multipart.zig:234/568/584, or upload_id length bounding. Anchored at S3File.zig:156 alongside the other MultiPartUpload-path comments (#3201498669/#3204455708/#3202066991).

claude · 2026-05-07T14:58:36Z

🟣 Pre-existing: in this PR-modified function, the .blob arm of S3File.size() (S3File.zig:201-203, five lines below this tag-flip) calls Blob.getSize(blob, globalThis) — the synchronous .size property getter, which short-circuits to jsNumber(NaN) for S3 blobs (Blob.zig:3400-3404). So Bun.S3Client.size(s3file) returns the bare number NaN with no HEAD request, while the .path arm at line 199, the .blob arms of stat()/exists(), and S3Client#size all return Promises. The guard at line 185 admits only S3-backed blobs to the .blob arm, so it always hits the NaN short-circuit. Fix: change the .blob arm to return S3BlobStatTask.size(globalThis, blob);, matching stat()'s .blob arm at line 588.

Extended reasoning...

What the bug is and how it manifests

S3File.size()'s .blob arm (S3File.zig:201-203 — five lines below this PR's tag-flip at line 196) calls Blob.getSize(blob, globalThis), which is the synchronous .size property getter. For S3 blobs that getter short-circuits to jsc.JSValue.jsNumber(std.math.nan(f64)) (Blob.zig:3400-3404) because the size cannot be known without a network round-trip; even when size != max_size it returns jsNumber(this.size), still a synchronous number. So Bun.S3Client.size(s3file) (routed via S3Client.staticSize → S3File.size, S3Client.zig:286-288) returns the bare number NaN, while Bun.S3Client.size("path") (the .path arm, S3BlobStatTask.size at line 199) returns a Promise that issues a HEAD request and resolves to the real size.

Why this is the buggy arm, not the canonical pattern

The two structurally identical sibling functions handle the .blob arm correctly:

stat()'s .blob arm (S3File.zig:587-589) calls S3BlobStatTask.stat(globalThis, blob) — a Promise.

exists()'s .blob arm (S3File.zig:235-237) calls Blob.getExists(blob, ...), which dispatches to S3BlobStatTask.exists for S3 blobs (Blob.zig:2529-2531) — a Promise.

Only size() funnels into the synchronous property getter. The function-top guard (S3File.zig:185-187) explicitly accepts S3 blobs and rejects non-S3 ones, so the .blob arm is only reachable with an S3-backed Blob — for which Blob.getSize unconditionally returns NaN.

Step-by-step proof — Bun.S3Client.size(Bun.s3('bucket/key'))

PathOrBlob.fromJSNoCopy (types.zig:1226-1229): arg.as(Blob) matches → returns .{ .blob = blob.* } (struct copy, store borrowed).

Guard at S3File.zig:185: blob.store.?.data == .s3 → passes.

switch → .blob arm (S3File.zig:202): return Blob.getSize(blob, globalThis).

Blob.getSize (Blob.zig:3400): this.size == Blob.max_size (uninitialised) → this.isS3() == true → return jsc.JSValue.jsNumber(std.math.nan(f64)).

User receives NaN. await NaN === NaN. The HEAD request that the .path arm would issue is never made.

By contrast Bun.S3Client.size('bucket/key') → .path arm → constructS3FileInternalStore → S3BlobStatTask.size → Promise<number>.

Impact

User-visible API inconsistency: the documented contract of the static S3Client.size() method is to return a Promise that resolves to the object's size (the .path arm and the S3Client#size instance method both do). Passing an S3File/S3-backed Blob — which the guard explicitly admits — silently returns NaN with no network call, no error, and the wrong return type (number vs. Promise). await Bun.S3Client.size(s3file) yields NaN, which downstream arithmetic will propagate without throwing.

How to fix

Change the .blob arm of S3File.size to return S3BlobStatTask.size(globalThis, blob);, matching stat()'s .blob arm at line 588.

