-
Notifications
You must be signed in to change notification settings - Fork 30.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Increase HTTP_MAX_HEADER_SIZE to 16kb #27645
Comments
@nodejs/http @nodejs/security @nodejs/security-wg |
I fixed a typo in the CLI flag name in the description. Wrt.
It is hard to find a reasonable default, some kind of argument best on common secure practice would be convincing for me. I notice NGINX isn't in the list you linked to, would be interesting to know what its limit is. Also, its conclusion was:
Of course, that's the send limit, it doesn't mean that should be the receive limit. |
nginx: 8K -- http://nginx.org/en/docs/http/ngx_http_core_module.html#large_client_header_buffers anyone have the energy to look up the PAAS provider's defaults? :-) |
The argument is convincing for me, and we picked NGINX default. I'll test a value of 16KB with the actual exploit for this DoS attack. Based on my previous analysis, I think it's not going to be problematic, but it's better to check. |
According to this, IIS only occupies 8.5% of the market. |
I'm sorry it took a long time for doing the due diligence on my side. 8 KB -> peak RSS is 400MB The server does not crash for any of those values. Keeping 8 KB is safer, however 16KB might provide a good default as well. cc @nodejs/tsc. |
I would be OK with moving to 16K as the default. Safest is to explicitly set the limit to your application's needs, which we support. For default, don't we need safest, just reasonable. There is a wide range of reasonable, 8K is reasonable, but bumping up to IIS's default seems like it will reduce pain, with not so much extra exposure to DoS. |
And Apache and Nginx both have the default maximum at 8k, and they occupy 85% of the market, according to the link above. I don't think that we should increase the default over 8k, though I am not going to block it. @southpolesteve Am I correct that the problem is caused by inability to configure the default parameter? Do those systems allow passing in |
The 8.5% number linked applies only to websites. I don't think it should have much weight here. This issue is more likely to be encountered accessing an API that passes lots of data via headers. IIS fronts a significant portion of Microsoft and Azure APIs, those of our customers, and transitively our customer's customers.
Inability, yes. In Functions-as-a-service environments, this is sometimes not possible. Our customers have figured out some workarounds for Azure App Service (linked in the issue body above), but I am unsure if those also work for Azure Functions. A runtime API is interesting. I could increase it in our SDK, but that would bring new security issues? A package could set it arbitrarily high and expose users to the CVE. I'm not sure if that is in scope for the node.js project. Certainly possible to do plenty of nasty things now in npm packages. Unwillingness to set the flag is also an issue. I have a major customer who has the technical ability to set --max-http-header-size but is unwilling to due to the linked CVE. I can't go into much detail, but you can imagine that setting a flag associated with a CVE is not an easy sell to an enterprise security team. To be clear, they bear some responsibility for that situation! But it would be nice if node helped by changing the default. |
Ehm... I can't get your point. You say that one doesn't want to set an obvious run-time parameter to some value but will accept if default setting would be changed to that value? |
@Antonius-S Your summary makes sense to me! If we are comfortable with a value being the default, they are comfortable, but they don't want to override our opinion and be responsible for their decision to override our opinion. |
@sam-github sounds reasonable. And there's really no way to conveniently redefine the limit in runtime. Probably adding appropriate parameter to |
@Antonius-S @sam-github you have it correct. Node blessing a default has a significant benefit over a user override of the same value. I've opened a PR over in http_parser as it looks like this default is set there. |
It's possible to provide a way to change this value via an API in Node 12: as you can see in node/src/node_http_parser_impl.h Line 821 in 39a9358
The best solution should be to add an option to set this behavior for each connection/server via an option in the server and client. @southpolesteve would you like to give that a shot? |
Yes, please let us programatically configure the header size! Node.js's runtime should not be imposing arbitrary limits that aren't able to be changed by configuration options. Its really annoying to have to pass in a special flag in order to make my program work. I'm not able to control the header size on my end. |
I think the solution suggested by @mcollina should be quite a bit easier to implement now that we’ve removed the legacy HTTP parser in Node.js 13 :) |
@addaleax I found this issue from the Node Todo page, is this something I could help with? My understanding is that the solution is to not change the default in Edit: |
@southpolesteve I will like to work on this issue can you please mentor or else give me some other issue to kick start my contribution in NODE core. |
@addaleax @southpolesteve Well that's time I wasted I won't be getting back... Would have appreciated the feedback that all you wanted to change was the default, and not extend the CLI option. |
@shastriUF I’m sorry nobody replied to your comment (neither me nor somebody else), in a project as big as Node.js sometimes these things simply get lost. Pings and bumping a thread are appreciated in those cases. That being said, the issue description mentions that using CLI options is part of the issue here. |
@addaleax Thanks for the explanation, I'll try to follow up more frequently in the future. |
Fixes: #27645 PR-URL: #32520 Reviewed-By: Anna Henningsen <[email protected]> Reviewed-By: David Carlier <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Jiawen Geng <[email protected]>
Is your feature request related to a problem? Please describe.
Node recently introduced a security fix that decreased the max header size to 8kb 1860352. This has caused problems for users who are using APIs that pass large amounts of data via headers. One example: Azure/azure-cosmos-js#221. Node users running in managed environments like FaaS cloud services are unable to set the
--max-http-header-size
CLI flag. More examples in #24692Describe the solution you'd like
Increase the max header size to 16kb. This StackOverflow issue outlines the max header size for various web servers and 16kb is the maximum for IIS which is used in many of our APIs. It seems to me that 16kb is a more reasonable default with the widespread usage of IIS. Assuming of course that 16kb is still secure given the vulnerability present when the default value was 80kb.
Describe alternatives you've considered
In our case, I am also working to solve this issue on the API side, but in some cases, for legacy production APIs it is just not possible to decrease our header usage.
@mcollina @bnb
The text was updated successfully, but these errors were encountered: