Hardening: input validation and bounds tightening across 27 subsystems (round 6)

packages/bun-debug-adapter-protocol/src/debugger/signal.ts

@@ -1,3 +1,4 @@
+import { randomBytes } from "node:crypto";
 import { EventEmitter } from "node:events";
 import type { Server, Socket } from "node:net";
 import { createServer } from "node:net";
@@ -77,7 +78,7 @@ export class UnixSignal extends EventEmitter<UnixSignalEventMap> {
 }
 
 export function randomUnixPath(): string {
-  return join(tmpdir(), `${Math.random().toString(36).slice(2)}.sock`);
+  return join(tmpdir(), `${randomBytes(16).toString("hex")}.sock`);
 }
 
 function parseUnixPath(path: string | URL): string {

packages/bun-usockets/src/crypto/openssl.c

@@ -974,6 +974,7 @@ struct us_socket_t *us_internal_ssl_on_open(struct us_socket_t *s, int is_client
   struct us_socket_t *result = us_dispatch_open(s, is_client, ip, ip_length);
   if (!result || ssl_gone(result)) return result;
   /* Kick the handshake immediately — some peers stall waiting for ClientHello. */
+  ssl_set_loop_data(result);
   ssl_update_handshake(result);
   return result;
 }

packages/bun-vscode/src/features/diagnostics/diagnostics.ts

@@ -1,4 +1,3 @@
-import * as fs from "node:fs/promises";
 import { Socket } from "node:net";
 import * as os from "node:os";
 import { inspect } from "node:util";
@@ -11,7 +10,6 @@ import {
 } from "../../../../bun-debug-adapter-protocol";
 import type { JSC } from "../../../../bun-inspector-protocol";
 import { getConfig } from "../../extension";
-import { typedGlobalState } from "../../global-state";
 
 const output = vscode.window.createOutputChannel("Bun - Diagnostics");
 
@@ -76,48 +74,16 @@ class BunDiagnosticsManager {
     return this.signal.url;
   }
 
-  private static async getOrRecreateSignal(context: vscode.ExtensionContext) {
-    const globalState = typedGlobalState(context.globalState);
-    const existing = globalState.get("BUN_INSPECT_CONNECT_TO");
-
-    const isWin = os.platform() === "win32";
-
-    if (existing) {
-      if (existing.type === "unix") {
-        output.appendLine(`Reusing existing unix socket: ${existing.url}`);
-
-        if ("url" in existing) {
-          await fs.unlink(existing.url).catch(() => {
-            // ? lol
-          });
-        }
-
-        return new UnixSignal(existing.url);
-      } else {
-        output.appendLine(`Reusing existing tcp socket on: ${existing.port}`);
-        return new TCPSocketSignal(existing.port);
-      }
-    }
-
-    if (isWin) {
+  private static async createSignal(): Promise<UnixSignal | TCPSocketSignal> {
+    if (os.platform() === "win32") {
       const port = await getAvailablePort();
 
-      await globalState.update("BUN_INSPECT_CONNECT_TO", {
-        type: "tcp",
-        port,
-      });
-
       output.appendLine(`Created new tcp socket on: ${port}`);
 
       return new TCPSocketSignal(port);
     } else {
       const signal = new UnixSignal();
 
-      await globalState.update("BUN_INSPECT_CONNECT_TO", {
-        type: "unix",
-        url: signal.url,
-      });
-
       output.appendLine(`Created new unix socket: ${signal.url}`);
 
       return signal;
@@ -137,7 +103,15 @@ class BunDiagnosticsManager {
   // );
 
   public static async initialize(context: vscode.ExtensionContext) {
-    const signal = await BunDiagnosticsManager.getOrRecreateSignal(context);
+    const signal = await BunDiagnosticsManager.createSignal();
+
+    try {
+      await signal.ready;
+    } catch (error) {
+      signal.close();
+      signal.removeAllListeners();
+      throw error;
+    }
 
     return new BunDiagnosticsManager(context, signal);
   }
@@ -271,7 +245,13 @@ export async function registerDiagnosticsSocket(context: vscode.ExtensionContext
 
   if (!getConfig("diagnosticsSocket.enabled")) return;
 
