规则名 | 规则类型 | 深入了解 |
---|---|---|
no-buffer-constructor |
problem |
This rule was deprecated in ESLint v7.0.0. Please use the corresponding rule in eslint-plugin-node
.
In Node.js, the behavior of the Buffer
constructor is different depending on the type of its argument. Passing an argument from user input to Buffer()
without validating its type can lead to security vulnerabilities such as remote memory disclosure and denial of service. As a result, the Buffer
constructor has been deprecated and should not be used. Use the producer methods Buffer.from
, Buffer.alloc
, and Buffer.allocUnsafe
instead.
This rule disallows calling and constructing the Buffer()
constructor.
此规则的 错误 代码实例:
new Buffer(5);
new Buffer([1, 2, 3]);
Buffer(5);
Buffer([1, 2, 3]);
new Buffer(res.body.amount);
new Buffer(res.body.values);
此规则的 正确 代码实例:
::: correct
Buffer.alloc(5);
Buffer.allocUnsafe(5);
Buffer.from([1, 2, 3]);
Buffer.alloc(res.body.amount);
Buffer.from(res.body.values);
If you don't use Node.js, or you still need to support versions of Node.js that lack methods like Buffer.from
, then you should not enable this rule.