http: reject control characters in http.request() #8923
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
tarqd
reviewed
Oct 5, 2016
| @@ -43,13 +43,14 @@ function ClientRequest(options, cb) { | |||
| if (self.agent && self.agent.protocol) | |||
| expectedProtocol = self.agent.protocol; | |||
|
|
|||
| if (options.path && / /.test(options.path)) { | |||
| if (options.path && /[\n\r ]/.test(options.path)) { | |||
There was a problem hiding this comment.
Does it make sense to reject tabs here as well? The logic being that when you send an unescaped tab to servers like Apache the server will interpret the request as the tab splitting the path and the HTTP version. Instead of failing silently and allowing malformed requests through, the developer will get an error thrown that clearly says "You have to escape this"
There was a problem hiding this comment.
@ilsken second commit includes the tabs.
silverwind
approved these changes
Oct 5, 2016
| // why it only scans for spaces because those are guaranteed to create | ||
| // an invalid request. | ||
| // well, and b) possibly too restrictive for real-world usage. | ||
| // Restrict the filter to control characters and spaces. | ||
| throw new TypeError('Request path contains unescaped characters'); |
There was a problem hiding this comment.
Ack, but for a different PR because people may want to be careful and consider that semver-major?
There was a problem hiding this comment.
Hmm, I think this would be a unecessary breaking change if we consider error types as API. So, LGTM as-is.
lpinca
reviewed
Oct 6, 2016
| }, /contains unescaped characters/); | ||
| function* bad() { | ||
| for (let i = 0; i <= 32; i += 1) | ||
| yield 'bad' + String.fromCharCode(i) + 'path'; |
There was a problem hiding this comment.
Nit: it doesn't add any real value but what about using a template literal?
There was a problem hiding this comment.
I initially had that but I felt it was less readable than concatenation. Consider:
yield 'bad' + String.fromCharCode(i) + 'path';Vs.
yield `bad${String.fromCharCode(i)}path`;
jasnell
added
semver-major
|
Marking semver-major |
|
@nodejs/ctc ... I'd like to include this in v7 assuming it lands in master. Need ctc approval tho as a semver-major. |
|
Mhhh, I would like to hear other opinions, but this seems like more of a security bug fix than an actual |
|
It can be viewed in both ways. There aren't any good reasons why someone would rely on the current behavior but there are examples of software using |
|
@jasnell In that case, how about considering the first commit here as a
(That’s forbidden already.) |
|
I'd say if we're going to go that route, let's just treat them both as semver-patch and document the change in the release notes. |
|
Maybe we can revisit this whole "semver majors need CTC approval to land in v7" thing. Did that even come out of the CTC or was that an LTS WG decision? |
Correct. I consider this a security/correctness fix and as such exempt from our regular semver policies. I plan on back-porting it to the release branches once it lands in master. I'll remove the semver-major label. |
bnoordhuis
added
lts-watch-v4.x
and removed
semver-major
not-an-aardvark
approved these changes
Oct 12, 2016
Unsanitized paths containing line feed characters can be used for header injection and request splitting so reject them with an exception. There seems to be no reasonable use case for allowing control characters (characters <= 31) while there are several scenarios where they can be used to exploit software bugs so reject control characters altogether. PR-URL: nodejs#8923 Reviewed-By: Anna Henningsen <[email protected]> Reviewed-By: Evan Lucas <[email protected]> Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: not-an-aardvark <[email protected]>
bnoordhuis
force-pushed
the
reject-bad-http-request-chars
branch
from
a2a9168
to
4f62acd
Compare
jasnell
pushed a commit
that referenced
this pull request
Oct 14, 2016
Unsanitized paths containing line feed characters can be used for header injection and request splitting so reject them with an exception. There seems to be no reasonable use case for allowing control characters (characters <= 31) while there are several scenarios where they can be used to exploit software bugs so reject control characters altogether. PR-URL: #8923 Reviewed-By: Anna Henningsen <[email protected]> Reviewed-By: Evan Lucas <[email protected]> Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: not-an-aardvark <[email protected]>
|
@bnoordhuis @jasnell I've added the v6.x watch label to this. Is this safe to land now or is it something we should let live on v7 a bit longer? Should this come in a patch release or a minor release? |
|
ping @bnoordhuis |
|
this should land with dbf4bf2 |
|
@thealphanerd See #8923 (comment), this can land in a patch release. |
MylesBorins
pushed a commit
that referenced
this pull request
Mar 7, 2017
Unsanitized paths containing line feed characters can be used for header injection and request splitting so reject them with an exception. There seems to be no reasonable use case for allowing control characters (characters <= 31) while there are several scenarios where they can be used to exploit software bugs so reject control characters altogether. PR-URL: #8923 Reviewed-By: Anna Henningsen <[email protected]> Reviewed-By: Evan Lucas <[email protected]> Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: not-an-aardvark <[email protected]>
MylesBorins
pushed a commit
that referenced
this pull request
Mar 7, 2017
Unsanitized paths containing line feed characters can be used for header injection and request splitting so reject them with an exception. There seems to be no reasonable use case for allowing control characters (characters <= 31) while there are several scenarios where they can be used to exploit software bugs so reject control characters altogether. PR-URL: #8923 Reviewed-By: Anna Henningsen <[email protected]> Reviewed-By: Evan Lucas <[email protected]> Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: not-an-aardvark <[email protected]>
MylesBorins
pushed a commit
that referenced
this pull request
Mar 9, 2017
Unsanitized paths containing line feed characters can be used for header injection and request splitting so reject them with an exception. There seems to be no reasonable use case for allowing control characters (characters <= 31) while there are several scenarios where they can be used to exploit software bugs so reject control characters altogether. PR-URL: #8923 Reviewed-By: Anna Henningsen <[email protected]> Reviewed-By: Evan Lucas <[email protected]> Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: not-an-aardvark <[email protected]>
Merged
MylesBorins
pushed a commit
that referenced
this pull request
Mar 9, 2017
Unsanitized paths containing line feed characters can be used for header injection and request splitting so reject them with an exception. There seems to be no reasonable use case for allowing control characters (characters <= 31) while there are several scenarios where they can be used to exploit software bugs so reject control characters altogether. PR-URL: #8923 Reviewed-By: Anna Henningsen <[email protected]> Reviewed-By: Evan Lucas <[email protected]> Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: not-an-aardvark <[email protected]>
Merged
MylesBorins
added a commit
that referenced
this pull request
Mar 21, 2017
Notable changes
* performance: The performance of several APIs has been improved.
- `Buffer.compare()` is up to 35% faster on average. (Brian White)
#10927
- `buffer.toJSON()` is up to 2859% faster on average. (Brian White)
#10895
- `fs.*statSync()` functions are now up to 9.3% faster on average.
(Brian White) #11522
- `os.loadavg` is up to 151% faster. (Brian White)
#11516
- `process.memoryUsage()` is up to 34% faster. (Brian White)
#11497
- `querystring.unescape()` for `Buffer`s is 15% faster on average.
(Brian White) #10837
- `querystring.stringify()` is up to 7.8% faster on average.
(Brian White) #10852
- `querystring.parse()` is up to 21% faster on average. (Brian White)
#10874
* IPC:
- Batched writes have been enabled for process IPC on platforms that
support Unix Domain Sockets. (Alexey Orlenko)
#10677
- Performance gains may be up to 40% for some workloads.
* child_process:
- `spawnSync` now returns a null `status` when child is terminated by
a signal. (cjihrig) #11288
- This fixes the behavior to act like `spawn()` does.
* http:
- Control characters are now always rejected when using
`http.request()`. (Ben Noordhuis)
#8923
- Debug messages have been added for cases when headers contain
invalid values. (Evan Lucas)
#9195
* node:
- Heap statistics now support values larger than 4GB. (Ben Noordhuis)
#10186
* timers:
- Timer callbacks now always maintain order when interacting with
domain error handling. (John Barboza)
#10522
PR-URL: #11759
MylesBorins
added a commit
that referenced
this pull request
Mar 21, 2017
Notable Changes:
* buffer:
- The performance of `.toJSON()` is now up to 2859% faster on average
(Brian White) #10895
* IPC:
- Batched writes have been enabled for process IPC on platforms that
support Unix Domain Sockets. (Alexey Orlenko)
#10677
- Performance gains may be up to 40% for some workloads.
