Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

test: check that --insecure-http-parser works #31253

Closed

Conversation

sam-github
Copy link
Contributor

@sam-github sam-github commented Jan 7, 2020

Test that using --insecure-http-parser will disable validation of
invalid characters in HTTP headers.

See:

Checklist
  • make -j4 test (UNIX), or vcbuild test (Windows) passes
  • tests and/or benchmarks are included
  • commit message follows commit guidelines

@nodejs-github-bot
Copy link
Collaborator

@sam-github sam-github force-pushed the test-insecure-http-parser branch from 3207505 to ecb644d Compare January 7, 2020 23:05
@nodejs-github-bot
Copy link
Collaborator

@nodejs-github-bot
Copy link
Collaborator

@sam-github sam-github force-pushed the test-insecure-http-parser branch from 38aaeb5 to 6514a0b Compare January 8, 2020 18:18
@sam-github
Copy link
Contributor Author

Note that the test fails when the required CLI param is not present:

% NODE_SKIP_FLAG_CHECK=y ~/.nvm/versions/node/v12.14.0/bin/node test/parallel/test-http-insecure-parser.js          
assert.js:92
  throw new AssertionError(obj);
  ^

AssertionError [ERR_ASSERTION]: Expected values to be strictly equal:
+ actual - expected

+ 'HTTP/1.1 400 Bad Request'
- 'HTTP/1.1 200 OK'
            ^
    at Socket.<anonymous> (/home/sam/w/core/node/test/parallel/test-http-insecure-parser.js:32:12)
    at Socket.<anonymous> (/home/sam/w/core/node/test/common/index.js:358:15)
    at Socket.emit (events.js:215:7)
    at endReadableNT (_stream_readable.js:1184:12)
    at processTicksAndRejections (internal/process/task_queues.js:80:21) {
  generatedMessage: true,
  code: 'ERR_ASSERTION',
  actual: 'HTTP/1.1 400 Bad Request',
  expected: 'HTTP/1.1 200 OK',
  operator: 'strictEqual'
}

@nodejs-github-bot
Copy link
Collaborator

Test that using --insecure-http-parser will disable validation of
invalid characters in HTTP headers.

See:
- nodejs#30567
@sam-github sam-github force-pushed the test-insecure-http-parser branch from 6514a0b to 57ef733 Compare January 9, 2020 16:16
@nodejs-github-bot
Copy link
Collaborator

@sam-github
Copy link
Contributor Author

@addaleax @nodejs/http

@nodejs-github-bot
Copy link
Collaborator

@BridgeAR BridgeAR added the author ready PRs that have at least one approval, no pending requests for changes, and a CI started. label Jan 9, 2020
sam-github added a commit that referenced this pull request Jan 9, 2020
Test that using --insecure-http-parser will disable validation of
invalid characters in HTTP headers.

See:
- #30567

PR-URL: #31253
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: Ruben Bridgewater <[email protected]>
@sam-github
Copy link
Contributor Author

Landed in e4bff13

@sam-github sam-github closed this Jan 9, 2020
@sam-github sam-github deleted the test-insecure-http-parser branch January 9, 2020 23:33
sam-github added a commit to sam-github/node that referenced this pull request Jan 10, 2020
Test that using --insecure-http-parser will disable validation of
invalid characters in HTTP headers.

See:
- nodejs#30567

PR-URL: nodejs#31253
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: Ruben Bridgewater <[email protected]>
sam-github added a commit to sam-github/node that referenced this pull request Jan 10, 2020
Test that using --insecure-http-parser will disable validation of
invalid characters in HTTP headers.

See:
- nodejs#30567

PR-URL: nodejs#31253
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: Ruben Bridgewater <[email protected]>
targos pushed a commit that referenced this pull request Jan 14, 2020
Test that using --insecure-http-parser will disable validation of
invalid characters in HTTP headers.

See:
- #30567

PR-URL: #31253
Backport-PR-URL: #30473
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: Ruben Bridgewater <[email protected]>
MylesBorins pushed a commit that referenced this pull request Jan 16, 2020
Test that using --insecure-http-parser will disable validation of
invalid characters in HTTP headers.

See:
- #30567

PR-URL: #31253
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: Ruben Bridgewater <[email protected]>
@codebytere codebytere mentioned this pull request Jan 16, 2020
zsw007 added a commit to ibmruntimes/node that referenced this pull request Feb 11, 2020
Backport ab1fcb8

Original commit message:

    Test that using --insecure-http-parser will disable validation of
    invalid characters in HTTP headers.

    See:
    - nodejs/node#30567

    PR-URL: nodejs/node#31253
    Backport-PR-URL: nodejs/node#30473
    Reviewed-By: Richard Lau <[email protected]>
    Reviewed-By: Ruben Bridgewater <[email protected]>
zsw007 added a commit to ibmruntimes/node that referenced this pull request Feb 12, 2020
Backport ab1fcb8

Original commit message:

    Test that using --insecure-http-parser will disable validation of
    invalid characters in HTTP headers.

    See:
    - nodejs/node#30567

    PR-URL: nodejs/node#31253
    Backport-PR-URL: nodejs/node#30473
    Reviewed-By: Richard Lau <[email protected]>
    Reviewed-By: Ruben Bridgewater <[email protected]>
zsw007 added a commit to ibmruntimes/node that referenced this pull request Feb 12, 2020
Backport ab1fcb8

Original commit message:

    Test that using --insecure-http-parser will disable validation of
    invalid characters in HTTP headers.

