node_api: add napi_fatal_exception#19337
Conversation
nodejs-github-bot
added
c++
mafintosh
force-pushed
the
napi_fatal_exception
branch
from
a5ede72 to
7829f9c
Compare
mafintosh
changed the title
|
@cjihrig ya builds on that one |
addaleax
left a comment
addaleax
left a comment
There was a problem hiding this comment.
I’m not sure – the “tests and/or benchmarks are included” checkbox shouldn’t be checked, should it?
doc/api/n-api.md
Outdated
There was a problem hiding this comment.
REPLACEME is the magic word that gets picked up by the release tooling, please change to that :)
There was a problem hiding this comment.
nice! i was offline and trying hard to remember what it was
src/node_api.h
Outdated
There was a problem hiding this comment.
I think I would prefer it if you could pass in the exception here, like the existing Node APIs do – you should be able to get a currently pending exception with napi_get_and_clear_last_exception.
Actually passing the exception along to Node’s fatal exception handling seems orthogonal to that?
There was a problem hiding this comment.
orthogonal? i'm ok with added a napi_value that is used as the exception yes
There was a problem hiding this comment.
Mh, sorry – orthogonal ~= independent … basically, I’d suggest that we provide users with the smallest pieces that make sense to be exposed in the API, rather than exposing a function that actually does two operations masquerading as one (getting the last exception + passing it to the fatal exception handler)
richardlau
left a comment
richardlau
left a comment
There was a problem hiding this comment.
For consistency, the subsystem should be n-api.
mafintosh
force-pushed
the
napi_fatal_exception
branch
from
7829f9c to
a575495
Compare
|
@richardlau fixed |
|
@addaleax fixed all your comments! :D |
src/node_api.cc
Outdated
| v8::Local<v8::Message> local_msg = v8::Exception::CreateMessage( \ | ||
| env->isolate, (local_err)); \ | ||
| node::FatalException((env)->isolate, (local_err), local_msg); \ | ||
| } while (0) |
There was a problem hiding this comment.
One final nit: We generally prefer inline functions to preprocessor macros :)
|
@addaleax using an inline fn instead of macro now |
|
This will partially help with this one as well nodejs/node-addon-api#233 |
|
There were failures in CI, I think they were unrelated so new CI here: https://ci.nodejs.org/job/node-test-pull-request/13736/ |
|
CI was good, this is ready to land. One thing I've realized is that we need to update the N-API version number, but should likely be a separate PR as it will need to be backported if any of the PRs (not that this will happen, but for example another PR with a new API could be backported and this one not be backported and the N-API version would still need to be updated) that N-API are backported to a particular version. Will update the NAPI version as a follow up PR. At a conference so can't land right now but will try to do it later unless somebody beats me to it. |
Add function to trigger and uncaught exception. Useful if an async callback throws an exception with no way to recover. PR-URL: #19337 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
tniessen
removed
the
author ready
Notable changes:
* cluster:
- Add support for `NODE_OPTIONS="--inspect"` (Sameer Srivastava)
#19165
* crypto:
- Expose the public key of a certificate (Hannes Magnusson)
#17690
* n-api:
- Add `napi_fatal_exception` to trigger an `uncaughtException` in
JavaScript (Mathias Buus)
#19337
* path:
- Fix regression in `posix.normalize` (Michaël Zasso)
#19520
* stream:
- Improve stream creation performance (Brian White)
#19401
* Added new collaborators
- [BethGriggs](https://github.com/BethGriggs) Beth Griggs
This is a security release. All Node.js users should consult the security release summary at: https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/ for details on patched vulnerabilities. Fixes for the following CVEs are included in this release: * CVE-2018-7158 * CVE-2018-7159 * CVE-2018-7160 Notable changes: * Upgrade to OpenSSL 1.0.2o: Does not contain any security fixes that are known to impact Node.js. * **Fix for inspector DNS rebinding vulnerability (CVE-2018-7160)**: A malicious website could use a DNS rebinding attack to trick a web browser to bypass same-origin-policy checks and allow HTTP connections to localhost or to hosts on the local network, potentially to an open inspector port as a debugger, therefore gaining full code execution access. The inspector now only allows connections that have a browser `Host` value of `localhost` or `localhost6`. * **Fix for `'path'` module regular expression denial of service (CVE-2018-7158)**: A regular expression used