-  const manager = await BunDiagnosticsManager.initialize(context);
+  let manager: BunDiagnosticsManager;
+  try {
+    manager = await BunDiagnosticsManager.initialize(context);
+  } catch (error) {
+    output.appendLine(`Failed to start diagnostics socket: ${error}`);
+    return;
+  }
 
   context.environmentVariableCollection.replace("BUN_INSPECT_CONNECT_TO", manager.signalUrl);
 

src/bun_core/string/immutable/escapeHTML.rs

@@ -1,7 +1,8 @@
 use bun_alloc::AllocError;
 
 use crate::string::strings::{
-    self, ASCII_U16_VECTOR_SIZE, ASCII_VECTOR_SIZE, AsciiU16Vector, AsciiVector, utf16_codepoint,
+    self, ASCII_U16_VECTOR_SIZE, ASCII_VECTOR_SIZE, AsciiU16Vector, AsciiVector,
+    utf16_codepoint_with_fffd,
 };
 use crate::string::w;
 
@@ -583,7 +584,8 @@ pub fn escape_html_for_utf16_input(utf16: &[u16]) -> Result<Escaped<u16>, AllocE
                                         break 'lazy;
                                     }
                                     128..=u16::MAX => {
-                                        let cp = utf16_codepoint(&remaining[i as usize..]);
+                                        let cp =
+                                            utf16_codepoint_with_fffd(&remaining[i as usize..]);
                                         i += u16::from(cp.len);
                                     }
                                     _ => {
@@ -621,7 +623,7 @@ pub fn escape_html_for_utf16_input(utf16: &[u16]) -> Result<Escaped<u16>, AllocE
                                     i += 1;
                                 }
                                 128..=u16::MAX => {
-                                    let cp = utf16_codepoint(&remaining[i as usize..]);
+                                    let cp = utf16_codepoint_with_fffd(&remaining[i as usize..]);
 
                                     buf.extend_from_slice(
                                         &remaining[i as usize..][..usize::from(cp.len)],
@@ -683,7 +685,8 @@ pub fn escape_html_for_utf16_input(utf16: &[u16]) -> Result<Escaped<u16>, AllocE
                                         i += 1;
                                     }
                                     128..=u16::MAX => {
-                                        let cp = utf16_codepoint(&remaining[i as usize..]);
+                                        let cp =
+                                            utf16_codepoint_with_fffd(&remaining[i as usize..]);
 
                                         buf.extend_from_slice(
                                             &remaining[i as usize..][..usize::from(cp.len)],
@@ -730,7 +733,7 @@ pub fn escape_html_for_utf16_input(utf16: &[u16]) -> Result<Escaped<u16>, AllocE
                         }
                         128..=u16::MAX => {
                             let avail = if idx + 1 == end { 1 } else { 2 };
-                            let cp = utf16_codepoint(&remaining[idx..idx + avail]);
+                            let cp = utf16_codepoint_with_fffd(&remaining[idx..idx + avail]);
 
                             idx += usize::from(cp.len);
                         }
@@ -766,7 +769,7 @@ pub fn escape_html_for_utf16_input(utf16: &[u16]) -> Result<Escaped<u16>, AllocE
                     }
                     128..=u16::MAX => {
                         let avail = if idx + 1 == end { 1 } else { 2 };
-                        let cp = utf16_codepoint(&remaining[idx..idx + avail]);
+                        let cp = utf16_codepoint_with_fffd(&remaining[idx..idx + avail]);
 
                         buf.extend_from_slice(&remaining[idx..idx + usize::from(cp.len)]);
                         idx += usize::from(cp.len);

src/cares_sys/c_ares.rs

@@ -883,6 +883,7 @@ impl Channel {
 
     pub fn resolve<T: ResolveHandler>(&mut self, name: &[u8], ctx: &mut T) {
         if name.len() >= 1023
+            || name.contains(&0)
             || (name.is_empty() && !(T::LOOKUP_NAME == b"ns" || T::LOOKUP_NAME == b"soa"))
         {
             // SAFETY: thunk handles ARES_EBADNAME path.

src/css/css_parser.rs

@@ -5446,7 +5446,7 @@ impl<'a> Tokenizer<'a> {
 
     pub fn consume_char(&mut self) -> u32 {
         let c = self.next_char();
-        let len_utf8 = len_utf8(c);
+        let len_utf8 = len_utf8(c).min(self.src.len() - self.position);
         self.position += len_utf8;
         // Note that due to the special case for the 4-byte sequence intro,
         // we must use wrapping add here.

