Add compat flag to prevent creating Blob with resizable ArrayBuffer

jasnell · jasnell · commit 50417a4800f2 · 2026-04-01T12:12:58.000-07:00
diff --git a/src/workerd/api/blob.c++ b/src/workerd/api/blob.c++
@@ -6,6 +6,7 @@
 
 #include <workerd/api/streams/readable-source.h>
 #include <workerd/api/streams/readable.h>
+#include <workerd/io/features.h>
 #include <workerd/io/observer.h>
 #include <workerd/util/mimetype.h>
 #include <workerd/util/stream-utils.h>
@@ -20,14 +21,21 @@ kj::Maybe<jsg::JsBufferSource> concat(jsg::Lock& js, jsg::Optional<Blob::Bits> m
     return kj::none;
   }
 
+  auto rejectResizable = FeatureFlags::get(js).getNoResizableArrayBufferInBlob();
   auto maxBlobSize = Worker::Isolate::from(js).getLimitEnforcer().getBlobSizeLimit();
   static constexpr int kMaxInt KJ_UNUSED = kj::maxValue;
   KJ_DASSERT(maxBlobSize <= kMaxInt, "Blob size limit exceeds int range");
   size_t size = 0;
+  kj::SmallArray<size_t, 8> cachedPartSizes(bits.size());
+  int index = 0;
   for (auto& part: bits) {
     size_t partSize = 0;
     KJ_SWITCH_ONEOF(part) {
-      KJ_CASE_ONEOF(bytes, kj::Array<const byte>) {
+      KJ_CASE_ONEOF(bytes, jsg::JsBufferSource) {
+        if (rejectResizable) {
+          JSG_REQUIRE(
+              !bytes.isResizable(), TypeError, "Cannot create a Blob with a resizable ArrayBuffer");
+        }
         partSize = bytes.size();
       }
       KJ_CASE_ONEOF(text, kj::String) {
@@ -37,6 +45,7 @@ kj::Maybe<jsg::JsBufferSource> concat(jsg::Lock& js, jsg::Optional<Blob::Bits> m
         partSize = blob->getData().size();
       }
     }
+    cachedPartSizes[index++] = partSize;
 
     // We can skip the remaining checks if the part is empty.
     if (partSize == 0) continue;
@@ -66,25 +75,34 @@ kj::Maybe<jsg::JsBufferSource> concat(jsg::Lock& js, jsg::Optional<Blob::Bits> m
 
   auto view = u8.asArrayPtr();
 
+  index = 0;
   for (auto& part: bits) {
     KJ_SWITCH_ONEOF(part) {
-      KJ_CASE_ONEOF(bytes, kj::Array<const byte>) {
-        if (bytes.size() == 0) continue;
-        KJ_ASSERT(view.size() >= bytes.size());
-        view.first(bytes.size()).copyFrom(bytes);
-        view = view.slice(bytes.size());
+      KJ_CASE_ONEOF(bytes, jsg::JsBufferSource) {
+        size_t cachedSize = cachedPartSizes[index++];
+        // If the ArrayBuffer was resized larger, we'll ignore the additional bytes.
+        // If the ArrayBuffer was resized smaller, we'll copy up the current size
+        // and the remaining bytes for this chunk will be left as zeros.
+        size_t toCopy = kj::min(bytes.size(), cachedSize);
+        if (toCopy > 0) {
+          KJ_ASSERT(view.size() >= toCopy);
+          view.first(toCopy).copyFrom(bytes.asArrayPtr().first(toCopy));
+        }
+        view = view.slice(cachedSize);
       }
       KJ_CASE_ONEOF(text, kj::String) {
         auto byteLength = text.asBytes().size();
         if (byteLength == 0) continue;
         KJ_ASSERT(view.size() >= byteLength);
+        KJ_ASSERT(byteLength == cachedPartSizes[index++]);
         view.first(byteLength).copyFrom(text.asBytes());
         view = view.slice(byteLength);
       }
       KJ_CASE_ONEOF(blob, jsg::Ref<Blob>) {
         auto data = blob->getData();
         if (data.size() == 0) continue;
         KJ_ASSERT(view.size() >= data.size());
+        KJ_ASSERT(data.size() == cachedPartSizes[index++]);
         view.first(data.size()).copyFrom(data);
         view = view.slice(data.size());
       }
@@ -129,7 +147,12 @@ Blob::Blob(kj::Array<byte> data, kj::String type)
 Blob::Blob(jsg::Lock& js, jsg::JsBufferSource data, kj::String type)
     : ownData(data.addRef(js)),
       data(data.asArrayPtr()),
-      type(kj::mv(type)) {}
+      type(kj::mv(type)) {
+  if (FeatureFlags::get(js).getNoResizableArrayBufferInBlob()) {
+    JSG_REQUIRE(
+        !data.isResizable(), TypeError, "Cannot create a Blob with a resizable ArrayBuffer");
+  }
+}
 
