-
Notifications
You must be signed in to change notification settings - Fork 30.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
http: disallow sending obviously invalid status codes #6291
Conversation
/cc @nodejs/http |
8406b4d
to
3e01bad
Compare
This should likely also catch anything less than |
@jasnell True, but I was aiming to be as backwards compatible as possible with this. Who knows if anyone out there is using custom/unofficial status codes. |
Tagging this for possible backporting to v4.x, feel free to remove if you think it shouldn't be. I see this as a bug fix though. |
Anyone using anything less than 100 likely has other problems to deal with
|
If we're going to validate the numerical value, I would lean more towards a 3-digit check. What do other @nodejs/collaborators think? |
What's the reason for introduction of this patch at this point? Is there any open issue about it? |
Alright, thank you! |
@@ -187,6 +187,10 @@ ServerResponse.prototype.writeHead = function(statusCode, reason, obj) { | |||
headers = obj; | |||
} | |||
|
|||
const statusCode_ = +statusCode; | |||
if (statusCode_ < 0 || !isFinite(statusCode_)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why not Number.isInteger
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Number.isInteger()
would return false for strings of valid numbers.
3e01bad
to
f9063c7
Compare
Ok, I've modified it to check the number of digits now.
|
f9063c7
to
dcda312
Compare
LGTM if CI is green |
I am okay with this. LGTM. semver major? |
@thefourtheye Possibly, but it is a bug fix shrug. |
@@ -187,6 +187,10 @@ ServerResponse.prototype.writeHead = function(statusCode, reason, obj) { | |||
headers = obj; | |||
} | |||
|
|||
statusCode |= 0; | |||
if (statusCode < 100 || statusCode > 999) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nit: I am not sure if this really matters but the expected port range is just 100-599 http://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, @jasnell mentioned this already. However I think it might be better to be a bit more lenient in case of custom/unofficial/whatever status codes out in the wild.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh, sorry. I didn't read the comments completely.
I think if we keep it at any three digit code we can easily justify landing
|
LGTM |
break; | ||
case 5: | ||
assert.throws(common.mustCall(() => { | ||
res.writeHead(1000); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Perhaps also have a case for a non-numeric string?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1 ... null
, 'this is not invalid
, []
, true
, etc could all be included in the tests here, just to be overly careful ;-)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Suggested tests added.
LGTM |
LGTM, I like this change. |
@@ -187,6 +187,10 @@ ServerResponse.prototype.writeHead = function(statusCode, reason, obj) { | |||
headers = obj; | |||
} | |||
|
|||
statusCode |= 0; | |||
if (statusCode < 100 || statusCode > 999) | |||
throw new Error(`Invalid status code: ${statusCode}`); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should this be a RangeError
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Changed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should passing 'NotAStatusCode'
cause a RangeError
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@ChALkeR It's debatable, but since statusCode
is ultimately coerced to an integer value (e.g. 0 for non-numeric values) I thought maybe RangeError
would fit better since 0 < 100
. shrug
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok, that works for me =).