    See:
    - nodejs/node#30567

    PR-URL: nodejs/node#31253
    Backport-PR-URL: nodejs/node#30473
    Reviewed-By: Richard Lau <[email protected]>
    Reviewed-By: Ruben Bridgewater <[email protected]>
BaochengSu added a commit to BaochengSu/node that referenced this pull request Oct 21, 2020
Ported from
OpenSUSE:nodejs8-8.17.0-lp152.147.1:CVE-2019-15605.patch

Original commit message:

commit e2c8f89
Author: Sam Roberts <[email protected]>
Date:   Thu Jan 16 11:55:52 2020 -0800

    test: using TE to smuggle reqs is not possible

    See: https://hackerone.com/reports/735748

    PR-URL: https://github.com/nodejs-private/node-private/pull/192
    Reviewed-By: Beth Griggs <[email protected]>

commit 49f4220
Author: Sam Roberts <[email protected]>
Date:   Tue Feb 4 10:36:57 2020 -0800

    deps: upgrade http-parser to v2.9.3

    PR-URL: https://github.com/nodejs-private/http-parser-private/pull/4
    Reviewed-By: Matteo Collina <[email protected]>
    Reviewed-By: James M Snell <[email protected]>
    Reviewed-By: Sam Roberts <[email protected]>

commit d616722
Author: Sam Roberts <[email protected]>
Date:   Tue Jan 7 14:24:54 2020 -0800

    test: check that --insecure-http-parser works

    Test that using --insecure-http-parser will disable validation of
    invalid characters in HTTP headers.

    See:
    - nodejs#30567

    Backport-PR-URL: nodejs#30471
    PR-URL: nodejs#31253
    Reviewed-By: Richard Lau <[email protected]>
    Reviewed-By: Ruben Bridgewater <[email protected]>

commit a9849c0
Author: Sam Roberts <[email protected]>
Date:   Wed Nov 20 11:48:58 2019 -0800

    http: opt-in insecure HTTP header parsing

    Allow insecure HTTP header parsing. Make clear it is insecure.

    See:
    - nodejs#30553
    - nodejs#27711 (comment)
    - nodejs#30515

    Backport-PR-URL: nodejs#30471
    PR-URL: nodejs#30567
    Reviewed-By: Fedor Indutny <[email protected]>
    Reviewed-By: Anna Henningsen <[email protected]>
    Reviewed-By: Denys Otrishko <[email protected]>
    Reviewed-By: James M Snell <[email protected]>

commit a28e5cc
Author: Sam Roberts <[email protected]>
Date:   Wed Nov 13 10:05:38 2019 -0800

    deps: upgrade http-parser to v2.9.1

    PR-URL: nodejs#30471
    Reviewed-By: James M Snell <[email protected]>
    Reviewed-By: Jiawen Geng <[email protected]>
    Reviewed-By: Richard Lau <[email protected]>
    Reviewed-By: Beth Griggs <[email protected]>

Signed-off-by: Su Baocheng <[email protected]>
BaochengSu added a commit to BaochengSu/node that referenced this pull request Jul 14, 2022
Ported from
OpenSUSE:nodejs8-8.17.0-lp152.147.1:CVE-2019-15605.patch

Original commit message:

commit e2c8f89
Author: Sam Roberts <[email protected]>
Date:   Thu Jan 16 11:55:52 2020 -0800

    test: using TE to smuggle reqs is not possible

    See: https://hackerone.com/reports/735748

    PR-URL: https://github.com/nodejs-private/node-private/pull/192
    Reviewed-By: Beth Griggs <[email protected]>

commit 49f4220
Author: Sam Roberts <[email protected]>
Date:   Tue Feb 4 10:36:57 2020 -0800

    deps: upgrade http-parser to v2.9.3

    PR-URL: https://github.com/nodejs-private/http-parser-private/pull/4
    Reviewed-By: Matteo Collina <[email protected]>
    Reviewed-By: James M Snell <[email protected]>
    Reviewed-By: Sam Roberts <[email protected]>

commit d616722
Author: Sam Roberts <[email protected]>
Date:   Tue Jan 7 14:24:54 2020 -0800

    test: check that --insecure-http-parser works

    Test that using --insecure-http-parser will disable validation of
    invalid characters in HTTP headers.

    See:
    - nodejs#30567

    Backport-PR-URL: nodejs#30471
    PR-URL: nodejs#31253
    Reviewed-By: Richard Lau <[email protected]>
    Reviewed-By: Ruben Bridgewater <[email protected]>

commit a9849c0
Author: Sam Roberts <[email protected]>
Date:   Wed Nov 20 11:48:58 2019 -0800

    http: opt-in insecure HTTP header parsing

    Allow insecure HTTP header parsing. Make clear it is insecure.

    See:
    - nodejs#30553
    - nodejs#27711 (comment)
    - nodejs#30515

    Backport-PR-URL: nodejs#30471
    PR-URL: nodejs#30567
    Reviewed-By: Fedor Indutny <[email protected]>
    Reviewed-By: Anna Henningsen <[email protected]>
    Reviewed-By: Denys Otrishko <[email protected]>
    Reviewed-By: James M Snell <[email protected]>

commit a28e5cc
Author: Sam Roberts <[email protected]>
Date:   Wed Nov 13 10:05:38 2019 -0800

    deps: upgrade http-parser to v2.9.1

    PR-URL: nodejs#30471
    Reviewed-By: James M Snell <[email protected]>
    Reviewed-By: Jiawen Geng <[email protected]>
    Reviewed-By: Richard Lau <[email protected]>
    Reviewed-By: Beth Griggs <[email protected]>

Signed-off-by: Su Baocheng <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
author ready PRs that have at least one approval, no pending requests for changes, and a CI started. test Issues and PRs related to the tests.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants