-
Notifications
You must be signed in to change notification settings - Fork 29.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix flaky test test-http-pipeline-flood #2862
Conversation
This test is there to confirm that CVE-2013-4450 is addressed, see https://nodejs.org/en/blog/vulnerability/http-server-pipeline-flood-dos/ for some details. Could you confirm that the test correctly identifies the issue (a) exists in older code and (b) is fixed in newer code. Perhaps by trying it against a v0.10.20 build to see it fail and v0.10.21 to see it pass. |
I had to make a few small changes to the test to be able to try it under v0.10.20 and v0.10.21, but it seems to work as expected. (That is, it fails with 0.10.20 and passes with 0.10.21.) Changes required to get it to run in those older versions of Node:
Other than that, the test I ran is identical to what @dnakamura submitted in this PR. Here are the results:
Note that because I added an extra line, that assertion failure on line 69 is /cc @rvagg |
@dnakamura Some little style issues in the test file if you run
|
test-http-pipeline-flood has been flaky on Windows for some time. Hopefully, nodejs#2862 fixes it and lands soon, but until then, let's mark it as flaky.
I rebased against current master, fixed the linting issues, and did some additional refactoring. Pull request is #3636. |
It looks like this does not in fact solve the pipeflood flakiness for Windows: https://ci.nodejs.org/job/node-test-binary-windows/189/RUN_SUBSET=1,VS_VERSION=vs2015,label=win2012r2/tapTestReport/test.tap-228/ |
Although it's failing differently, I think, so maybe it can be tweaked... |
Closing in favor of #3636 |
test-http-pipeline-flood has been flaky on Windows for some time. Hopefully, nodejs#2862 fixes it and lands soon, but until then, let's mark it as flaky. PR-URL: nodejs#3616 Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
rebase of nodejs/node-v0.x-archive#25870
Fixes nodejs/node-v0.x-archive#25732 and nodejs/node-v0.x-archive#25709
So, some background. This test looks to test a feature to prevent a DoS vulnerability. Essentially once native socket write buffers have filled up, the http parser should cork the read stream. (requests in data which has already been read will still be processed)
Current test
Issues:
New test