src/glob/GlobWalker.rs

@@ -1083,13 +1083,11 @@ impl<'a, A: Accessor, const SENTINEL: bool> Iterator<'a, A, SENTINEL> {
                                 }
 
                                 let subdir_parts: &[&[u8]] = &[dir_dir_path, entry_name];
-                                let entry_start: u32 = u32::try_from(if dir_dir_path.is_empty() {
-                                    0
-                                } else {
-                                    dir_dir_path.len() + 1
-                                })
-                                .unwrap();
                                 let subdir_entry_name = self.walker.join(subdir_parts)?;
+                                let joined = work_item_logical_path(&subdir_entry_name);
+                                let entry_start: u32 =
+                                    u32::try_from(joined.len() - strings::basename(joined).len())
+                                        .unwrap();
 
                                 self.walker.workbuf.push(WorkItem::new_symlink(
                                     subdir_entry_name,
@@ -1170,14 +1168,12 @@ impl<'a, A: Accessor, const SENTINEL: bool> Iterator<'a, A, SENTINEL> {
                                 bun_sys::FileKind::SymLink => {
                                     if self.walker.follow_symlinks {
                                         let subdir_parts: &[&[u8]] = &[dir_dir_path, entry_name];
-                                        let entry_start: u32 =
-                                            u32::try_from(if dir_dir_path.is_empty() {
-                                                0
-                                            } else {
-                                                dir_dir_path.len() + 1
-                                            })
-                                            .unwrap();
                                         let subdir_entry_name = self.walker.join(subdir_parts)?;
+                                        let joined = work_item_logical_path(&subdir_entry_name);
+                                        let entry_start: u32 = u32::try_from(
+                                            joined.len() - strings::basename(joined).len(),
+                                        )
+                                        .unwrap();
                                         self.walker.workbuf.push(WorkItem::new_symlink(
                                             subdir_entry_name,
                                             active,

src/http/lib.rs

@@ -1717,9 +1717,20 @@ impl<'a> HTTPClient<'a> {
         ) {
             return false;
         }
+        if self.has_tls_options_unsupported_by_h3() {
+            return false;
+        }
         h3_alt_svc_enabled()
     }
 
+    fn has_tls_options_unsupported_by_h3(&self) -> bool {
+        self.signals.get(signals::Field::CertErrors)
+            || self
+                .tls_props
+                .as_ref()
+                .is_some_and(|tls| tls.get().requires_custom_request_ctx)
+    }
+
     pub fn first_call<const IS_SSL: bool>(&mut self, socket: HttpSocket<IS_SSL>) {
         if FeatureFlags::IS_FETCH_PRECONNECT_SUPPORTED {
             if self.flags.is_preconnect_only {
@@ -2165,6 +2176,9 @@ impl<'a> HTTPClient<'a> {
                     }
                 }
                 h if h == hash_header_const(CHUNKED_ENCODED_HEADER.name()) => {
+                    if !self.flags.is_streaming_request_body {
+                        continue;
+                    }
                     // We don't want to override chunked encoding header if it was set by the user
                     if will_append {
                         add_transfer_encoding = false;
@@ -2504,6 +2518,11 @@ impl<'a> HTTPClient<'a> {
                 self.complete_connecting_process();
                 return;
             }
+            if self.has_tls_options_unsupported_by_h3() {
+                self.fail(err!(HTTP3Unsupported));
+                self.complete_connecting_process();
+                return;
+            }
             // SAFETY: runs on the HTTP thread after `HTTPThread::init` set
             // `uws_loop` to its live `us_loop_t`.
             let Some(ctx) = h3::ClientContext::get_or_create(unsafe {

