Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

test: check that --insecure-http-parser works #31253

Closed
wants to merge 1 commit into from
Closed

test: check that --insecure-http-parser works #31253

wants to merge 1 commit into from

Conversation

sam-github
Copy link
Contributor

@sam-github sam-github commented Jan 7, 2020
edited
Loading

Test that using --insecure-http-parser will disable validation of
invalid characters in HTTP headers.

See:

Checklist
  • make -j4 test (UNIX), or vcbuild test (Windows) passes
  • tests and/or benchmarks are included
  • commit message follows commit guidelines

@nodejs-github-bot nodejs-github-bot added the test Issues and PRs related to the tests. label Jan 7, 2020
This was referenced Jan 7, 2020
Closed
Closed
Closed
@nodejs-github-bot
Copy link
Collaborator

CI: https://ci.nodejs.org/job/node-test-pull-request/28273/

@nodejs-github-bot
Copy link
Collaborator

CI: https://ci.nodejs.org/job/node-test-pull-request/28275/

@nodejs-github-bot
Copy link
Collaborator

CI: https://ci.nodejs.org/job/node-test-pull-request/28281/

@sam-github
Copy link
Contributor Author

Note that the test fails when the required CLI param is not present:

% NODE_SKIP_FLAG_CHECK=y ~/.nvm/versions/node/v12.14.0/bin/node test/parallel/test-http-insecure-parser.js          
assert.js:92
  throw new AssertionError(obj);
  ^

AssertionError [ERR_ASSERTION]: Expected values to be strictly equal:
+ actual - expected

+ 'HTTP/1.1 400 Bad Request'
- 'HTTP/1.1 200 OK'
            ^
    at Socket.<anonymous> (/home/sam/w/core/node/test/parallel/test-http-insecure-parser.js:32:12)
    at Socket.<anonymous> (/home/sam/w/core/node/test/common/index.js:358:15)
    at Socket.emit (events.js:215:7)
    at endReadableNT (_stream_readable.js:1184:12)
    at processTicksAndRejections (internal/process/task_queues.js:80:21) {
  generatedMessage: true,
  code: 'ERR_ASSERTION',
  actual: 'HTTP/1.1 400 Bad Request',
  expected: 'HTTP/1.1 200 OK',
  operator: 'strictEqual'
}

@nodejs-github-bot
Copy link
Collaborator

CI: https://ci.nodejs.org/job/node-test-pull-request/28302/

@sam-github
test: check that --insecure-http-parser works
57ef733 
Test that using --insecure-http-parser will disable validation of
invalid characters in HTTP headers.

See:
- nodejs#30567
@nodejs-github-bot
Copy link
Collaborator

CI: https://ci.nodejs.org/job/node-test-pull-request/28326/

@sam-github
Copy link
Contributor Author

@addaleax @nodejs/http

@nodejs-github-bot
Copy link
Collaborator

CI: https://ci.nodejs.org/job/node-test-pull-request/28328/

@BridgeAR BridgeAR added the author ready PRs that have at least one approval, no pending requests for changes, and a CI started. label Jan 9, 2020
sam-github added a commit that referenced this pull request Jan 9, 2020
@sam-github
test: check that --insecure-http-parser works
e4bff13 
Test that using --insecure-http-parser will disable validation of
invalid characters in HTTP headers.

See:
- #30567

PR-URL: #31253
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: Ruben Bridgewater <[email protected]>
@sam-github
Copy link
Contributor Author

Landed in e4bff13

@sam-github sam-github closed this Jan 9, 2020
@sam-github sam-github deleted the test-insecure-http-parser branch January 9, 2020 23:33
sam-github added a commit to sam-github/node that referenced this pull request Jan 10, 2020
@sam-github
test: check that --insecure-http-parser works
2e5037b 
Test that using --insecure-http-parser will disable validation of
invalid characters in HTTP headers.

See:
- nodejs#30567

PR-URL: nodejs#31253
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: Ruben Bridgewater <[email protected]>
sam-github added a commit to sam-github/node that referenced this pull request Jan 10, 2020
@sam-github
test: check that --insecure-http-parser works
58ec670 
Test that using --insecure-http-parser will disable validation of
invalid characters in HTTP headers.