 Blob::Blob(jsg::Ref<Blob> parent, kj::ArrayPtr<const byte> data, kj::String type)
     : ownData(kj::mv(parent)),
diff --git a/src/workerd/api/blob.h b/src/workerd/api/blob.h
@@ -32,7 +32,8 @@ class Blob: public jsg::Object {
     JSG_STRUCT(type, endings);
   };
 
-  using Bits = kj::Array<kj::OneOf<kj::Array<const byte>, kj::String, jsg::Ref<Blob>>>;
+  using BitsValue = kj::OneOf<jsg::JsBufferSource, kj::String, jsg::Ref<Blob>>;
+  using Bits = kj::Array<BitsValue>;
 
   static jsg::Ref<Blob> constructor(
       jsg::Lock& js, jsg::Optional<Bits> bits, jsg::Optional<Options> options);
diff --git a/src/workerd/api/tests/blob-test.wd-test b/src/workerd/api/tests/blob-test.wd-test
@@ -8,7 +8,11 @@ const unitTests :Workerd.Config = (
         modules = [
           (name = "worker", esModule = embed "blob-test.js")
         ],
-        compatibilityFlags = ["nodejs_compat", "set_tostring_tag", "workers_api_getters_setters_on_prototype"],
+        compatibilityFlags = [
+          "nodejs_compat",
+          "set_tostring_tag",
+          "workers_api_getters_setters_on_prototype",
+          "resizable_array_buffer_in_blob"],
         bindings = [
           (name = "request-blob", service = "blob-test")
         ]
diff --git a/src/workerd/api/tests/blob2-test.js b/src/workerd/api/tests/blob2-test.js
@@ -2,7 +2,7 @@
 // Licensed under the Apache 2.0 license found in the LICENSE file or at:
 //     https://opensource.org/licenses/Apache-2.0
 
-import { ok, strictEqual, deepStrictEqual } from 'node:assert';
+import { ok, strictEqual, deepStrictEqual, throws } from 'node:assert';
 
 export const test = {
   async test() {
@@ -36,3 +36,13 @@ export const bytes = {
     ok(u8_2 instanceof Uint8Array);
   },
 };
+
+export const noResizable = {
+  test() {
+    const ab = new ArrayBuffer(8, { maxByteLength: 16 });
+    throws(() => new Blob([ab]), {
+      name: 'TypeError',
+      message: 'Cannot create a Blob with a resizable ArrayBuffer',
+    });
+  },
+};
diff --git a/src/workerd/api/tests/blob2-test.wd-test b/src/workerd/api/tests/blob2-test.wd-test
@@ -7,7 +7,11 @@ const unitTests :Workerd.Config = (
         modules = [
           (name = "worker", esModule = embed "blob2-test.js")
         ],
-        compatibilityFlags = ["nodejs_compat", "blob_standard_mime_type"],
+        compatibilityFlags = [
+          "nodejs_compat",
+          "blob_standard_mime_type",
+          "no_resizable_array_buffer_in_blob",
+        ],
       )
     ),
   ],
diff --git a/src/workerd/io/compatibility-date.capnp b/src/workerd/io/compatibility-date.capnp
@@ -1502,4 +1502,10 @@ struct CompatibilityFlags @0x8f8c1b68151b6cef {
   # When paired with `enable_version_api`, also exposes `ctx.version.metadata`. This is a separate
   # flag as we haven't decided on the exact behaviour of `ctx.version.metadata`, but the rest of
   # `ctx.version` is much more well defined. The behaviour of this flag will change in the future.
+
+  noResizableArrayBufferInBlob @173 :Bool
+    $compatEnableFlag("no_resizable_array_buffer_in_blob")
+    $compatDisableFlag("resizable_array_buffer_in_blob");
+  # When enabled, creating a Blob with a resizable ArrayBuffer will throw a TypeError, matching
+  # expected spec behavior.
 }
diff --git a/src/workerd/jsg/jsvalue.c++ b/src/workerd/jsg/jsvalue.c++
@@ -818,6 +818,16 @@ kj::Array<kj::byte> JsBufferSource::copy() {
   return kj::heapArray(ptr);
 }
 
+bool JsBufferSource::isResizable() const {
+  v8::Local<v8::Value> inner = *this;
+  if (inner->IsArrayBuffer()) {
+    return inner.As<v8::ArrayBuffer>()->IsResizableByUserJavaScript();
+  } else if (inner->IsArrayBufferView()) {
+    return inner.As<v8::ArrayBufferView>()->Buffer()->IsResizableByUserJavaScript();
+  }
+  return false;
+}
+
 // ======================================================================================
 // JsUint8Array
 
diff --git a/src/workerd/jsg/jsvalue.h b/src/workerd/jsg/jsvalue.h
@@ -340,6 +340,7 @@ class JsBufferSource final: public JsBase<v8::Value, JsBufferSource> {
   bool isSharedArrayBuffer() const;
   bool isArrayBuffer() const;
   bool isArrayBufferView() const;
+  bool isResizable() const;
 
   // Return a copy of this buffer's data as a kj::Array.
   kj::Array<kj::byte> copy();