for parsing POSIX an Windows paths could be used to cause a denial of service if an attacker were able to have a specially crafted path string passed through one of the impacted `'path'` module functions. * **Reject spaces in HTTP `Content-Length` header values (CVE-2018-7159)**: The Node.js HTTP parser allowed for spaces inside `Content-Length` header values. Such values now lead to rejected connections in the same way as non-numeric values. * **Update root certificates**: 5 additional root certificates have been added to the Node.js binary and 30 have been removed. * cluster: - Add support for `NODE_OPTIONS="--inspect"` (Sameer Srivastava) #19165 * crypto: - Expose the public key of a certificate (Hannes Magnusson) #17690 * n-api: - Add `napi_fatal_exception` to trigger an `uncaughtException` in JavaScript (Mathias Buus) #19337 * path: - Fix regression in `posix.normalize` (Michaël Zasso) #19520 * stream: - Improve stream creation performance (Brian White) #19401 * Added new collaborators - [BethGriggs](https://github.com/BethGriggs) Beth Griggs PR-URL: https://github.com/nodejs-private/node-private/pull/111
Add function to trigger and uncaught exception. Useful if an async callback throws an exception with no way to recover. PR-URL: nodejs#19337 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Add function to trigger and uncaught exception. Useful if an async callback throws an exception with no way to recover. PR-URL: nodejs#19337 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Add function to trigger and uncaught exception. Useful if an async callback throws an exception with no way to recover. Backport-PR-URL: #19447 PR-URL: #19337 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Add function to trigger and uncaught exception. Useful if an async callback throws an exception with no way to recover. Backport-PR-URL: #19265 PR-URL: #19337 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Any news on the backporting? We were using |
|
Which version are you looking for a backport? I believe it should be there for latest version of current LTS versions except for 8.x which is waiting on the next 8.x release. |
It's missing in 8.11.1: https://travis-ci.org/parro-it/libui-napi/jobs/376848346
Thank you, great news! |
This is a security release. All Node.js users should consult the security release summary at: https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/ for details on patched vulnerabilities. Fixes for the following CVEs are included in this release: * CVE-2018-7158 * CVE-2018-7159 * CVE-2018-7160 Notable changes: * Upgrade to OpenSSL 1.0.2o: Does not contain any security fixes that are known to impact Node.js. * **Fix for inspector DNS rebinding vulnerability (CVE-2018-7160)**: A malicious website could use a DNS rebinding attack to trick a web browser to bypass same-origin-policy checks and allow HTTP connections to localhost or to hosts on the local network, potentially to an open inspector port as a debugger, therefore gaining full code execution access. The inspector now only allows connections that have a browser `Host` value of `localhost` or `localhost6`. * **Fix for `'path'` module regular expression denial of service (CVE-2018-7158)**: A regular expression used for parsing POSIX an Windows paths could be used to cause a denial of service if an attacker were able to have a specially crafted path string passed through one of the impacted `'path'` module functions. * **Reject spaces in HTTP `Content-Length` header values (CVE-2018-7159)**: The Node.js HTTP parser allowed for spaces inside `Content-Length` header values. Such values now lead to rejected connections in the same way as non-numeric values. * **Update root certificates**: 5 additional root certificates have been added to the Node.js binary and 30 have been removed. * cluster: - Add support for `NODE_OPTIONS="--inspect"` (Sameer Srivastava) nodejs/node#19165 * crypto: - Expose the public key of a certificate (Hannes Magnusson) nodejs/node#17690 * n-api: - Add `napi_fatal_exception` to trigger an `uncaughtException` in JavaScript (Mathias Buus) nodejs/node#19337 * path: - Fix regression in `posix.normalize` (Michaël Zasso) nodejs/node#19520 * stream: - Improve stream creation performance (Brian White) nodejs/node#19401 * Added new collaborators - [BethGriggs](https://github.com/BethGriggs) Beth Griggs PR-URL: https://github.com/nodejs-private/node-private/pull/111
9 participants
Checklist
make -j4 test(UNIX), orvcbuild test(Windows) passesAdds
void napi_fatal_exception(napi_env env)which triggers annode::FatalException.Currently there is no way of doing this when using async callbacks, which makes error handling quite tricky