Relationship to this PR / not a duplicate

Pre-existing — the PR's tag-flip at S3File.zig:196 is in the .path arm of the same function and does not touch the .blob arm. Flagged here because the PR directly modifies size() and the .blob arm sits five lines below the new tag-flip. None of the existing PR comments mention Blob.getSize, NaN, the .blob-arm/.path-arm return-type asymmetry, or S3BlobStatTask.size vs. the property getter — they cover path/encoded_slice ownership, content_type, JSPromise.Strong, .buffer protect, destination_blob, error-set mismatch, signRequest field omissions, XML parsing, and test coverage.

claude · 2026-05-08T01:39:32Z

🟣 🟣 Pre-existing: every S3 env-proxy lookup hardcodes getHttpProxy(true, null, null) (S3File.zig:429/445/461 — called from this PR-modified exists at line 233, stat at 585, size at 199 — plus Store.zig:359/417, Blob.zig:245/1125/1267/1557/1621/2434/2436/2440/2601/2815, ReadableStream.zig:346). is_http=true selects http_proxy/HTTP_PROXY (env_loader.zig:181-190) instead of https_proxy/HTTPS_PROXY (191-200), but signRequest defaults to HTTPS (insecure_http: bool = false, credentials.zig:15/418); and hostname=null makes the NO_PROXY check at env_loader.zig:203 unreachable. Net: a user with only HTTPS_PROXY set has every Bun S3 request bypass the proxy, and NO_PROXY=localhost is ignored for MinIO/LocalStack endpoints. By contrast fetch() uses getHttpProxyFor(url) (env_loader.zig:163-165), which derives is_http from the scheme and passes the real hostname. Fix: centralize the lookup in executeSimpleS3Request (the signed URL is already parsed at simple_request.zig:421) using env.getHttpProxyFor(url), or derive is_http from credentials.insecure_http and pass the endpoint hostname at each site. Orthogonal to this PR's tag-flip — none of the 16 lookup lines are in the diff.

Extended reasoning...

What the bug is and how it manifests

Every S3 call site that derives an HTTP proxy from the environment hardcodes getHttpProxy(true, null, null). The first argument is_http=true makes getHttpProxy (env_loader.zig:181-190) read http_proxy/HTTP_PROXY; the else branch at 191-200 that reads https_proxy/HTTPS_PROXY is never reached. But signRequest builds the actual request URL with const protocol = if (this.insecure_http) "http" else "https" (credentials.zig:418), and insecure_http defaults to false (credentials.zig:15) — so unless the user explicitly opts into insecure HTTP, every S3 connection is HTTPS. The proxy env var consulted (http_proxy) therefore does not match the scheme actually used.

Separately, the third/second arguments hostname=null, host=null cause the NO_PROXY gate at env_loader.zig:203 (if (http_proxy != null and hostname != null)) to be skipped unconditionally — isNoProxy is never invoked for any S3 request.

Affected sites

All 16 sites hardcode the identical (true, null, null) arguments:

S3File.zig:429/445/461 — S3BlobStatTask.exists/stat/size, called directly from the PR-modified lines 233/585/199.

Store.zig:359 (Store.S3.unlink), Store.zig:417 (Store.S3.listObjects).

Blob.zig:245/1125/1267/1557/1621/2434/2436/2440/2601/2815.

ReadableStream.zig:346.

By contrast, fetch() for ordinary URLs uses getHttpProxyFor(url) (env_loader.zig:163-165), which does this.getHttpProxy(url.isHTTP(), url.hostname, url.host) — deriving is_http from the actual scheme and passing the real hostname so NO_PROXY is honored. That confirms the intended contract; the S3 call sites simply bypass it.

Why existing safeguards do not prevent it

There is no later re-derivation of the proxy from the actual scheme/host. The proxy_url returned by these lookups is passed straight into executeSimpleS3Request / S3.stat / S3.upload / uploadStream and ultimately into the HTTP client. Nothing between the env lookup and the socket connect re-evaluates https_proxy or NO_PROXY. The signed URL is parsed at simple_request.zig:421 after the proxy has already been chosen (or nulled) by the caller, so the correct scheme/host information exists but is not used for proxy selection.

Impact

HTTPS_PROXY is ignored. A user in a corporate/CI egress-restricted network with HTTPS_PROXY=http://corp-proxy:3128 set (the conventional env var for HTTPS traffic) but no HTTP_PROXY will have every Bun S3 request attempt a direct HTTPS connection to *.amazonaws.com — ECONNREFUSED/timeout. Conversely, a user with only HTTP_PROXY (intended for plain-HTTP traffic) will have S3's HTTPS requests routed through it, which may be unintended.

NO_PROXY is ignored. With hostname=null, the isNoProxy check is unreachable. A user with HTTP_PROXY=http://proxy:3128 set globally and NO_PROXY=localhost,127.0.0.1 (standard local-dev MinIO/LocalStack setup) will still have all S3 requests to endpoint: "http://localhost:9000" tunneled through the corporate proxy — which typically cannot reach localhost.

