Remove forge.debug API.

The API has the potential for prototype pollution. This API was only
briefly used by the maintainers for internal project debug purposes and
was never inteneded to be used with untrusted user intputs. This API was
not documented or advertised and is being removed rather than fixed.

Author: davidlehn

CHANGELOG.md

@@ -4,6 +4,11 @@ Forge ChangeLog
 ## 0.11.0 - 2021-xx-xx
 
 ### Removed
+- **SECURITY**, **BREAKING**: Remove `forge.debug` API. The API has the
+  potential for prototype pollution. This API was only briefly used by the
+  maintainers for internal project debug purposes and was never inteneded to be
+  used with untrusted user intputs. This API was not documented or advertised
+  and is being removed rather than fixed.
 - **BREAKING**: Remove `forge.task` API. This API was never used, documented,
   or advertised by the maintainers. If anyone was using this API and wishes to
   continue development it in other project, please let the maintainers know.

README.md

@@ -80,7 +80,6 @@ Documentation
 * [Tasks](#task)
 * [Utilities](#util)
 * [Logging](#log)
-* [Debugging](#debug)
 * [Flash Networking Support](#flash)
 
 ### Other
@@ -1988,19 +1987,6 @@ __Examples__
 // TODO
 ```
 
-<a name="debug" />
-
-### Debugging
-
-Provides storage of debugging information normally inaccessible in
-closures for viewing/investigation.
-
-__Examples__
-
-```js
-// TODO
-```
-
 <a name="flash" />
 
 ### Flash Networking Support

lib/debug.js

@@ -6,7 +6,6 @@
  * Copyright (c) 2010-2014 Digital Bazaar, Inc. All rights reserved.
  */
 var forge = require('./forge');
-require('./debug');
 require('./tls');
 require('./util');
 
@@ -16,11 +15,6 @@ var http = module.exports = forge.http = forge.http || {};
 // logging category
 var cat = 'forge.http';
 
-// add array of clients to debug storage
-if(forge.debug) {
-  forge.debug.set('forge.http', 'clients', []);
-}
-
 // normalizes an http header field name
 var _normalize = function(name) {
   return name.toLowerCase().replace(/(^.)|(-.)/g,
@@ -484,11 +478,6 @@ http.createClient = function(options) {
       true : options.persistCookies
   };
 
-  // add client to debug storage
-  if(forge.debug) {
-    forge.debug.get('forge.http', 'clients').push(client);
-  }
-
   // load cookies from disk
   _loadCookies(client);
 

lib/http.js

@@ -10,7 +10,6 @@ require('./aes');
 require('./aesCipherSuites');
 require('./asn1');
 require('./cipher');
-require('./debug');
 require('./des');
 require('./ed25519');
 require('./hmac');

lib/index.js

@@ -24,13 +24,9 @@ var sVL = 0;
 // track tasks for debugging
 var sTasks = {};
 var sNextTaskId = 0;
-// debug access
-forge.debug.set(cat, 'tasks', sTasks);
 
 // a map of task type to task queue
 var sTaskQueues = {};
-// debug access
-forge.debug.set(cat, 'queues', sTaskQueues);
 
 // name for unnamed tasks
 var sNoTaskName = '?';