LGTM with a comment. |
dcda312
to
ec50170
Compare
Just one additional minor comment on the tests. Otherwise still LGTM |
ec50170
to
35b4f99
Compare
PR-URL: #6291 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Sakthipriyan Vairamani <[email protected]> Reviewed-By: Сковорода Никита Андреевич <[email protected]> Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: Benjamin Gruenbaum <[email protected]> Reviewed-By: Colin Ihrig <[email protected]>
PR-URL: #6291 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Sakthipriyan Vairamani <[email protected]> Reviewed-By: Сковорода Никита Андреевич <[email protected]> Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: Benjamin Gruenbaum <[email protected]> Reviewed-By: Colin Ihrig <[email protected]>
PR-URL: nodejs#6291 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Sakthipriyan Vairamani <[email protected]> Reviewed-By: Сковорода Никита Андреевич <[email protected]> Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: Benjamin Gruenbaum <[email protected]> Reviewed-By: Colin Ihrig <[email protected]>
PR-URL: #6291 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Sakthipriyan Vairamani <[email protected]> Reviewed-By: Сковорода Никита Андреевич <[email protected]> Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: Benjamin Gruenbaum <[email protected]> Reviewed-By: Colin Ihrig <[email protected]>
I'm adding this to v4.x-staging and to the v4.4.5 release candidate. if anyone objects or if we see any weird regressions I will back it out |
PR-URL: #6291 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Sakthipriyan Vairamani <[email protected]> Reviewed-By: Сковорода Никита Андреевич <[email protected]> Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: Benjamin Gruenbaum <[email protected]> Reviewed-By: Colin Ihrig <[email protected]>
PR-URL: #6291 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Sakthipriyan Vairamani <[email protected]> Reviewed-By: Сковорода Никита Андреевич <[email protected]> Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: Benjamin Gruenbaum <[email protected]> Reviewed-By: Colin Ihrig <[email protected]>
Notable changes: * **buffer**: * Buffer no longer errors if you call lastIndexOf with a search term longer than the buffer (Anna Henningsen) #6511 * deps: * update npm to 2.15.5 (Rebecca Turner) #6663 * http: * Invalid status codes can no longer be sent. Limited to 3 digit numbers between 100 - 999 (Brian White) #6291
Notable changes: * **buffer**: * Buffer no longer errors if you call lastIndexOf with a search term longer than the buffer (Anna Henningsen) #6511 * contextify: * Context objects are now properly garbage collected, this solves a problem some individuals were experiencing with extreme memory growth (Ali Ijaz Sheikh) #6871 * deps: * update npm to 2.15.5 (Rebecca Turner) #6663 * http: * Invalid status codes can no longer be sent. Limited to 3 digit numbers between 100 - 999 (Brian White) #6291
Notable changes: * **buffer**: * Buffer no longer errors if you call lastIndexOf with a search term longer than the buffer (Anna Henningsen) #6511 * contextify: * Context objects are now properly garbage collected, this solves a problem some individuals were experiencing with extreme memory growth (Ali Ijaz Sheikh) #6871 * deps: * update npm to 2.15.5 (Rebecca Turner) #6663 * http: * Invalid status codes can no longer be sent. Limited to 3 digit numbers between 100 - 999 (Brian White) #6291
Notable changes: * **buffer**: * Buffer no longer errors if you call lastIndexOf with a search term longer than the buffer (Anna Henningsen) #6511 * contextify: * Context objects are now properly garbage collected, this solves a problem some individuals were experiencing with extreme memory growth (Ali Ijaz Sheikh) #6871 * deps: * update npm to 2.15.5 (Rebecca Turner) #6663 * http: * Invalid status codes can no longer be sent. Limited to 3 digit numbers between 100 - 999 (Brian White) #6291
Notable changes: * **buffer**: * Buffer no longer errors if you call lastIndexOf with a search term longer than the buffer (Anna Henningsen) #6511 * contextify: * Context objects are now properly garbage collected, this solves a problem some individuals were experiencing with extreme memory growth (Ali Ijaz Sheikh) #6871 * deps: * update npm to 2.15.5 (Rebecca Turner) #6663 * http: * Invalid status codes can no longer be sent. Limited to 3 digit numbers between 100 - 999 (Brian White) #6291
Code that would previously run and happily dish out invalid status codes will now die from unhandled exceptions. Isn't that sort of the definition of a breaking change? Upgrading from v4.4.4 to v4.4.5 shouldn't require people to modify their code. |
It's too late now, and that I have the advantage of hindsight... If this PR was 2 commits, with the first one adding the (semver-patch) |
I was also quite surprised to see this backported. |
case 0: | ||
assert.throws(common.mustCall(() => { | ||
res.writeHead(-1); | ||
}, /invalid status code/i)); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The closing parenthesis for common.mustCall()
is misplaced here and on the other lines. It should read:
}), /invalid status code/i);
With the current code, the RegExp is passed to mustCall
as the expected
paramater, and then silently replaced with 1
because it's non-numeric. Then the assert.throws
call doesn't validate the error message and passes the test as long as any error is thrown.
I'll fix this along with my patch for #9027 unless you'd prefer to see it in a separate PR.
Thank you, guys, we got broken app after patch-upgrade👏 FYI, http://semver.org/
|
Checklist
Affected core subsystem(s)
Description of change
Disallows sending of invalid status codes.