crypto: fix cross-realm ArrayBuffer validation #57828

fforbeck · 2025-04-11T00:41:04Z

Problem

The Web Crypto API in Node.js v22+ fails to properly validate ArrayBuffer instances
created in different JavaScript realms. When an ArrayBuffer from a different realm
is passed to SubtleCrypto.digest(), it fails with:

TypeError: Failed to execute 'digest' on 'SubtleCrypto': 2nd argument is not instance of ArrayBuffer, Buffer, TypedArray, or DataView.

This is a common issue when:

Using TypedArray.buffer with ArrayBuffers created in worker threads
Using TypedArray.buffer with ArrayBuffers created in VM contexts
In some cases, when libraries load in different contexts in bundled applications

The problem is in isNonSharedArrayBuffer() which checks using prototype
inheritance (ObjectPrototypeIsPrototypeOf(ArrayBufferPrototype, V)) which fails
for cross-realm objects, even though structurally they are valid ArrayBuffers.

Solution

This PR modifies isNonSharedArrayBuffer() to use isArrayBuffer from internal/util/types to properly check for cross-realm objects.

Testing

Added a new test that verifies that ArrayBuffers created in different VM contexts
are correctly recognized as valid inputs to SubtleCrypto.digest().

Workaround

Until this fix is merged, users can work around this issue by wrapping cross-realm ArrayBuffers in a TypedArray view before passing them to WebCrypto functions. Here's a simple example demonstrating the workaround:

'use strict';

// Create a cross-realm ArrayBuffer
const vm = require('vm');
const context = vm.createContext({});
const crossRealmBuffer = vm.runInContext('new ArrayBuffer(16)', context);

// Fill it with some data
const view = new Uint8Array(crossRealmBuffer);
for (let i = 0; i < view.length; i++) {
  view[i] = i % 256;
}

// This will fail without the fix:
// crypto.subtle.encrypt({ name: 'AES-GCM', iv }, key, crossRealmBuffer);

// Workaround: Use the TypedArray view instead
const ciphertext = await crypto.subtle.encrypt(
  { name: 'AES-GCM', iv },
  key,
  view  // Use the view instead of the cross-realm buffer
);

Ref: storacha/w3up#1591

nodejs-github-bot · 2025-04-11T00:41:09Z

Review requested:

@nodejs/actions
@nodejs/releasers
@nodejs/tsc

lib/internal/crypto/webidl.js

legendecas · 2025-04-11T12:38:27Z

In general, a patch should land on the main branch first. The same patch can apply to the main branch:

node/lib/internal/crypto/webidl.js

Lines 196 to 198 in 795dd8e

    
           function isNonSharedArrayBuffer(V) { 
        
             return ObjectPrototypeIsPrototypeOf(ArrayBufferPrototype, V); 
        
           }

.

Would you mind re-target the PR to the main branch? Thank you

lib/internal/crypto/webidl.js

test/parallel/test-crypto-subtle-cross-realm.js

jasnell

This PR should target the main branch not the nodejs:v22.x branch.

fforbeck · 2025-04-14T14:07:31Z

Thanks for the review @jasnell, @ljharb, and @legendecas. This is ready for another round.

nodejs-github-bot · 2025-04-14T14:19:16Z

CI: https://ci.nodejs.org/job/node-test-pull-request/66261/

jasnell · 2025-04-14T14:21:17Z

lib/internal/crypto/webidl.js

@@ -194,7 +195,7 @@ converters.object = (V, opts) => {
 };

 function isNonSharedArrayBuffer(V) {
-  return ObjectPrototypeIsPrototypeOf(ArrayBufferPrototype, V);
+  return isArrayBuffer(V);


Alternatively this could be:

const isNonSharedArrayBuffer = isArrayBuffer;

Also, should isSharedArrayBuffer(...) also be similarly updated here?

I would actually just remove the method and use isArrayBuffer() directly instead. It should be clear that it's not shared.

I'm confused - a SharedArrayBuffer is also an ArrayBuffer, in terms of internal slots - what actual check does isArrayBuffer perform?

util.types.isArrayBuffer() invokes v8::Value::isArrayBuffer, which returns false if it is a SharedArrayBuffer: https://source.chromium.org/chromium/chromium/src/+/main:v8/src/api/api.cc;l=3534-3538?q=Value::IsArrayBuffer.

ljharb

(with or without "remove isNonSharedArrayBuffer and use isArrayBuffer" directly)

codecov · 2025-04-15T17:52:43Z

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 90.27%. Comparing base (29af9ce) to head (607a044).
Report is 53 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #57828      +/-   ##
==========================================
+ Coverage   90.24%   90.27%   +0.03%     
==========================================
  Files         630      630              
  Lines      185670   186140     +470     
  Branches    36405    36481      +76     
==========================================
+ Hits       167555   168045     +490     
+ Misses      10998    10971      -27     
- Partials     7117     7124       +7

Files with missing lines	Coverage Δ
lib/internal/crypto/webidl.js	`98.48% <100.00%> (-0.01%)`	⬇️

... and 75 files with indirect coverage changes

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

aduh95 · 2025-04-15T18:13:42Z

There's a linter and a test error that would need to be adressed, let us know if you need help.

fforbeck · 2025-04-15T18:56:12Z

There's a linter and a test error that would need to be adressed, let us know if you need help.

can you point out which test it that? thank you!

aduh95 · 2025-04-15T21:11:19Z

There's a linter and a test error that would need to be adressed, let us know if you need help.

can you point out which test it that? thank you!