Step-by-step proof

export HTTPS_PROXY=http://corp-proxy:3128 # (no HTTP_PROXY)

await Bun.S3Client.exists("key", { bucket: "b", accessKeyId: "x", secretAccessKey: "y" });

S3File.exists .path arm (PR-modified S3File.zig:229-233): constructS3FileInternalStore succeeds; tag-flip; S3BlobStatTask.exists(globalThis, &blob).

S3File.zig:429: env.getHttpProxy(true, null, null).

env_loader.zig:181: is_http == true → reads http_proxy (unset) then HTTP_PROXY (unset) → http_proxy local stays null. The else branch at 191-200 (which would have read HTTPS_PROXY) is not taken.

env_loader.zig:203: http_proxy == null → skip; even if it were non-null, hostname == null → isNoProxy is never called. Returns null.

S3.stat → executeSimpleS3Request with proxy_url = null. signRequest builds https://b.s3.<region>.amazonaws.com/key (credentials.zig:418, insecure_http defaults false).

The HEAD request is issued directly to AWS over HTTPS, bypassing HTTPS_PROXY entirely. In an egress-restricted network → ECONNREFUSED / timeout.

NO_PROXY case: HTTP_PROXY=http://proxy:3128 NO_PROXY=localhost + { endpoint: "http://localhost:9000" } → step 3 returns the proxy URL (http_proxy is set); step 4: hostname == null → isNoProxy skipped → proxy URL returned. The request to localhost MinIO is incorrectly tunneled through the corporate proxy.

How to fix

Derive is_http from credentials.insecure_http (or the resolved endpoint URL's scheme) and pass the endpoint hostname so NO_PROXY is honored. The cleanest approach is to centralize the lookup inside executeSimpleS3Request — the signed URL is already known there (const url = bun.URL.parse(result.url) at simple_request.zig:421), so calling env.getHttpProxyFor(url) at that point and using it as the default when no explicit proxy was passed would fix all 16 call sites at once. Alternatively, change each call site to env.getHttpProxy(!credentials.insecure_http == false, endpoint_hostname, endpoint_host) — but that is 16 edits and still requires threading the endpoint host to each site.

Relationship to this PR / not a duplicate

Pre-existing — the PR diff (six path_or_blob = .{ .blob = blob } tag-flips + a test) does not touch any of the 16 proxy-lookup lines, does not add new callers, and does not change what data flows to getHttpProxy. The connection to the PR is purely transitive (the PR-modified exists/stat/size/unlink/write static methods eventually reach S3File.zig:429/445/461 and Store.zig:359). None of the 42 existing comments on this PR mention getHttpProxy, http_proxy/https_proxy env-var selection, the hardcoded is_http=true, or NO_PROXY — the closest (#3202768590) covers fetch.zig:1373's explicit {proxy:"…"} buffer-join overflow, which is the user-supplied-proxy path and unrelated to env-derived proxy selection. Given this PR is already heavily loaded with pre-existing S3-subsystem findings, this is best tracked as a separate issue rather than blocking the memory-safety fix.

claude · 2026-05-07T08:15:38Z

🟣 Pre-existing: onS3StatResolved (S3File.zig:399) is declared bun.JSError!void, but it is passed via @ptrCast to S3.stat whose callback type is *const fn(S3StatResult, *anyopaque) bun.JSTerminated!void (simple_request.zig:85) — its siblings onS3ExistsResolved/onS3SizeResolved correctly use bun.JSTerminated!void. If S3Stat.init (which does try date_str.parseDate(globalThis)) ever returns error.JSError/error.OutOfMemory, the out-of-set error value flows through onResponse (simple_request.zig:223, bun.JSTerminated!void) and is silently swallowed by the event-loop's catch {}, leaving the stat() promise forever pending. Fix: change the return type to bun.JSTerminated!void and locally catch the JSError from S3Stat.init to reject the promise, matching the sibling pattern.

Extended reasoning...

