Skip to content

Commit 7fd2181

Browse files
committed
http: validate non-link headers in writeEarlyHints
Validate header names and values for non-link hints passed to writeEarlyHints() using validateHeaderName/validateHeaderValue, consistent with all other header-writing paths in the HTTP stack. Previously, only the `link` hint was validated via validateLinkHeaderValue(), while all other hints were concatenated directly into the response without any character validation. Also add assertValidHeader() to the HTTP/2 compat layer for defense in depth.
1 parent 38a6da5 commit 7fd2181

File tree

4 files changed

+79
-0
lines changed

4 files changed

+79
-0
lines changed

lib/_http_server.js

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -55,6 +55,8 @@ const {
5555
kUniqueHeaders,
5656
parseUniqueHeadersOption,
5757
OutgoingMessage,
58+
validateHeaderName,
59+
validateHeaderValue,
5860
} = require('_http_outgoing');
5961
const {
6062
kOutHeaders,
@@ -339,6 +341,8 @@ ServerResponse.prototype.writeEarlyHints = function writeEarlyHints(hints, cb) {
339341
for (let i = 0; i < keys.length; i++) {
340342
const key = keys[i];
341343
if (key !== 'link') {
344+
validateHeaderName(key);
345+
validateHeaderValue(key, hints[key]);
342346
head += key + ': ' + hints[key] + '\r\n';
343347
}
344348
}

lib/internal/http2/compat.js

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -913,6 +913,7 @@ class Http2ServerResponse extends Stream {
913913

914914
for (const key of ObjectKeys(hints)) {
915915
if (key !== 'link') {
916+
assertValidHeader(key, hints[key]);
916917
headers[key] = hints[key];
917918
}
918919
}

test/parallel/test-http-early-hints-invalid-argument.js

Lines changed: 14 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -31,6 +31,20 @@ const testResBody = 'response content\n';
3131
});
3232
}, (err) => err.code === 'ERR_INVALID_ARG_VALUE');
3333

34+
assert.throws(() => {
35+
res.writeEarlyHints({
36+
'link': '</styles.css>; rel=preload; as=style',
37+
'x-bad\r\n': 'value',
38+
});
39+
}, (err) => err.code === 'ERR_INVALID_HTTP_TOKEN');
40+
41+
assert.throws(() => {
42+
res.writeEarlyHints({
43+
'link': '</styles.css>; rel=preload; as=style',
44+
'x-custom': 'bad\r\nvalue',
45+
});
46+
}, (err) => err.code === 'ERR_INVALID_CHAR');
47+
3448
debug('Server sending full response...');
3549
res.end(testResBody);
3650
server.close();
Lines changed: 60 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,60 @@
1+
'use strict';
2+
3+
const common = require('../common');
4+
if (!common.hasCrypto) common.skip('missing crypto');
5+
6+
const assert = require('node:assert');
7+
const http2 = require('node:http2');
8+
const debug = require('node:util').debuglog('test');
9+
10+
const testResBody = 'response content';
11+
12+
{
13+
const server = http2.createServer();
14+
15+
server.on('request', common.mustCall((req, res) => {
16+
debug('Server sending early hints...');
17+
18+
assert.throws(() => {
19+
res.writeEarlyHints({
20+
'link': '</styles.css>; rel=preload; as=style',
21+
'x-bad\r\n': 'value',
22+
});
23+
}, (err) => err.code === 'ERR_INVALID_HTTP_TOKEN');
24+
25+
assert.throws(() => {
26+
res.writeEarlyHints({
27+
'link': '</styles.css>; rel=preload; as=style',
28+
'x-custom': undefined,
29+
});
30+
}, (err) => err.code === 'ERR_HTTP2_INVALID_HEADER_VALUE');
31+
32+
debug('Server sending full response...');
33+
res.end(testResBody);
34+
}));
35+
36+
server.listen(0);
37+
38+
server.on('listening', common.mustCall(() => {
39+
const client = http2.connect(`http://localhost:${server.address().port}`);
40+
const req = client.request();
41+
42+
debug('Client sending request...');
43+
44+
req.on('headers', common.mustNotCall());
45+
46+
req.on('response', common.mustCall((headers) => {
47+
assert.strictEqual(headers[':status'], 200);
48+
}));
49+
50+
let data = '';
51+
req.on('data', common.mustCallAtLeast((d) => data += d));
52+
53+
req.on('end', common.mustCall(() => {
54+
debug('Got full response.');
55+
assert.strictEqual(data, testResBody);
56+
client.close();
57+
server.close();
58+
}));
59+
}));
60+
}

0 commit comments

Comments
 (0)