Uninitialized Memory Exposure vulnerability found in utile.base64 encode and decode methods. #28

@ronperris

Vulnerability Description

From: https://hackerone.com/reports/321701

See https://github.com/flatiron/utile/blob/master/lib/base64.js#L19 in utile.base64.encode (and similar in utile.base64.decode below that).

The problem arises when a number is passed in, e.g. from user-submitted JSON-encoded data.
The API should not propagate the already-bad Buffer issue further.

On Node.js 6.x and below, this exposes uninitialized memory, which could contain sensitive data.

This can also be used to cause a DoS on any Node.js version by consuming memory when large numbers are passed as input.

Steps To Reproduce:
console.log(require('utile').base64.encode(200)) (Node.js 6.x and lower — note uninitialized memory in output)

require('utile').base64.encode(1e8) (any Node.js version — note memory usage and time)

Thoughts on Remediation

The source code in base64.js says that both encode¹ and decode² expect a string parameter. I see two obvious solutions.

  1. Return null when base64.encode or base64.decode are given something other than a string.
  2. Convert the parameter passed into base64.encode and base64.decode into a string before encoding or decoding.

To preserve backward compatibility with existing usage that might not be expecting null as a return value from encoding or decoding values that are not strings, I think we should convert the parameter to a string and then perform the encode or decode operation.

¹ https://github.com/flatiron/utile/blob/master/lib/base64.js#L12
² https://github.com/flatiron/utile/blob/master/lib/base64.js#L30
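Both remediation options from the report, sketched as an added example (not utile's code and not the reporter's patch). All function names are hypothetical, and `legacyAllocationSize` only models the byte count that the number case described above would allocate.

```javascript
'use strict';
// Added example: hypothetical wrappers, not utile's code.

// Models the legacy behaviour in the report: a number handed to the old
// Buffer constructor is taken as a byte count, not as data to encode.
function legacyAllocationSize(input) {
  return typeof input === 'number'
    ? input
    : Buffer.byteLength(String(input || ''), 'utf8');
}

// Assumption: null/undefined map to '' (mirrors a `value || ''` fallback).
function toText(value) {
  return value === undefined || value === null ? '' : String(value);
}

// Remediation 2: coerce to a string first. Buffer.from(string, encoding)
// never treats its argument as a length, so 1e8 becomes the 9-byte
// text "100000000" instead of a 100 MB allocation.
function encodeCoerce(unencoded) {
  return Buffer.from(toText(unencoded), 'utf8').toString('base64');
}

function decodeCoerce(encoded) {
  return Buffer.from(toText(encoded), 'base64').toString('utf8');
}

// Remediation 1: return null for anything that is not a string.
function encodeStrict(unencoded) {
  return typeof unencoded === 'string'
    ? Buffer.from(unencoded, 'utf8').toString('base64')
    : null;
}

function decodeStrict(encoded) {
  return typeof encoded === 'string'
    ? Buffer.from(encoded, 'base64').toString('utf8')
    : null;
}

// Constructed inputs: the two numbers from the reproduction steps.
for (const input of [200, 1e8]) {
  console.log(input, legacyAllocationSize(input),
    encodeCoerce(input), encodeStrict(input));
}
```

The coercing variant keeps returning a string for callers that pass numbers, while the strict variant surfaces the type error to the caller as `null`.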