You can find it in the CI output, here it is:

=== release test-crypto-subtle-cross-realm ===
Path: parallel/test-crypto-subtle-cross-realm
Error: --- stderr ---
node:internal/modules/cjs/loader:1408
  throw err;
  ^

Error: Cannot find module 'internal/util/types'
Require stack:
- /home/runner/work/node/node/node/test/parallel/test-crypto-subtle-cross-realm.js
    at Function._resolveFilename (node:internal/modules/cjs/loader:1405:15)
    at defaultResolveImpl (node:internal/modules/cjs/loader:1061:19)
    at resolveForCJSWithHooks (node:internal/modules/cjs/loader:1066:22)
    at Function._load (node:internal/modules/cjs/loader:1215:37)
    at TracingChannel.traceSync (node:diagnostics_channel:322:14)
    at wrapModuleLoad (node:internal/modules/cjs/loader:235:24)
    at Module.require (node:internal/modules/cjs/loader:1491:12)
    at require (node:internal/modules/helpers:135:16)
    at Object.<anonymous> (/home/runner/work/node/node/node/test/parallel/test-crypto-subtle-cross-realm.js:10:27)
    at Module._compile (node:internal/modules/cjs/loader:1734:14) {
  code: 'MODULE_NOT_FOUND',
  requireStack: [
    '/home/runner/work/node/node/node/test/parallel/test-crypto-subtle-cross-realm.js'
  ]
}

Node.js v24.0.0-pre
Command: out/Release/node --test-reporter=./test/common/test-error-reporter.js --test-reporter-destination=stdout /home/runner/work/node/node/node/test/parallel/test-crypto-subtle-cross-realm.js

===
=== 1 tests failed
===

fforbeck · 2025-04-17T12:06:48Z

@aduh95 - I've made the change to enable the internal modules, but I can't trigger the test workflow. Can you help? Thanks

nodejs-github-bot · 2025-04-17T13:59:21Z

CI: https://ci.nodejs.org/job/node-test-pull-request/66332/

fforbeck · 2025-04-21T12:48:25Z

@aduh95 I've fixed the test and fixed the commit message. Can you approve the workflow execution again? Thank you!

This patch modifies the isNonSharedArrayBuffer function in the WebIDL implementation for the SubtleCrypto API to properly handle ArrayBuffer instances created in different JavaScript realms. Before this fix, when a TypedArray.buffer from a different realm (e.g., from a VM context or worker thread) was passed to SubtleCrypto.digest(), it would fail with: "TypeError: Failed to execute 'digest' on 'SubtleCrypto': 2nd argument is not instance of ArrayBuffer, Buffer, TypedArray, or DataView." The fix use the isArrayBuffer function from internal/util/types to detect cross-realm ArrayBuffer instances when the prototype chain check fails. This ensures compatibility with TypedArray.buffer across JavaScript realms. See storacha/w3up#1591 for more details.

nodejs-github-bot · 2025-04-22T06:42:24Z

CI: https://ci.nodejs.org/job/node-test-pull-request/66411/

aduh95 · 2025-04-22T13:01:25Z

Landed in 6bf7fd7

This patch modifies the `isNonSharedArrayBuffer` function in the WebIDL implementation for the SubtleCrypto API to properly handle `ArrayBuffer` instances created in different JavaScript realms. Before this fix, when a `TypedArray.buffer` from a different realm (e.g., from a VM context or worker thread) was passed to `SubtleCrypto.digest()`, it would fail with: > TypeError: Failed to execute 'digest' on 'SubtleCrypto': 2nd argument > is not instance of ArrayBuffer, Buffer, TypedArray, or DataView." The fix use the `isArrayBuffer` function from `internal/util/types` to detect cross-realm `ArrayBuffer` instances when the prototype chain check fails. PR-URL: #57828 Refs: storacha/w3up#1591 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Jordan Harband <[email protected]> Reviewed-By: Antoine du Hamel <[email protected]>

fforbeck requested a review from a team as a code owner April 11, 2025 00:41

nodejs-github-bot added meta Issues and PRs related to the general management of the project. tools Issues and PRs related to the tools directory. labels Apr 11, 2025

