-
Notifications
You must be signed in to change notification settings - Fork 29.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update http parser 2.9.1 v10.x #30471
Update http parser 2.9.1 v10.x #30471
Conversation
We might not want to do this, there's a reported bug against http-parser 2.9.x: #30515 |
99915bc
to
8f3b8ca
Compare
@sam-github could maybe the crypto or security team give a recommendation if this should be included in v10.x or not? Seems like not including it is not that safe? |
Should not be included until it can be released with a backport of #30567 |
d86dbab
to
27e1c28
Compare
#31253 should also be backported onto this, I'll do it once it has been approved. |
Reapplying HTTP_MAX_HEADER_SIZE=8192 to http_parser.gyp. CVE-2018-12121 PR-URL: https://github.com/nodejs-private/node-private/pull/143 Ref: https://github.com/nodejs-private/security/issues/139 Ref: https://github.com/nodejs-private/http-parser-private/pull/2 Reviewed-By: Anatoli Papirovski <apapirovski@mac.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Rod Vagg <rod@vagg.org> Reviewed-By: Anna Henningsen <anna@addaleax.net>
e9bd6b9
to
e6b0d25
Compare
Pulled in the test from #30473 (comment), but removed the test I just added for the legacy parser.... it only needs the original default test, because v10.x only has the one parser. |
Allow insecure HTTP header parsing. Make clear it is insecure. See: - nodejs#30553 - nodejs#27711 (comment) - nodejs#30515 PR-URL: nodejs#30567 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Denys Otrishko <shishugi@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
Test that using --insecure-http-parser will disable validation of invalid characters in HTTP headers. See: - nodejs#30567 PR-URL: nodejs#31253 Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
d8b167e
to
58ec670
Compare
Despited what GH shows above, the ci was green, this is ready to land on v10.x-staging: |
This is a bug in the way our builds post status to GitHub PRs -- in the case of the containered *sharedlibs builds they only post when the build fails (notice they don't show up otherwise as passing/pending) so resumes/rebuilds don't overwrite the failing status. I'll raise an issue over in build later on and see what we can do to fix it. |
@sam-github Would this be considered semver-minor because of potential breakage of apps that previously accepted invalid headers without using the new non-default flag? |
Its It could be called When the CLI option is used, it becomes I just searched our docs, and I can't find where the sec release policy is stated, though I'm pretty sure it used to be. Probably I'm just not finding it. |
Just to be clear, I'm not too hung up on the semverness of this, but would just like to make sure it has been considered. |
I'm sure you are not! :-) But we would like to do the right/documented thing, though, this won't be the last time we make a breaking change in LTS for sec purposes. @nodejs/lts please weigh in on what semver tag this should get, what has been done in the past? I poked about a bit, for example https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V010.md#2016-09-27-version-01047-maintenance-rvagg made breaking sec changes, but the PRs were private and didn't get semver tags:
So, that might be the pattern, not assign semverity/leave it at default ( |
FWIW the relevant policy is in the Release readme which says this should be
What isn't stated in the policy is whether if this is done for security purposes the release should be labelled as a security release. |
@nodejs/lts opinion on semverity? |
I would say semver minor makes sense. The next 10.x release is semver-minor so it seems reasonable |
Also from a process perspective I'm -1 on breaking changes landing as patch. We can always do an out of band semver minor if it is time sensitive. Folks shouldn't have things change from under them in a semver-patch release imho. Doing it as a minor makes it a slightly more explicit upgrade pathl. |
I think it should be labelled as a security release, but as we don't have that specific policy documented (yet) ping @nodejs/lts for opinions. If it is labelled as a security release (and includes breaking changes) - should we be adding new features in the same release? |