What the bug is

S3BlobStatTask.onS3StatResolved is declared with return type bun.JSError!void:

// S3File.zig:399 pub fn onS3StatResolved(result: S3.S3StatResult, this: *S3BlobStatTask) bun.JSError!void {

while its two structurally identical siblings use the narrower set:

pub fn onS3ExistsResolved(result: S3.S3StatResult, this: *S3BlobStatTask) bun.JSTerminated!void { ... } pub fn onS3SizeResolved (result: S3.S3StatResult, this: *S3BlobStatTask) bun.JSTerminated!void { ... }

All three are passed to S3.stat via @ptrCast(&S3BlobStatTask.on…) at S3File.zig:431/447/463. The receiving parameter type is:

// simple_request.zig:85 stat: *const fn (S3StatResult, *anyopaque) bun.JSTerminated!void,

bun.JSError = error{ JSError, OutOfMemory, JSTerminated } (bun.zig:156-164) is a strict superset of bun.JSTerminated = error{ JSTerminated } (bun.zig:166). For onS3StatResolved the @ptrCast is therefore a function-pointer cast across mismatched error sets, which Zig would normally reject — @ptrCast bypasses that check entirely.

The specific code path that triggers it

onS3StatResolved's .success arm does:

try this.promise.resolve(globalThis, (try S3Stat.init( stat_result.size, stat_result.etag, stat_result.contentType, stat_result.lastModified, globalThis, )).toJS(globalThis));

S3Stat.init (S3Stat.zig:25-28) returns bun.JSError!*@This() because it calls try date_str.parseDate(globalThis) (bun_string_jsc.zig:88-91, bun.JSError!f64, exception-checked C++ binding). If that call — or any future fallible addition to S3Stat.init — returns error.JSError or error.OutOfMemory, that error code is returned from a function pointer whose declared type only admits error.JSTerminated.

Why existing safeguards don't prevent it

The @ptrCast at S3File.zig:447 is the only thing standing between the mismatched signatures, and it explicitly bypasses Zig's error-set coercion rules. The asymmetry vs. the siblings (which correctly use bun.JSTerminated!void) confirms this is an oversight specific to the stat callback — likely because stat is the only one of the three whose .success arm does fallible JS work via S3Stat.init.

Impact

In Zig, error codes are global integers; returning error.JSError through a function pointer typed error{JSTerminated}!void produces an out-of-set error value in the caller's error union. The call site is onResponse (simple_request.zig:223, bun.JSTerminated!void) at try callback(...) on line 235, which propagates to the event-loop task dispatcher (Task.zig:225 → tickQueueWithCount → event_loop.zig:235 catch {}). Concretely:

Any downstream exhaustive switch on the 1-element error{JSTerminated} set hits unreachable — panic in Debug/ReleaseSafe, true UB in ReleaseFast.

Even with today's generic catch {}, a pending JS exception (the whole point of error.JSError) is silently treated as engine termination: the exception is left on the VM and never reported, and — because defer this.deinit() releases the JSPromise.Strong without ever calling resolve/reject — the user's await s3file.stat() promise is left forever pending.

Practical reachability today is narrow (JS Date.parse typically returns NaN rather than throwing for a malformed Last-Modified header, so error.JSError from parseDate is unlikely outside OOM/termination), but the type-safety violation is concrete and the fix is one line.

Step-by-step proof

Bun.S3Client.stat("key") (PR-modified S3File.zig:582) → line 585: S3BlobStatTask.stat(globalThis, &blob).

S3File.zig:447: try S3.stat(credentials, path, @ptrCast(&S3BlobStatTask.onS3StatResolved), this, …) — @ptrCast reinterprets a *const fn(...) error{JSError,OutOfMemory,JSTerminated}!void as *const fn(...) error{JSTerminated}!void.

HTTP HEAD returns 200 with a Last-Modified header. onResponse (simple_request.zig:223) is invoked; line 235: try callback.stat(.{ .success = … }, callback_context).

onS3StatResolved runs try S3Stat.init(…) → try date_str.parseDate(globalThis). Suppose it returns error.JSError (a JS exception is now pending on the VM).

error.JSError propagates out of onS3StatResolved. At the call site, the error union is typed error{JSTerminated}!void, but the payload integer is the global tag for JSError — out-of-set.

onResponse's try re-propagates it; the event-loop dispatcher's catch {} discards it. The pending JS exception is never surfaced; this.deinit() (deferred in step 4's scope) drops the Strong, so the promise is never resolved or rejected.