See:
- nodejs#30567

PR-URL: nodejs#31253
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: Ruben Bridgewater <[email protected]>
targos pushed a commit that referenced this pull request Jan 14, 2020
@sam-github @targos
test: check that --insecure-http-parser works
ccf9038 
Test that using --insecure-http-parser will disable validation of
invalid characters in HTTP headers.

See:
- #30567

PR-URL: #31253
Backport-PR-URL: #30473
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: Ruben Bridgewater <[email protected]>
@targos targos mentioned this pull request Jan 15, 2020
Closed
MylesBorins pushed a commit that referenced this pull request Jan 16, 2020
@sam-github @MylesBorins
test: check that --insecure-http-parser works
0b88c3d 
Test that using --insecure-http-parser will disable validation of
invalid characters in HTTP headers.

See:
- #30567

PR-URL: #31253
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: Ruben Bridgewater <[email protected]>
@codebytere codebytere mentioned this pull request Jan 16, 2020
Merged
zsw007 added a commit to ibmruntimes/node that referenced this pull request Feb 11, 2020
@zsw007
test: check that --insecure-http-parser works
b696d8d 
Backport ab1fcb8

Original commit message:

    Test that using --insecure-http-parser will disable validation of
    invalid characters in HTTP headers.

    See:
    - nodejs/node#30567

    PR-URL: nodejs/node#31253
    Backport-PR-URL: nodejs/node#30473
    Reviewed-By: Richard Lau <[email protected]>
    Reviewed-By: Ruben Bridgewater <[email protected]>
zsw007 added a commit to ibmruntimes/node that referenced this pull request Feb 12, 2020
@zsw007
test: check that --insecure-http-parser works
b9eeafe 
Backport ab1fcb8

Original commit message:

    Test that using --insecure-http-parser will disable validation of
    invalid characters in HTTP headers.

    See:
    - nodejs/node#30567

    PR-URL: nodejs/node#31253
    Backport-PR-URL: nodejs/node#30473
    Reviewed-By: Richard Lau <[email protected]>
    Reviewed-By: Ruben Bridgewater <[email protected]>
zsw007 added a commit to ibmruntimes/node that referenced this pull request Feb 12, 2020
@zsw007
test: check that --insecure-http-parser works
ec48296 
Backport ab1fcb8

Original commit message:

    Test that using --insecure-http-parser will disable validation of
    invalid characters in HTTP headers.

    See:
    - nodejs/node#30567

    PR-URL: nodejs/node#31253
    Backport-PR-URL: nodejs/node#30473
    Reviewed-By: Richard Lau <[email protected]>
    Reviewed-By: Ruben Bridgewater <[email protected]>
BaochengSu added a commit to BaochengSu/node that referenced this pull request Oct 21, 2020
@BaochengSu
CVE-2019-15605
a5c5539 
Ported from
OpenSUSE:nodejs8-8.17.0-lp152.147.1:CVE-2019-15605.patch

Original commit message:

commit e2c8f89
Author: Sam Roberts <[email protected]>
Date:   Thu Jan 16 11:55:52 2020 -0800

    test: using TE to smuggle reqs is not possible

    See: https://hackerone.com/reports/735748

    PR-URL: https://github.com/nodejs-private/node-private/pull/192
    Reviewed-By: Beth Griggs <[email protected]>

commit 49f4220
Author: Sam Roberts <[email protected]>
Date:   Tue Feb 4 10:36:57 2020 -0800

    deps: upgrade http-parser to v2.9.3

    PR-URL: https://github.com/nodejs-private/http-parser-private/pull/4
    Reviewed-By: Matteo Collina <[email protected]>
    Reviewed-By: James M Snell <[email protected]>
    Reviewed-By: Sam Roberts <[email protected]>

commit d616722
Author: Sam Roberts <[email protected]>
Date:   Tue Jan 7 14:24:54 2020 -0800

    test: check that --insecure-http-parser works

    Test that using --insecure-http-parser will disable validation of
    invalid characters in HTTP headers.

    See:
    - nodejs#30567

    Backport-PR-URL: nodejs#30471
    PR-URL: nodejs#31253
    Reviewed-By: Richard Lau <[email protected]>
    Reviewed-By: Ruben Bridgewater <[email protected]>

commit a9849c0
Author: Sam Roberts <[email protected]>
Date:   Wed Nov 20 11:48:58 2019 -0800

    http: opt-in insecure HTTP header parsing

    Allow insecure HTTP header parsing. Make clear it is insecure.