I'd support anything released under the policy (breaking changes as semver-minor for security reasons) to be labelled as a security release and for security releases to not contain other non-security features/fixes (other than any necessary test/build changes to ensure the builds still work). |
From the issue: > Some servers deviate from HTTP spec enougth that Node.js can't > communicate with them, but "work" when `--insecure-http-parser` > is enabled globally. It would be useful to be able to use this > mode, as a client, only when connecting to known bad servers. This is largely equivalent to nodejs#31446 in terms of code changes. Fixes: nodejs#31440 Refs: nodejs#31446 PR-URL: nodejs#31448 Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Rich Trott <rtrott@gmail.com>
this backport also has #31500 pulled in, since it depends on it. |
Ported from OpenSUSE:nodejs8-8.17.0-lp152.147.1:CVE-2019-15605.patch Original commit message: commit e2c8f89 Author: Sam Roberts <vieuxtech@gmail.com> Date: Thu Jan 16 11:55:52 2020 -0800 test: using TE to smuggle reqs is not possible See: https://hackerone.com/reports/735748 PR-URL: https://github.com/nodejs-private/node-private/pull/192 Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com> commit 49f4220 Author: Sam Roberts <vieuxtech@gmail.com> Date: Tue Feb 4 10:36:57 2020 -0800 deps: upgrade http-parser to v2.9.3 PR-URL: https://github.com/nodejs-private/http-parser-private/pull/4 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> commit d616722 Author: Sam Roberts <vieuxtech@gmail.com> Date: Tue Jan 7 14:24:54 2020 -0800 test: check that --insecure-http-parser works Test that using --insecure-http-parser will disable validation of invalid characters in HTTP headers. See: - nodejs#30567 Backport-PR-URL: nodejs#30471 PR-URL: nodejs#31253 Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de> commit a9849c0 Author: Sam Roberts <vieuxtech@gmail.com> Date: Wed Nov 20 11:48:58 2019 -0800 http: opt-in insecure HTTP header parsing Allow insecure HTTP header parsing. Make clear it is insecure. See: - nodejs#30553 - nodejs#27711 (comment) - nodejs#30515 Backport-PR-URL: nodejs#30471 PR-URL: nodejs#30567 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Denys Otrishko <shishugi@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> commit a28e5cc Author: Sam Roberts <vieuxtech@gmail.com> Date: Wed Nov 13 10:05:38 2019 -0800 deps: upgrade http-parser to v2.9.1 PR-URL: nodejs#30471 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Jiawen Geng <technicalcute@gmail.com> Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com> Signed-off-by: Su Baocheng <baocheng.su@siemens.com>
Ported from OpenSUSE:nodejs8-8.17.0-lp152.147.1:CVE-2019-15605.patch Original commit message: commit e2c8f89 Author: Sam Roberts <vieuxtech@gmail.com> Date: Thu Jan 16 11:55:52 2020 -0800 test: using TE to smuggle reqs is not possible See: https://hackerone.com/reports/735748 PR-URL: https://github.com/nodejs-private/node-private/pull/192 Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com> commit 49f4220 Author: Sam Roberts <vieuxtech@gmail.com> Date: Tue Feb 4 10:36:57 2020 -0800 deps: upgrade http-parser to v2.9.3 PR-URL: https://github.com/nodejs-private/http-parser-private/pull/4 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> commit d616722 Author: Sam Roberts <vieuxtech@gmail.com> Date: Tue Jan 7 14:24:54 2020 -0800 test: check that --insecure-http-parser works Test that using --insecure-http-parser will disable validation of invalid characters in HTTP headers. See: - nodejs#30567 Backport-PR-URL: nodejs#30471 PR-URL: nodejs#31253 Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de> commit a9849c0 Author: Sam Roberts <vieuxtech@gmail.com> Date: Wed Nov 20 11:48:58 2019 -0800 http: opt-in insecure HTTP header parsing Allow insecure HTTP header parsing. Make clear it is insecure. See: - nodejs#30553 - nodejs#27711 (comment) - nodejs#30515 Backport-PR-URL: nodejs#30471 PR-URL: nodejs#30567 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Denys Otrishko <shishugi@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> commit a28e5cc Author: Sam Roberts <vieuxtech@gmail.com> Date: Wed Nov 13 10:05:38 2019 -0800 deps: upgrade http-parser to v2.9.1 PR-URL: nodejs#30471 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Jiawen Geng <technicalcute@gmail.com> Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com> Signed-off-by: Su Baocheng <baocheng.su@siemens.com>
Checklist
make -j4 test
(UNIX), orvcbuild test
(Windows) passes