How to fix

Change onS3StatResolved's return type to bun.JSTerminated!void and handle the JSError from S3Stat.init locally — e.g.:

pub fn onS3StatResolved(result: S3.S3StatResult, this: *S3BlobStatTask) bun.JSTerminated!void { defer this.deinit(); const globalThis = this.global; switch (result) { .success => |stat_result| { const stat_js = (S3Stat.init(...) catch |e| switch (e) { error.JSTerminated => return error.JSTerminated, error.JSError, error.OutOfMemory => { try this.promise.reject(globalThis, globalThis.takeException(e)); return; }, }).toJS(globalThis); try this.promise.resolve(globalThis, stat_js); }, .not_found, .failure => |err| { ... }, } }

This matches the sibling pattern and removes the unsafe error-set widening through @ptrCast.

Relationship to this PR / not a duplicate

This is pre-existing — the PR diff does not touch onS3StatResolved, the @ptrCast at line 447, S3Stat.init, or simple_request.zig. It is flagged because the PR-modified S3File.stat at line 582 calls directly into this path at line 585 (S3BlobStatTask.stat). None of the existing PR comments mention onS3StatResolved, @ptrCast, error-set mismatches, S3Stat.init, or parseDate — they cover path/encoded_slice ownership, content_type, JSPromise.Strong leaks, the .buffer protect, destination_blob, and test coverage.

claude · 2026-03-26T19:59:46Z

🟡 The regression test uses Date() (without new) as the options argument, which returns a string — not a JS object. Because opts.isObject() returns false for a string, the getTruthyComptime("type") branch inside constructS3FileWithS3Credentials is never reached, so the test only exercises the no-credentials failure path (Path 1) and not the throwing-type-getter failure path (Path 2) described in the PR. Adding a case like () => Bun.S3Client.presign(Date(), { get type() { throw new Error("boom"); } }) would deterministically trigger the post-initS3() code path the PR claims to fix.

Extended reasoning...

What the bug is and how it manifests

In JavaScript, Date() called without new returns a plain string (e.g., "Thu Mar 26 2026 ...") rather than a Date object. The test passes this string as the options argument to every call in the calls array (e.g., Bun.S3Client.presign(Date(), Date())). Inside constructS3FileWithS3Credentials, the options object is only interrogated when opts.isObject() is true. Since a string is not an object, opts.isObject() returns false and the entire getTruthyComptime("type") block — which is the code that could exercise the post-initS3() failure path — is skipped unconditionally.

The specific code path that triggers Path 2

The PR description identifies two double-free paths. Path 2 occurs when constructS3FileWithS3Credentials itself fails after Blob.Store.initS3() has already aliased the path: (1) initS3 runs and the store holds a pointer to the path buffer; (2) errdefer store.deinit() is armed; (3) opts.getTruthyComptime(globalObject, "type") invokes a throwing getter; (4) the store errdefer fires and frees the path buffer; (5) error.JSError propagates to the caller before path_or_blob = .{ .blob = blob } is reached; (6) the outer errdefer still sees path_or_blob == .path and calls path_or_blob.path.deinit() on already-freed memory.

Why the current test does not prevent it

All entries in the calls array pass either no options or a Date() string as options. A string fails opts.isObject(), so getTruthyComptime is never invoked. The test therefore only exercises the path where the constructor succeeds but getPresignUrlFrom / the subsequent operation fails due to missing S3 credentials. This is Path 1, not Path 2.

Addressing the refutation

One verifier argued that Store.zig was not modified in commit 9538183, so Path 2 was never actually fixed — and therefore not testing it is consistent. This is a fair observation about implementation completeness. However, it cuts both ways: if Path 2 remains broken, a test that attempts to trigger it (with { get type() { throw new Error("boom"); } }) would either crash under ASAN (revealing the unfixed bug) or pass (revealing the fix was effective through some other mechanism). Either outcome is more informative than silently skipping the path. The PR description explicitly mentions Path 2 as something that "existed" and the coderabbitai reviewer correctly identified the exact missing test case.

Impact

The coverage gap means the described Path 2 scenario remains unverified by CI. Under an ASAN build the double-free would manifest as a use-after-poison crash if Path 2 is genuinely unfixed. The missing test would catch any regression reintroducing the bug in either path.

How to fix

Add a throwingOptions object to the test and include it as the options argument in the calls array:

const throwingOptions = { get type() { throw new Error("boom"); } }; // then add: () => Bun.S3Client.presign(Date(), throwingOptions), () => Bun.S3Client.unlink(Date(), throwingOptions), // etc.

