Skip to content

Commit

Permalink
http: llhttp opt-in insecure HTTP header parsing
Browse files Browse the repository at this point in the history
Allow insecure HTTP header parsing. Make clear it is insecure.

See:
- #30553
- #27711 (comment)
- #30515

PR-URL: #30567
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Denys Otrishko <shishugi@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
  • Loading branch information
sam-github committed Dec 9, 2019
1 parent d7b8ae7 commit 02a0c74
Show file tree
Hide file tree
Showing 8 changed files with 47 additions and 4 deletions.
11 changes: 11 additions & 0 deletions doc/api/cli.md
Original file line number Diff line number Diff line change
Expand Up @@ -419,6 +419,16 @@ added: v9.0.0
Specify the `module` of a custom [experimental ECMAScript Module loader][].
`module` may be either a path to a file, or an ECMAScript Module name.

### `--insecure-http-parser`
<!-- YAML
added: REPLACEME
-->

Use an insecure HTTP parser that accepts invalid HTTP headers. This may allow
interoperability with non-conformant HTTP implementations. It may also allow
request smuggling and other HTTP attacks that rely on invalid headers being
accepted. Avoid using this option.

### `--max-http-header-size=size`
<!-- YAML
added: v11.6.0
Expand Down Expand Up @@ -1064,6 +1074,7 @@ Node.js options that are allowed are:
* `--http-parser`
* `--icu-data-dir`
* `--input-type`
* `--insecure-http-parser`
* `--inspect-brk`
* `--inspect-port`, `--debug-port`
* `--inspect-publish-uid`
Expand Down
6 changes: 6 additions & 0 deletions doc/node.1
Original file line number Diff line number Diff line change
Expand Up @@ -213,6 +213,12 @@ Specify the
.Ar module
to use as a custom module loader.
.
.It Fl -insecure-http-parser
Use an insecure HTTP parser that accepts invalid HTTP headers. This may allow
interoperability with non-conformant HTTP implementations. It may also allow
request smuggling and other HTTP attacks that rely on invalid headers being
accepted. Avoid using this option.
.
.It Fl -max-http-header-size Ns = Ns Ar size
Specify the maximum size of HTTP headers in bytes. Defaults to 8KB.
.
Expand Down
4 changes: 3 additions & 1 deletion lib/_http_client.js
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,7 @@ const {
freeParser,
parsers,
HTTPParser,
isLenient,
prepareError,
} = require('_http_common');
const { OutgoingMessage } = require('_http_outgoing');
Expand Down Expand Up @@ -676,7 +677,8 @@ function tickOnSocket(req, socket) {
req.socket = socket;
parser.initialize(HTTPParser.RESPONSE,
new HTTPClientAsyncResource('HTTPINCOMINGMESSAGE', req),
req.maxHeaderSize || 0);
req.maxHeaderSize || 0,
isLenient());
parser.socket = socket;
parser.outgoing = req;
req.parser = parser;
Expand Down
13 changes: 13 additions & 0 deletions lib/_http_common.js
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,8 @@ const {
const { setImmediate } = require('timers');

const { methods, HTTPParser } = internalBinding('http_parser');
const { getOptionValue } = require('internal/options');
const insecureHTTPParser = getOptionValue('--insecure-http-parser');

const FreeList = require('internal/freelist');
const incoming = require('_http_incoming');
Expand Down Expand Up @@ -237,6 +239,16 @@ function prepareError(err, parser, rawPacket) {
err.message = `Parse Error: ${err.reason}`;
}

let warnedLenient = false;

function isLenient() {
if (insecureHTTPParser && !warnedLenient) {
warnedLenient = true;
process.emitWarning('Using insecure HTTP parsing');
}
return insecureHTTPParser;
}

module.exports = {
_checkInvalidHeaderChar: checkInvalidHeaderChar,
_checkIsHttpToken: checkIsHttpToken,
Expand All @@ -249,5 +261,6 @@ module.exports = {
parsers,
kIncomingMessage,
HTTPParser,
isLenient,
prepareError,
};
4 changes: 3 additions & 1 deletion lib/_http_server.js
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,7 @@ const {
chunkExpression,
kIncomingMessage,
HTTPParser,
isLenient,
_checkInvalidHeaderChar: checkInvalidHeaderChar,
prepareError,
} = require('_http_common');
Expand Down Expand Up @@ -410,7 +411,8 @@ function connectionListenerInternal(server, socket) {
parser.initialize(
HTTPParser.REQUEST,
new HTTPServerAsyncResource('HTTPINCOMINGMESSAGE', socket),
server.maxHeaderSize || 0
server.maxHeaderSize || 0,
isLenient(),
);
parser.socket = socket;

Expand Down
7 changes: 5 additions & 2 deletions src/node_http_parser.cc
Original file line number Diff line number Diff line change
Expand Up @@ -486,11 +486,13 @@ class Parser : public AsyncWrap, public StreamListener {

static void Initialize(const FunctionCallbackInfo<Value>& args) {
Environment* env = Environment::GetCurrent(args);
bool lenient = args[3]->IsTrue();

uint64_t max_http_header_size = 0;

CHECK(args[0]->IsInt32());
CHECK(args[1]->IsObject());

if (args.Length() > 2) {
CHECK(args[2]->IsNumber());
max_http_header_size = args[2].As<Number>()->Value();
Expand All @@ -515,7 +517,7 @@ class Parser : public AsyncWrap, public StreamListener {

parser->set_provider_type(provider);
parser->AsyncReset(args[1].As<Object>());
parser->Init(type, max_http_header_size);
parser->Init(type, max_http_header_size, lenient);
}

template <bool should_pause>
Expand Down Expand Up @@ -762,8 +764,9 @@ class Parser : public AsyncWrap, public StreamListener {
}


void Init(llhttp_type_t type, uint64_t max_http_header_size) {
void Init(llhttp_type_t type, uint64_t max_http_header_size, bool lenient) {
llhttp_init(&parser_, type, &settings);
llhttp_set_lenient(&parser_, lenient);
header_nread_ = 0;
url_.Reset();
status_message_.Reset();
Expand Down
4 changes: 4 additions & 0 deletions src/node_options.cc
Original file line number Diff line number Diff line change
Expand Up @@ -375,6 +375,10 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() {
&EnvironmentOptions::heap_snapshot_signal,
kAllowedInEnvironment);
AddOption("--http-parser", "", NoOp{}, kAllowedInEnvironment);
AddOption("--insecure-http-parser",
"use an insecure HTTP parser that accepts invalid HTTP headers",
&EnvironmentOptions::insecure_http_parser,
kAllowedInEnvironment);
AddOption("--input-type",
"set module type for string input",
&EnvironmentOptions::module_type,
Expand Down
2 changes: 2 additions & 0 deletions src/node_options.h
Original file line number Diff line number Diff line change
Expand Up @@ -158,6 +158,8 @@ class EnvironmentOptions : public Options {
bool print_eval = false;
bool force_repl = false;

bool insecure_http_parser = false;

bool tls_min_v1_0 = false;
bool tls_min_v1_1 = false;
bool tls_min_v1_2 = false;
Expand Down

0 comments on commit 02a0c74

Please sign in to comment.