    See:
    - nodejs#30553
    - nodejs#27711 (comment)
    - nodejs#30515

    Backport-PR-URL: nodejs#30471
    PR-URL: nodejs#30567
    Reviewed-By: Fedor Indutny <[email protected]>
    Reviewed-By: Anna Henningsen <[email protected]>
    Reviewed-By: Denys Otrishko <[email protected]>
    Reviewed-By: James M Snell <[email protected]>

commit a28e5cc
Author: Sam Roberts <[email protected]>
Date:   Wed Nov 13 10:05:38 2019 -0800

    deps: upgrade http-parser to v2.9.1

    PR-URL: nodejs#30471
    Reviewed-By: James M Snell <[email protected]>
    Reviewed-By: Jiawen Geng <[email protected]>
    Reviewed-By: Richard Lau <[email protected]>
    Reviewed-By: Beth Griggs <[email protected]>

Signed-off-by: Su Baocheng <[email protected]>
BaochengSu added a commit to BaochengSu/node that referenced this pull request Jul 14, 2022
@BaochengSu
CVE-2019-15605
65ab2f5 
Ported from
OpenSUSE:nodejs8-8.17.0-lp152.147.1:CVE-2019-15605.patch

Original commit message:

commit e2c8f89
Author: Sam Roberts <[email protected]>
Date:   Thu Jan 16 11:55:52 2020 -0800

    test: using TE to smuggle reqs is not possible

    See: https://hackerone.com/reports/735748

    PR-URL: https://github.com/nodejs-private/node-private/pull/192
    Reviewed-By: Beth Griggs <[email protected]>

commit 49f4220
Author: Sam Roberts <[email protected]>
Date:   Tue Feb 4 10:36:57 2020 -0800

    deps: upgrade http-parser to v2.9.3

    PR-URL: https://github.com/nodejs-private/http-parser-private/pull/4
    Reviewed-By: Matteo Collina <[email protected]>
    Reviewed-By: James M Snell <[email protected]>
    Reviewed-By: Sam Roberts <[email protected]>

commit d616722
Author: Sam Roberts <[email protected]>
Date:   Tue Jan 7 14:24:54 2020 -0800

    test: check that --insecure-http-parser works

    Test that using --insecure-http-parser will disable validation of
    invalid characters in HTTP headers.

    See:
    - nodejs#30567

    Backport-PR-URL: nodejs#30471
    PR-URL: nodejs#31253
    Reviewed-By: Richard Lau <[email protected]>
    Reviewed-By: Ruben Bridgewater <[email protected]>

commit a9849c0
Author: Sam Roberts <[email protected]>
Date:   Wed Nov 20 11:48:58 2019 -0800

    http: opt-in insecure HTTP header parsing

    Allow insecure HTTP header parsing. Make clear it is insecure.

    See:
    - nodejs#30553
    - nodejs#27711 (comment)
    - nodejs#30515

    Backport-PR-URL: nodejs#30471
    PR-URL: nodejs#30567
    Reviewed-By: Fedor Indutny <[email protected]>
    Reviewed-By: Anna Henningsen <[email protected]>
    Reviewed-By: Denys Otrishko <[email protected]>
    Reviewed-By: James M Snell <[email protected]>

commit a28e5cc
Author: Sam Roberts <[email protected]>
Date:   Wed Nov 13 10:05:38 2019 -0800

    deps: upgrade http-parser to v2.9.1

    PR-URL: nodejs#30471
    Reviewed-By: James M Snell <[email protected]>
    Reviewed-By: Jiawen Geng <[email protected]>
    Reviewed-By: Richard Lau <[email protected]>
    Reviewed-By: Beth Griggs <[email protected]>

Signed-off-by: Su Baocheng <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@addaleax addaleax addaleax left review comments

@richardlau richardlau richardlau approved these changes

@BridgeAR BridgeAR BridgeAR approved these changes

Assignees
No one assigned
Labels
author ready PRs that have at least one approval, no pending requests for changes, and a CI started. test Issues and PRs related to the tests.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@sam-github @nodejs-github-bot @addaleax @richardlau @BridgeAR @targos