This deterministically exercises the post-initS3() failure path on every run without requiring real S3 credentials or network access.

claude · 2026-05-06T13:49:07Z

🟡 nit: of these 7 entries, only the two presign calls actually reach the errdefer { if (path_or_blob == .path) ... } block this PR fixes. unlink/size/exists/stat/write route through executeSimpleS3Request (simple_request.zig:387-391), which converts signRequest failure into a rejected promise via callback.fail(...) and then returns void — so the outer S3File function gets back a JSValue with no Zig error and the errdefer never fires. The original Fuzzilli repro (presign) is covered, so this is fine to merge; just be aware that a tag-flip regression in unlink/write alone would not be caught by this test, and for size/exists/stat there is no user-reachable post-construct error.JSError at all (S3BlobStatTask.* returns bun.JSTerminated!JSValue), so those three lines are purely belt-and-suspenders.

Extended reasoning...

What this is about

The test's inline comment at line 31-32 says credentials are stripped "so presign fails synchronously and exercises the errdefer cleanup path" — which is accurate for presign, but the calls array also lists unlink/size/exists/stat/write (lines 14-18), and under the same no-credentials trigger those five do not reach the errdefer { if (path_or_blob == .path) path_or_blob.path.deinit() } block whose body the PR's tag-flip neutralises. They would not have crashed before the PR and would not catch a regression of the tag-flip in those functions.

Why only presign reaches the errdefer

getPresignUrlFrom (S3File.zig:489-499) calls signRequest directly and on failure does return S3.throwSignError(sign_err, globalThis), which throws a JS exception → error.JSError propagates up through try getPresignUrlFrom(&blob, ...) at S3File.zig:89 → the outer errdefer runs (and, thanks to the new tag-flip on line 87, sees .blob and correctly skips the second free).

By contrast, S3BlobStatTask.{exists,size,stat} and Store.S3.unlink (with options == null, so its internal getCredentialsWithOptions cannot throw) all reach executeSimpleS3Request (simple_request.zig:378-392). That function catches the sign error with:

}, false, null) catch |sign_err| { ... try callback.fail(error_code_and_message.code, error_code_and_message.message, callback_context); return; };

callback.fail synchronously rejects the task's promise (the S3BlobStatTask callbacks call defer this.deinit() and promise.reject(...)) and the function returns void. The caller therefore returns a rejected-promise JSValue with no Zig error. Blob.writeFileInternal similarly returns a promise for S3 destinations rather than raising synchronously.

Step-by-step trace for Bun.S3Client.exists(Date())

PathOrBlob.fromJSNoCopy → path_or_blob = .path with encoded_slice buffer A; outer errdefer armed.

constructS3FileInternalStore succeeds (no options → no fallible reads after initS3); store aliases A.

path_or_blob = .{ .blob = blob } (the new tag-flip).

S3BlobStatTask.exists → try S3.stat(...) → executeSimpleS3Request: signRequest fails (MissingCredentials/InvalidPath) → callback.fail → onS3ExistsResolved(.failure) rejects the promise and defer this.deinit() cleans up the task → executeSimpleS3Request returns void (no error).

S3BlobStatTask.exists returns the (already-rejected) promise → S3File.exists returns it → errdefer never fires.

Only defer blob.deinit() runs, freeing A once.

If the tag-flip on line 230 were reverted, the trace is identical — step 5 still returns success, the errdefer is still skipped — so the test still passes. The five non-presign entries are therefore not load-bearing for this PR's fix.

Reachability of the post-construct error path, per function

size/exists/stat: S3BlobStatTask.{size,exists,stat} have return type bun.JSTerminated!JSValue (S3File.zig:418/434/450) and do not call getCredentialsWithOptions — they go straight to S3.stat with the store's existing credentials. The only error they can propagate is error.JSTerminated (engine teardown). There is no user-controllable input that makes these three raise error.JSError after the constructor succeeds, so the tag-flip in those functions is effectively defensive-only and not testable via the no-credentials approach (or any other JS-driven approach). Listing them is harmless but inert.

unlink/write: these do have user-reachable post-construct throw points (Store.S3.unlink's getCredentialsWithOptions at Store.zig:361; writeFileInternal's data/options handling), but the no-credentials trigger does not reach them. To exercise the tag-flip in unlink you would need an options object whose credential getter succeeds on the first read (inside constructS3FileWithS3Credentials → getCredentialsWithOptions, which runs before initS3) and throws on the second read (inside Store.S3.unlink's own getCredentialsWithOptions) — e.g. let n=0; const opts={get accessKeyId(){if(n++)throw 0;return "x"}}. A plain throwing getter would fail during construction, before the store exists, and so would not exercise the tag-flip.

