feat(NODE-7315): Use BSON ByteUtils instead of Nodejs Buffer

.eslintrc.json

@@ -285,6 +285,13 @@
               }
             ]
           }
+        ],
+        "no-restricted-globals": [
+          "error",
+          {
+            "name": "Buffer",
+            "message": "Use Uin8Array instead"
+          }
         ]
       }
     },

src/bson.ts

@@ -8,6 +8,7 @@ export {
   BSONRegExp,
   BSONSymbol,
   BSONType,
+  ByteUtils,
   calculateObjectSize,
   Code,
   DBRef,
@@ -38,10 +39,56 @@ export function parseToElementsToArray(bytes: Uint8Array, offset?: number): BSON
   return Array.isArray(res) ? res : [...res];
 }
 
-export const getInt32LE = BSON.onDemand.NumberUtils.getInt32LE;
-export const getFloat64LE = BSON.onDemand.NumberUtils.getFloat64LE;
-export const getBigInt64LE = BSON.onDemand.NumberUtils.getBigInt64LE;
-export const toUTF8 = BSON.onDemand.ByteUtils.toUTF8;
+export const getInt32LE = BSON.NumberUtils.getInt32LE;
+export const getFloat64LE = BSON.NumberUtils.getFloat64LE;
+export const getBigInt64LE = BSON.NumberUtils.getBigInt64LE;
+export const toUTF8 = BSON.ByteUtils.toUTF8;
+export const fromUTF8 = BSON.ByteUtils.fromUTF8;
+export const fromBase64 = BSON.ByteUtils.fromBase64;
+export const fromNumberArray = BSON.ByteUtils.fromNumberArray;
+export const concatBuffers = BSON.ByteUtils.concat;
+export const allocateBuffer = BSON.ByteUtils.allocate;
+export const allocateUnsafeBuffer = BSON.ByteUtils.allocateUnsafe;
+
+// writeInt32LE, same order of arguments as Buffer.writeInt32LE
+export const writeInt32LE = (destination: Uint8Array, value: number, offset: number) =>
+  BSON.NumberUtils.setInt32LE(destination, offset, value);
+
+// copyBuffer: copies from source buffer to target buffer, returns number of bytes copied
+// inputs are explicitly named to avoid confusion
+export const copyBuffer = (input: {
+  source: Uint8Array;
+  target: Uint8Array;
+  targetStart?: number;
+  sourceStart?: number;
+  sourceEnd?: number;
+}): number => {
+  const { source, target, targetStart = 0, sourceStart = 0, sourceEnd } = input;
+  const sourceEndActual = sourceEnd ?? source.length;
+  const srcSlice = source.subarray(sourceStart, sourceEndActual);
+  const maxLen = Math.min(srcSlice.length, target.length - targetStart);
+  if (maxLen <= 0) {
+    return 0;
+  }
+  target.set(srcSlice.subarray(0, maxLen), targetStart);
+  return maxLen;
+};
+
+// validates buffer inputs, used for read operations
+const validateBufferInputs = (buffer: Uint8Array, offset: number, length: number) => {
+  if (offset < 0 || offset + length > buffer.length) {
+    throw new RangeError(
+      `Attempt to access memory outside buffer bounds: buffer length: ${buffer.length}, offset: ${offset}, length: ${length}`
+    );
+  }
+};
+
+// readInt32LE, reads a 32-bit integer from buffer at given offset
+// throws if offset is out of bounds
+export const readInt32LE = (buffer: Uint8Array, offset: number): number => {
+  validateBufferInputs(buffer, offset, 4);
+  return getInt32LE(buffer, offset);
+};
 
 /**
  * BSON Serialization options.

src/client-side-encryption/auto_encrypter.ts

@@ -1,7 +1,7 @@
 import { type MongoCrypt, type MongoCryptOptions } from 'mongodb-client-encryption';
 import * as net from 'net';
 
-import { deserialize, type Document, serialize } from '../bson';
+import { ByteUtils, deserialize, type Document, serialize } from '../bson';
 import { type CommandOptions, type ProxyOptions } from '../cmap/connection';
 import { kDecorateResult } from '../constants';
 import { getMongoDBClientEncryption } from '../deps';
@@ -256,20 +256,26 @@ export class AutoEncrypter {
       errorWrapper: defaultErrorWrapper
     };
     if (options.schemaMap) {
-      mongoCryptOptions.schemaMap = Buffer.isBuffer(options.schemaMap)
-        ? options.schemaMap
-        : (serialize(options.schemaMap) as Buffer);
+      if (ByteUtils.isUint8Array(options.schemaMap)) {
+        mongoCryptOptions.schemaMap = options.schemaMap;
+      } else {
+        mongoCryptOptions.schemaMap = serialize(options.schemaMap);
+      }
     }
 
     if (options.encryptedFieldsMap) {
-      mongoCryptOptions.encryptedFieldsMap = Buffer.isBuffer(options.encryptedFieldsMap)
-        ? options.encryptedFieldsMap
-        : (serialize(options.encryptedFieldsMap) as Buffer);
+      if (ByteUtils.isUint8Array(options.encryptedFieldsMap)) {
+        mongoCryptOptions.encryptedFieldsMap = options.encryptedFieldsMap;
+      } else {
+        mongoCryptOptions.encryptedFieldsMap = serialize(options.encryptedFieldsMap);
+      }
     }
 