src/install/PackageInstaller.rs

@@ -1382,6 +1382,24 @@ impl<'a> PackageInstaller<'a> {
                     installer.cache_dir = Fd::cwd();
                 } else {
                     // transitive folder dependencies are relative to their parent. they are not hoisted
+                    if folder.len() >= self.folder_path_buf.len()
+                        || bin::bin_target_escapes_package_dir(folder)
+                    {
+                        if log_level != Options::LogLevel::Silent {
+                            Output::pretty_errorln(format_args!(
+                                "<r><red>error<r>: refusing to install dependency <b>{}<r> with unsafe folder path \"{}\"",
+                                bstr::BStr::new(pkg_name.slice(string_buf!())),
+                                bstr::BStr::new(folder),
+                            ));
+                        }
+                        self.summary.fail += 1;
+                        self.increment_tree_install_count(
+                            !IS_PENDING_PACKAGE_INSTALL,
+                            self.current_tree_id,
+                            log_level,
+                        );
+                        return;
+                    }
                     self.folder_path_buf[..folder.len()].copy_from_slice(folder);
                     self.folder_path_buf[folder.len()] = 0;
                     // SAFETY: buf[folder.len()] == 0 written above

src/install/PackageManager/PackageManagerDirectories.rs

@@ -581,10 +581,7 @@ impl<'a> ByteCursor<'a> {
     #[inline(always)]
     fn finish_z(self) -> &'a ZStr {
         let at = self.at;
-        debug_assert!(at < self.buf.len());
-        // SAFETY: see `put`; one byte of headroom for the NUL is part of the
-        // PathBuffer-size invariant.
-        unsafe { *self.buf.as_mut_ptr().add(at) = 0 };
+        self.buf[at] = 0;
         ZStr::from_buf(self.buf, at)
     }
 }

src/install/PackageManager/PackageManagerEnqueue.rs

@@ -2628,6 +2628,10 @@ fn get_or_put_resolved_package(
                 }
 
                 // transitive folder dependencies do not have their dependencies resolved
+                if crate::bin::bin_target_escapes_package_dir(this.lockfile.str(&folder)) {
+                    break 'res FolderResolutionValue::Err(bun_core::err!("MissingPackageJSON"));
+                }
+
                 let mut package = Package::default();
 
                 {

src/install/TarballStream.rs

@@ -154,6 +154,7 @@ pub struct TarballStream {
     bytes_received: usize,
     entry_count: u32,
     fail: Option<bun_core::Error>,
+    invalid_name: bool,
 
     /// Thread-pool task that runs `drain`. Re-enqueued whenever new data
     /// arrives and no drain is currently in flight.
@@ -249,6 +250,7 @@ impl TarballStream {
             bytes_received: 0,
             entry_count: 0,
             fail: None,
+            invalid_name: false,
             drain_task: thread_pool::Task {
                 node: thread_pool::Node::default(),
                 callback: drain_callback,
@@ -663,6 +665,13 @@ impl TarballStream {
         // Tag::Extract` for streaming tarballs).
         let tarball = &self.extract_task.request_extract().tarball;
         let (_, basename) = tarball.name_and_basename();
+        if !tarball.resolution.tag.is_git()
+            && tarball.resolution.tag != ResolutionTag::LocalTarball
+            && !crate::dependency::is_safe_install_folder_name(&basename[0..basename.len().min(32)])
+        {
+            self.invalid_name = true;
+            return Err(bun_core::err!("InstallFailed"));
+        }
         let mut buf = PathBuffer::uninit();
         let tmpname = FileSystem::tmpname(
             &basename[0..basename.len().min(32)],
@@ -1052,15 +1061,26 @@ impl TarballStream {
             };
 
             if let Some(err) = self.fail {
-                (*task).log.add_error_fmt(
-                    None,
-                    bun_ast::Loc::EMPTY,
-                    format_args!(
-                        "{} extracting tarball for \"{}\"",
-                        err.name(),
-                        bstr::BStr::new(tarball.name.slice()),
-                    ),
-                );
+                if self.invalid_name {
+                    (*task).log.add_error_fmt(
+                        None,
+                        bun_ast::Loc::EMPTY,
+                        format_args!(
+                            "Refusing to install package with invalid name \"{}\"",
+                            bun_fmt::s(tarball.name_and_basename().0),
+                        ),
+                    );
+                } else {
+                    (*task).log.add_error_fmt(
+                        None,
+                        bun_ast::Loc::EMPTY,
+                        format_args!(
+                            "{} extracting tarball for \"{}\"",
+                            err.name(),
+                            bstr::BStr::new(tarball.name.slice()),
+                        ),
+                    );
+                }
                 (*task).err = Some(err);
                 (*task).status = TaskStatus::Fail;
                 return;