Relationship to existing comments / addressing the "4th nit" objection

This is the fourth coverage note on this file, and the actionable advice (add throwing-getter cases) partly converges with #2997368696. It is nonetheless a distinct observation: #2997368696 is about the Path-2 gap (constructor throws inside constructS3FileWithS3Credentials after initS3 via a throwing type getter — i.e. failure before the tag-flip line is reached), whereas this note is about Path-1 reachability after the tag-flip — that under the chosen trigger, five of the seven listed calls return normally and never enter the errdefer at all. #2996021203 (stderr assertion) and the now-resolved env-hermeticity comment cover unrelated aspects. None of them state that the non-presign Path-1 entries are no-ops with respect to the fix.

Given the marginal value, I'd suggest either dropping the five non-presign entries (keeping the test honest about what it covers) or, if you adopt #2997368696's throwing-type-getter cases anyway, adding a counter-based-getter unlink case alongside them so at least one non-presign function's tag-flip is actually exercised. Neither blocks the merge — the file already regression-tests the original crash.

-Original file line number
+Diff line change
@@ Expand Up @@
                 }
                 const options = args.nextEat();
                 var blob = try constructS3FileInternalStore(globalThis, path.path, options);
+                path_or_blob = .{ .blob = blob }; // path ownership transferred to store
                 defer blob.deinit();
                 return try getPresignUrlFrom(&blob, globalThis, options);
             },
@@ Expand Down Expand Up @@
                 }
                 const options = args.nextEat();
                 var blob = try constructS3FileInternalStore(globalThis, path.path, options);
+                path_or_blob = .{ .blob = blob }; // path ownership transferred to store
                 defer blob.deinit();
                 return try blob.store.?.data.s3.unlink(blob.store.?, globalThis, options);
             },
@@ Expand Down Expand Up @@
                     return globalThis.throwInvalidArguments("Expected a S3 or path to upload", .{});
                 }
                 var blob = try constructS3FileInternalStore(globalThis, path.path, options);
+                path_or_blob = .{ .blob = blob }; // path ownership transferred to store
                 defer blob.deinit();
                 var blob_internal: PathOrBlob = .{ .blob = blob };
@@ Expand Down Expand Up @@
                     return globalThis.throwInvalidArguments("Expected a S3 or path to get size", .{});
                 }
                 var blob = try constructS3FileInternalStore(globalThis, path.path, options);
+                path_or_blob = .{ .blob = blob }; // path ownership transferred to store
                 defer blob.deinit();
                 return S3BlobStatTask.size(globalThis, &blob);
@@ Expand Down Expand Up @@
                     return globalThis.throwInvalidArguments("Expected a S3 or path to check if it exists", .{});
                 }
                 var blob = try constructS3FileInternalStore(globalThis, path.path, options);
+                path_or_blob = .{ .blob = blob }; // path ownership transferred to store
                 defer blob.deinit();
                 return S3BlobStatTask.exists(globalThis, &blob);
@@ Expand Down Expand Up @@
                     return globalThis.throwInvalidArguments("Expected a S3 or path to get size", .{});
                 }
                 var blob = try constructS3FileInternalStore(globalThis, path.path, options);
+                path_or_blob = .{ .blob = blob }; // path ownership transferred to store
                 defer blob.deinit();
                 return S3BlobStatTask.stat(globalThis, &blob);
@@ Expand Down @@

