Oh, and to be clear, our intent here is to implement the same API that
Node.js currently exposes.
```
import { serialize, deserialize } from 'node:v8';
const data = serialize({ a: 'foo' });
const value = deserialize(data);
```
```
import { Serializer, Deserializer } from 'node:v8';
const ser = new Serializer();
ser.writeHeader();
ser.writeValue({ a: 'foo' });
const des = new Deserializer(ser.releaseBuffer());
des.readHeader();
console.log(des.readValue());
```
On Thursday, June 29, 2023 at 7:28:44 AM UTC-7 Kenton Varda wrote:
> Hi v8-dev,
>
> We (Cloudflare Workers team) are wondering how V8 feels about the security
> of the ValueDeserializer API. Do you believe it's safe to parse
> possibly-malicious input with this? My understanding is that Chrome does
> not provide any way to input attacker-controlled bytes to the API today, so
> wasn't sure if it's designed for that.
>
> I ask because we'd like to expose V8 serialization in Cloudflare Workers
> for compatibility with Node.js, which already exposes this. But our threat
> model is very different from Node, such that we care a lot more about the
> security of the V8 sandbox.
>
> Relatedly, is ValueDeserializer covered by fuzzing today?
>
> Thanks,
> -Kenton
>
--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
---
You received this message because you are subscribed to the Google Groups
"v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/v8-dev/d468377d-1f45-40eb-ba75-06d519fbe609n%40googlegroups.com.
