From c05b8f8d00e8577d9a5537b5e446a10f75457604 Mon Sep 17 00:00:00 2001
From: Dorian Niemiec
Date: Thu, 13 Jun 2024 15:21:02 +0200
Subject: [PATCH] Lifted PBKDF2 restrictions on Bun 1.1.13 and later.
---
 svr.js | 4 ++--
 svrpasswd.js | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/svr.js b/svr.js
index bb849f5..be8681d 100644
--- a/svr.js
+++ b/svr.js
@@ -5079,9 +5079,9 @@ function start(init) {
 if (configJSON.enableHTTP2 && !secure) serverconsole.locwarnmessage("HTTP/2 without HTTPS may not work in web browsers. Web browsers only support HTTP/2 with HTTPS!");
 if (process.isBun) {
 serverconsole.locwarnmessage("Bun support is experimental. Some features of SVR.JS, SVR.JS mods and SVR.JS server-side JavaScript may not work as expected.");
- if (users.some(function (entry) {
+ if (process.isBun && !(process.versions.bun && !process.versions.bun.match(/^(?:0\.|1\.0\.|1\.1\.[0-9](?![0-9])|1\.1\.1[0-2](?![0-9]))/)) && users.some(function (entry) {
 return entry.pbkdf2;
- })) serverconsole.locwarnmessage("PBKDF2 password hashing function in Bun blocks the event loop, which may result in denial of service.");
+ })) serverconsole.locwarnmessage("PBKDF2 password hashing function in Bun versions older than v1.1.13 blocks the event loop, which may result in denial of service.");
 }
 if (cluster.isPrimary === undefined) serverconsole.locwarnmessage("You're running SVR.JS on single thread. Reliability may suffer, as the server is stopped after crash.");
 if (crypto.__disabled__ !== undefined) serverconsole.locwarnmessage("Your Node.JS version doesn't have crypto support! The 'crypto' module is essential for providing cryptographic functionality in Node.JS. Without crypto support, certain security features may be unavailable, and some functionality may not work as expected. It's recommended to use a Node.JS version that includes crypto support to ensure the security and proper functioning of your server.");
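Review bot: The added condition on the `users.some(...)` line re-tests `process.isBun`, which the enclosing `if (process.isBun) {` two lines above already guarantees, and it wraps the version test in a double negation that is hard to audit for a check guarding a denial-of-service warning. By De Morgan it reduces to `!process.versions.bun || /^(?:0\.|1\.0\.|1\.1\.[0-9](?![0-9])|1\.1\.1[0-2](?![0-9]))/.test(process.versions.bun)`, ideally held in a named variable with the comment `// Bun 0.x, 1.0.x and 1.1.0-1.1.12: PBKDF2 blocks the event loop`. The same expression is pasted into `promptAlgorithms` in svrpasswd.js, so the two copies can drift when the version boundary is next touched; the same rewrite applies there. `start()` begins and ends outside this hunk.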
diff --git a/svrpasswd.js b/svrpasswd.js
index ef4d241..5a0079c 100644
--- a/svrpasswd.js
+++ b/svrpasswd.js
@@ -338,7 +338,7 @@ function promptAlgorithms(callback, bypass, pbkdf2, scrypt) {
 pbkdf2: "PBKDF2 (PBKDF2-HMAC-SHA512, 36250 iterations) - more secure and uses less memory, but slower",
 scrypt: "scrypt (N=2^14, r=8, p=1) - faster and more secure, but uses more memory"
 }
- if (!crypto.pbkdf2 || process.isBun) delete algorithms.pbkdf2;
+ if (!crypto.pbkdf2 || (process.isBun && !(process.versions.bun && !process.versions.bun.match(/^(?:0\.|1\.0\.|1\.1\.[0-9](?![0-9])|1\.1\.1[0-2](?![0-9]))/)))) delete algorithms.pbkdf2;
 var algorithmNames = Object.keys(algorithms);
 if (algorithmNames.length < 2) callback(algorithmNames[0]);
 console.log("Select password hashing algorithm. Available algorithms:");
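Review bot: The PBKDF2 entry that this condition makes selectable again on Bun 1.1.13 and later is labelled, on the context line above, as 36250 iterations of PBKDF2-HMAC-SHA512 and "more secure", while current OWASP password-storage guidance for that construction is 210,000 iterations. If the hashing code really uses the count the label states, newly created users who pick this option get a comparatively cheap-to-crack hash, so consider raising the count for new entries or at least neutralising the label, e.g. `pbkdf2: "PBKDF2 (PBKDF2-HMAC-SHA512, 36250 iterations) - uses less memory, but slower",`. The iteration count itself is set outside this hunk, and the body of `promptAlgorithms` continues past it.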