-Original file line number
+Diff line change
@@ -0,0 +1,53 @@
+    import { expect, test } from "bun:test";
+    import { bunEnv, bunExe } from "harness";
+    test("S3Client static methods should not crash with string path arguments", async () => {
+      await using proc = Bun.spawn({
+        cmd: [
+          bunExe(),
+          "-e",
+          `
+          async function main() {
+            const calls = [
+              () => Bun.S3Client.presign(Date()),
+              () => Bun.S3Client.presign(Date(), Date()),
+              () => Bun.S3Client.unlink(Date()),
+              () => Bun.S3Client.size(Date()),
+              () => Bun.S3Client.exists(Date()),
+              () => Bun.S3Client.stat(Date()),
+              () => Bun.S3Client.write(Date(), "data"),
+            ];
+            for (const call of calls) {
+              try { await call(); } catch(e) {}
+            }
+            Bun.gc(true);
+            console.log("OK");
+          }
+          main();
+        `,
+        ],
+        env: {
+          ...bunEnv,
+          // Strip any ambient S3/AWS credentials so presign fails synchronously
+          // and exercises the errdefer cleanup path.
+          AWS_ACCESS_KEY_ID: undefined,
+          AWS_SECRET_ACCESS_KEY: undefined,
+          AWS_SESSION_TOKEN: undefined,
+          AWS_REGION: undefined,
+          AWS_BUCKET: undefined,
+          AWS_ENDPOINT: undefined,
+          S3_ACCESS_KEY_ID: undefined,
+          S3_SECRET_ACCESS_KEY: undefined,
+          S3_SESSION_TOKEN: undefined,
+          S3_REGION: undefined,
+          S3_BUCKET: undefined,
+          S3_ENDPOINT: undefined,
+        },
+        stderr: "pipe",
+      });
+      const [stdout, stderr, exitCode] = await Promise.all([proc.stdout.text(), proc.stderr.text(), proc.exited]);
+      expect(stdout).toBe("OK\n");
+      expect(exitCode).toBe(0);
+    });

Fix double-free in S3 static methods when path is passed as string #28592

Uh oh!

Fix double-free in S3 static methods when path is passed as string #28592

Uh oh!

Uh oh!

Diff view

Diff view

There are no files selected for viewing

claude Bot May 5, 2026

Choose a reason for hiding this comment

What the bug is

Concrete consequence: the Path-2 double-free is back

Why the existing change does not prevent it

Secondary consequence: stale review comments now give dangerous advice

Addressing the "duplicate" objection

How to fix

Uh oh!

claude Bot May 6, 2026

Choose a reason for hiding this comment

What the bug is

Reachability from the PR-modified code

Why existing safeguards do not prevent it

Step-by-step proof — Bun.S3Client.presign(Buffer.from("k"))

Impact

How to fix

Relationship to this PR / not a duplicate

Uh oh!

claude Bot May 7, 2026

Choose a reason for hiding this comment

What the bug is and how it manifests

Reachability from the PR-modified code

Why existing safeguards do not prevent it

Impact

Step-by-step proof

How to fix

Relationship to this PR / not a duplicate

Uh oh!

claude Bot May 7, 2026

Choose a reason for hiding this comment

What the bug is

How the variant is reached

Why toThreadSafe() transfers, not refs

Consequence for the v2 restoration #3189832498 describes

Step-by-step refcount proof — Bun.S3Client.presign(Date()) under restored v2

Consequence for the current diff (tag-flip only)

How to fix

Relationship to this PR / not a duplicate

Uh oh!

claude Bot May 7, 2026

Choose a reason for hiding this comment

What the bug is

Concrete consequences

Reachability

Why existing safeguards don't prevent it

Step-by-step proof (Case A, heap overflow)

How to fix

Relationship to this PR / not a duplicate

Uh oh!

claude Bot May 7, 2026

Choose a reason for hiding this comment

What the bug is

Where the bytes come from and why nothing frees them

Why .clone leaks for every consumer

Impact

Step-by-step proof — await Bun.s3('bucket/key').arrayBuffer() (1 MB object)

How to fix

Relationship to this PR / not a duplicate

Uh oh!

claude Bot May 8, 2026

Choose a reason for hiding this comment

What the bug is

The deserialize side

Why nothing prevents it

Impact

Step-by-step proof — structuredClone(Bun.s3("b/k"))

How to fix

Relationship to this PR / not a duplicate

Uh oh!

claude Bot May 6, 2026

Choose a reason for hiding this comment

Step-by-step proof — `Bun.S3Client.presign(Buffer.from("k"))`

Why `toThreadSafe()` transfers, not refs

Step-by-step refcount proof — `Bun.S3Client.presign(Date())` under restored v2

Why `.clone` leaks for every consumer

Step-by-step proof — `await Bun.s3('bucket/key').arrayBuffer()` (1 MB object)

Step-by-step proof — `structuredClone(Bun.s3("b/k"))`

Step-by-step proof — `Bun.S3Client.presign('key', { contentEncoding: 'gzip', bucket: 'b', accessKeyId: 'x', secretAccessKey: 'y' })`

(1) `tmp_buffer` is overwritten between cache `get` and `set` — credentials.zig:484-495

(2) `AWSSignatureCache.get` returns the stored key, not the value — rare_data.zig:273

(3) `set` leaks the duped key on duplicate `put` — rare_data.zig:290