What makes Buffer.allocUnsafe() and Buffer.allocUnsafeSlow() unsafe


When calling Buffer.allocUnsafe() and Buffer.allocUnsafeSlow(), the segment of allocated memory is uninitialized (it is not zeroed-out). While this design makes the allocation of memory quite fast, the allocated segment of memory might contain old data that is potentially sensitive. Using a Buffer created by Buffer.allocUnsafe() without completely overwriting the memory can allow this old data to be leaked when the Buffer memory is read.

While there are clear performance advantages to using Buffer.allocUnsafe(), extra care must be taken in order to avoid introducing security vulnerabilities into an application.
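
The following is an added example, not part of the original documentation. It shows a fixed-size record that is only partly overwritten, next to two ways of making sure no stale bytes leave the process. The record size, payload and function names are assumptions chosen for illustration.

```javascript
// Constructed scenario: a 64-byte record whose payload is shorter than the record.
const RECORD_SIZE = 64;

// Risky pattern: the memory is uninitialized and only the first bytes are
// overwritten, so the tail still holds whatever was in that memory before.
function buildRecordUnsafe(payload) {
  const buf = Buffer.allocUnsafe(RECORD_SIZE);
  buf.write(payload, 0, 'utf8');
  return buf; // the unwritten tail is returned to the caller as-is
}

// Fix 1: Buffer.alloc() zero-fills the allocation, so the tail is all zeros.
function buildRecordZeroed(payload) {
  const buf = Buffer.alloc(RECORD_SIZE);
  buf.write(payload, 0, 'utf8');
  return buf;
}

// Fix 2: keep allocUnsafe() for speed, but overwrite every byte that the
// payload did not cover before the Buffer is handed to anyone else.
function buildRecordFilled(payload) {
  const buf = Buffer.allocUnsafe(RECORD_SIZE);
  const written = buf.write(payload, 0, 'utf8'); // number of bytes written
  buf.fill(0, written);                          // zero the rest of the record
  return buf;
}

// Helper for checks: how many bytes from `start` onward are non-zero.
function tailNonZero(buf, start) {
  let count = 0;
  for (let i = start; i < buf.length; i++) {
    if (buf[i] !== 0) count++;
  }
  return count;
}

const payload = 'id=42'; // constructed sample input, 5 bytes in UTF-8
// The unsafe count varies from run to run, because it depends on what the
// memory held earlier; the other two are always 0.
console.log('unsafe tail non-zero bytes:', tailNonZero(buildRecordUnsafe(payload), 5));
console.log('zeroed tail non-zero bytes:', tailNonZero(buildRecordZeroed(payload), 5));
console.log('filled tail non-zero bytes:', tailNonZero(buildRecordFilled(payload), 5));
```

A zero count from the unsafe variant on one run does not show the pattern is safe; the content of uninitialized memory is simply not predictable.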