* http:
- Control characters are now always rejected when using
`http.request()`. (Ben Noordhuis)
#8923
* node:
- Heap statistics now support values larger than 4GB. (Ben Noordhuis)
#10186
MylesBorins
added a commit
that referenced
this pull request
Mar 21, 2017
Notable Changes:
* buffer:
- The performance of `.toJSON()` is now up to 2859% faster on average
(Brian White) #10895
* IPC:
- Batched writes have been enabled for process IPC on platforms that
support Unix Domain Sockets. (Alexey Orlenko)
#10677
- Performance gains may be up to 40% for some workloads.
* http:
- Control characters are now always rejected when using
`http.request()`. (Ben Noordhuis)
#8923
* node:
- Heap statistics now support values larger than 4GB. (Ben Noordhuis)
#10186
PR-URL: #11760
MylesBorins
added a commit
that referenced
this pull request
Mar 21, 2017
Notable changes
* performance: The performance of several APIs has been improved.
- `Buffer.compare()` is up to 35% faster on average. (Brian White)
#10927
- `buffer.toJSON()` is up to 2859% faster on average. (Brian White)
#10895
- `fs.*statSync()` functions are now up to 9.3% faster on average.
(Brian White) #11522
- `os.loadavg` is up to 151% faster. (Brian White)
#11516
- `process.memoryUsage()` is up to 34% faster. (Brian White)
#11497
- `querystring.unescape()` for `Buffer`s is 15% faster on average.
(Brian White) #10837
- `querystring.stringify()` is up to 7.8% faster on average.
(Brian White) #10852
- `querystring.parse()` is up to 21% faster on average. (Brian White)
#10874
* IPC:
- Batched writes have been enabled for process IPC on platforms that
support Unix Domain Sockets. (Alexey Orlenko)
#10677
- Performance gains may be up to 40% for some workloads.
* child_process:
- `spawnSync` now returns a null `status` when child is terminated by
a signal. (cjihrig) #11288
- This fixes the behavior to act like `spawn()` does.
* http:
- Control characters are now always rejected when using
`http.request()`. (Ben Noordhuis)
#8923
- Debug messages have been added for cases when headers contain
invalid values. (Evan Lucas)
#9195
* node:
- Heap statistics now support values larger than 4GB. (Ben Noordhuis)
#10186
* timers:
- Timer callbacks now always maintain order when interacting with
domain error handling. (John Barboza)
#10522
PR-URL: #11759
imyller
added a commit
to imyller/meta-nodejs
that referenced
this pull request
Apr 20, 2017
Notable Changes:
* buffer:
- The performance of `.toJSON()` is now up to 2859% faster on average
(Brian White) nodejs/node#10895
* IPC:
- Batched writes have been enabled for process IPC on platforms that
support Unix Domain Sockets. (Alexey Orlenko)
nodejs/node#10677
- Performance gains may be up to 40% for some workloads.
* http:
- Control characters are now always rejected when using
`http.request()`. (Ben Noordhuis)
nodejs/node#8923
* node:
- Heap statistics now support values larger than 4GB. (Ben Noordhuis)
nodejs/node#10186
Signed-off-by: Ilkka Myller <[email protected]>
imyller
added a commit
to imyller/meta-nodejs
that referenced
this pull request
Apr 20, 2017
Notable changes
* performance: The performance of several APIs has been improved.
- `Buffer.compare()` is up to 35% faster on average. (Brian White)
nodejs/node#10927
- `buffer.toJSON()` is up to 2859% faster on average. (Brian White)
nodejs/node#10895
- `fs.*statSync()` functions are now up to 9.3% faster on average.
(Brian White) nodejs/node#11522
- `os.loadavg` is up to 151% faster. (Brian White)
nodejs/node#11516
- `process.memoryUsage()` is up to 34% faster. (Brian White)
nodejs/node#11497
- `querystring.unescape()` for `Buffer`s is 15% faster on average.
(Brian White) nodejs/node#10837
- `querystring.stringify()` is up to 7.8% faster on average.