-    mongoCryptOptions.kmsProviders = !Buffer.isBuffer(this._kmsProviders)
-      ? (serialize(this._kmsProviders) as Buffer)
-      : this._kmsProviders;
+    if (ByteUtils.isUint8Array(this._kmsProviders)) {
+      mongoCryptOptions.kmsProviders = this._kmsProviders;
+    } else {
+      mongoCryptOptions.kmsProviders = serialize(this._kmsProviders);
+    }
 
     if (options.options?.logger) {
       mongoCryptOptions.logger = options.options.logger;
@@ -396,7 +402,7 @@ export class AutoEncrypter {
       return cmd;
     }
 
-    const commandBuffer = Buffer.isBuffer(cmd) ? cmd : serialize(cmd, options);
+    const commandBuffer: Uint8Array = ByteUtils.isUint8Array(cmd) ? cmd : serialize(cmd, options);
     const context = this._mongocrypt.makeEncryptionContext(
       MongoDBCollectionNamespace.fromString(ns).db,
       commandBuffer

src/client-side-encryption/client_encryption.ts

@@ -6,6 +6,7 @@ import type {
 
 import {
   type Binary,
+  ByteUtils,
   deserialize,
   type Document,
   type Int32,
@@ -143,7 +144,7 @@ export class ClientEncryption {
 
     const mongoCryptOptions: MongoCryptOptions = {
       ...options,
-      kmsProviders: !Buffer.isBuffer(this._kmsProviders)
+      kmsProviders: !ByteUtils.isUint8Array(this._kmsProviders)
         ? (serialize(this._kmsProviders) as Buffer)
         : this._kmsProviders,
       errorWrapper: defaultErrorWrapper

src/cmap/auth/auth_provider.ts

@@ -21,7 +21,7 @@ export class AuthContext {
   /** A response from an initial auth attempt, only some mechanisms use this (e.g, SCRAM) */
   response?: Document;
   /** A random nonce generated for use in an authentication conversation */
-  nonce?: Buffer;
+  nonce?: Uint8Array;
 
   constructor(
     connection: Connection,

src/cmap/auth/aws4.ts

@@ -31,7 +31,7 @@ export type SignedHeaders = {
 const getHexSha256 = async (str: string): Promise<string> => {
   const data = stringToBuffer(str);
   const hashBuffer = await crypto.subtle.digest('SHA-256', data);
-  const hashHex = BSON.onDemand.ByteUtils.toHex(new Uint8Array(hashBuffer));
+  const hashHex = BSON.ByteUtils.toHex(new Uint8Array(hashBuffer));
   return hashHex;
 };
 
@@ -81,8 +81,8 @@ const convertHeaderValue = (value: string | number) => {
  * @returns Uint8Array containing the UTF-8 encoded string.
  */
 function stringToBuffer(str: string): Uint8Array {
-  const data = new Uint8Array(BSON.onDemand.ByteUtils.utf8ByteLength(str));
-  BSON.onDemand.ByteUtils.encodeUTF8Into(data, str, 0);
+  const data = new Uint8Array(BSON.ByteUtils.utf8ByteLength(str));
+  BSON.ByteUtils.encodeUTF8Into(data, str, 0);
   return data;
 }
 
@@ -189,7 +189,7 @@ export async function aws4Sign(
 
   // 5. Calculate the signature
   const signatureBuffer = await getHmacSha256(signingKey, stringToSign);
-  const signature = BSON.onDemand.ByteUtils.toHex(signatureBuffer);
+  const signature = BSON.ByteUtils.toHex(signatureBuffer);
 
   // 6. Add the signature to the request
   // Calculate the Authorization header

src/cmap/auth/mongodb_aws.ts

@@ -5,7 +5,7 @@ import {
   MongoMissingCredentialsError,
   MongoRuntimeError
 } from '../../error';
-import { ByteUtils, maxWireVersion, ns, randomBytes } from '../../utils';
+import { maxWireVersion, ns, randomBytes } from '../../utils';
 import { type AuthContext, AuthProvider } from './auth_provider';
 import {
   type AWSCredentialProvider,
@@ -92,7 +92,7 @@ export class MongoDBAWS extends AuthProvider {
       throw new MongoRuntimeError(`Invalid server nonce length ${serverNonce.length}, expected 64`);
     }
 
-    if (!ByteUtils.equals(serverNonce.subarray(0, nonce.byteLength), nonce)) {
+    if (!BSON.ByteUtils.equals(serverNonce.subarray(0, nonce.byteLength), nonce)) {
       // throw because the serverNonce's leading 32 bytes must equal the client nonce's 32 bytes
       // https://github.com/mongodb/specifications/blob/master/source/auth/auth.md#conversation-5
 
@@ -115,7 +115,7 @@ export class MongoDBAWS extends AuthProvider {
         headers: {
           'Content-Type': 'application/x-www-form-urlencoded',
           'Content-Length': body.length,
-          'X-MongoDB-Server-Nonce': ByteUtils.toBase64(serverNonce),
+          'X-MongoDB-Server-Nonce': BSON.ByteUtils.toBase64(serverNonce),
           'X-MongoDB-GS2-CB-Flag': 'n'
         },
         path: '/',

src/cmap/auth/plain.ts

@@ -1,4 +1,4 @@
-import { Binary } from '../../bson';
+import { Binary, fromUTF8 } from '../../bson';
 import { MongoMissingCredentialsError } from '../../error';
 import { ns } from '../../utils';
 import { type AuthContext, AuthProvider } from './auth_provider';
@@ -12,7 +12,7 @@ export class Plain extends AuthProvider {
 
     const { username, password } = credentials;
 
-    const payload = new Binary(Buffer.from(`\x00${username}\x00${password}`));
+    const payload = new Binary(fromUTF8(`\x00${username}\x00${password}`));
     const command = {
       saslStart: 1,
       mechanism: 'PLAIN',