fforbeck changed the base branch from main to v22.x April 11, 2025 00:41

legendecas reviewed Apr 11, 2025

View reviewed changes

lib/internal/crypto/webidl.js Outdated Show resolved Hide resolved

ljharb reviewed Apr 11, 2025

View reviewed changes

lib/internal/crypto/webidl.js Outdated Show resolved Hide resolved

lib/internal/crypto/webidl.js Outdated Show resolved Hide resolved

jasnell reviewed Apr 12, 2025

View reviewed changes

test/parallel/test-crypto-subtle-cross-realm.js Outdated Show resolved Hide resolved

jasnell reviewed Apr 12, 2025

View reviewed changes

test/parallel/test-crypto-subtle-cross-realm.js Outdated Show resolved Hide resolved

jasnell reviewed Apr 12, 2025

View reviewed changes

test/parallel/test-crypto-subtle-cross-realm.js Outdated Show resolved Hide resolved

jasnell reviewed Apr 12, 2025

View reviewed changes

test/parallel/test-crypto-subtle-cross-realm.js Outdated Show resolved Hide resolved

jasnell requested changes Apr 12, 2025

View reviewed changes

fforbeck force-pushed the fix/webcrypto-cross-realm-arraybuffer branch from 941520a to 4a2a300 Compare April 14, 2025 14:03

fforbeck changed the base branch from v22.x to main April 14, 2025 14:03

fforbeck force-pushed the fix/webcrypto-cross-realm-arraybuffer branch from 4a2a300 to 982d482 Compare April 14, 2025 14:06

fforbeck requested review from ljharb, jasnell and legendecas April 14, 2025 14:06

jasnell reviewed Apr 14, 2025

View reviewed changes

jasnell approved these changes Apr 14, 2025

View reviewed changes

legendecas removed the request for review from a team April 15, 2025 09:30

ljharb approved these changes Apr 15, 2025

View reviewed changes

fforbeck force-pushed the fix/webcrypto-cross-realm-arraybuffer branch from 32bd471 to 3f31959 Compare April 21, 2025 12:33

fforbeck changed the title ~~crypto: fix cross-realm ArrayBuffer validation in WebCrypto~~ crypto: fix cross-realm ArrayBuffer validation Apr 21, 2025

fforbeck force-pushed the fix/webcrypto-cross-realm-arraybuffer branch from 3f31959 to 607a044 Compare April 21, 2025 12:50

aduh95 approved these changes Apr 22, 2025

View reviewed changes

aduh95 added author ready PRs that have at least one approval, no pending requests for changes, and a CI started. request-ci Add this label to start a Jenkins CI on a PR. labels Apr 22, 2025

github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Apr 22, 2025

aduh95 merged commit 6bf7fd7 into nodejs:main Apr 22, 2025
58 of 59 checks passed

aduh95 mentioned this pull request Apr 22, 2025

crypto: fix cross-realm SharedArrayBuffer validation #57974

Merged

RafaelGSS mentioned this pull request May 1, 2025

2025-05-06, Version 24.0.0 (Current) #57609

Merged

github-actions bot mentioned this pull request May 19, 2025

2025-05-21, Version 22.16.0 'Jod' (LTS) #58388

Merged

AuntyEms mentioned this pull request Jun 8, 2025

### Notable Changes autofix-ci/action#28

Closed

Uh oh!

crypto: fix cross-realm ArrayBuffer validation #57828

crypto: fix cross-realm ArrayBuffer validation #57828

Uh oh!

Conversation

fforbeck commented Apr 11, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Problem

Solution

Testing

Workaround

Uh oh!

nodejs-github-bot commented Apr 11, 2025

Uh oh!

Uh oh!

legendecas commented Apr 11, 2025

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

jasnell left a comment

Choose a reason for hiding this comment

Uh oh!

fforbeck commented Apr 14, 2025

Uh oh!

nodejs-github-bot commented Apr 14, 2025

Uh oh!

jasnell Apr 14, 2025

Choose a reason for hiding this comment

Uh oh!

BridgeAR Apr 15, 2025

Choose a reason for hiding this comment

Uh oh!

ljharb Apr 15, 2025

Choose a reason for hiding this comment

Uh oh!

legendecas Apr 15, 2025

Choose a reason for hiding this comment

Uh oh!

ljharb left a comment

Choose a reason for hiding this comment

Uh oh!

codecov bot commented Apr 15, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

aduh95 commented Apr 15, 2025

Uh oh!

fforbeck commented Apr 15, 2025

Uh oh!

aduh95 commented Apr 15, 2025

Uh oh!

fforbeck commented Apr 17, 2025

Uh oh!

nodejs-github-bot commented Apr 17, 2025

Uh oh!

fforbeck commented Apr 21, 2025

Uh oh!

nodejs-github-bot commented Apr 22, 2025

Uh oh!

Uh oh!

aduh95 commented Apr 22, 2025

Uh oh!

Uh oh!

fforbeck commented Apr 11, 2025 •

edited

Loading

codecov bot commented Apr 15, 2025 •

edited

Loading