(Brian White) nodejs/node#10852
- `querystring.parse()` is up to 21% faster on average. (Brian White)
nodejs/node#10874
* IPC:
- Batched writes have been enabled for process IPC on platforms that
support Unix Domain Sockets. (Alexey Orlenko)
nodejs/node#10677
- Performance gains may be up to 40% for some workloads.
* child_process:
- `spawnSync` now returns a null `status` when child is terminated by
a signal. (cjihrig) nodejs/node#11288
- This fixes the behavior to act like `spawn()` does.
* http:
- Control characters are now always rejected when using
`http.request()`. (Ben Noordhuis)
nodejs/node#8923
- Debug messages have been added for cases when headers contain
invalid values. (Evan Lucas)
nodejs/node#9195
* node:
- Heap statistics now support values larger than 4GB. (Ben Noordhuis)
nodejs/node#10186
* timers:
- Timer callbacks now always maintain order when interacting with
domain error handling. (John Barboza)
nodejs/node#10522
PR-URL: nodejs/node#11759
Signed-off-by: Ilkka Myller <[email protected]>
imyller
added a commit
to imyller/meta-nodejs
that referenced
this pull request
Apr 20, 2017
Notable Changes:
* buffer:
- The performance of `.toJSON()` is now up to 2859% faster on average
(Brian White) nodejs/node#10895
* IPC:
- Batched writes have been enabled for process IPC on platforms that
support Unix Domain Sockets. (Alexey Orlenko)
nodejs/node#10677
- Performance gains may be up to 40% for some workloads.
* http:
- Control characters are now always rejected when using
`http.request()`. (Ben Noordhuis)
nodejs/node#8923
* node:
- Heap statistics now support values larger than 4GB. (Ben Noordhuis)
nodejs/node#10186
Signed-off-by: Ilkka Myller <[email protected]>
imyller
added a commit
to imyller/meta-nodejs
that referenced
this pull request
Apr 20, 2017
Notable changes
* performance: The performance of several APIs has been improved.
- `Buffer.compare()` is up to 35% faster on average. (Brian White)
nodejs/node#10927
- `buffer.toJSON()` is up to 2859% faster on average. (Brian White)
nodejs/node#10895
- `fs.*statSync()` functions are now up to 9.3% faster on average.
(Brian White) nodejs/node#11522
- `os.loadavg` is up to 151% faster. (Brian White)
nodejs/node#11516
- `process.memoryUsage()` is up to 34% faster. (Brian White)
nodejs/node#11497
- `querystring.unescape()` for `Buffer`s is 15% faster on average.
(Brian White) nodejs/node#10837
- `querystring.stringify()` is up to 7.8% faster on average.
(Brian White) nodejs/node#10852
- `querystring.parse()` is up to 21% faster on average. (Brian White)
nodejs/node#10874
* IPC:
- Batched writes have been enabled for process IPC on platforms that
support Unix Domain Sockets. (Alexey Orlenko)
nodejs/node#10677
- Performance gains may be up to 40% for some workloads.
* child_process:
- `spawnSync` now returns a null `status` when child is terminated by
a signal. (cjihrig) nodejs/node#11288
- This fixes the behavior to act like `spawn()` does.
* http:
- Control characters are now always rejected when using
`http.request()`. (Ben Noordhuis)
nodejs/node#8923
- Debug messages have been added for cases when headers contain
invalid values. (Evan Lucas)
nodejs/node#9195
* node:
- Heap statistics now support values larger than 4GB. (Ben Noordhuis)
nodejs/node#10186
* timers:
- Timer callbacks now always maintain order when interacting with
domain error handling. (John Barboza)
nodejs/node#10522
PR-URL: nodejs/node#11759
Signed-off-by: Ilkka Myller <[email protected]>
3 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
First commit:
Unsanitized paths containing line feed characters can be used for header injection and request splitting so reject them with an exception.
Second commit:
The first commit is the result of nodejs-security@ discussion but I had a change of heart. I can't see any reasonable use case for allowing control characters (characters <= 31) but I can think of several scenarios where they can be used to exploit software bugs so let's ban them altogether.
There is a a potential compatibility issue in that tabs in paths have been observed in the wild, but, to the best of my knowledge, only in requests from buggy HTTP clients. Here too I don't see a reason to allow them in requests that node.js initiates.
@nodejs/http @nodejs/security