From ab68df4baa5d0c9f62dcab8b55f0e9168138d456 Mon Sep 17 00:00:00 2001
From: Sam Roberts <vieuxtech@gmail.com>
Date: Wed, 20 Nov 2019 11:48:58 -0800
Subject: [PATCH 1/2] http: llhttp opt-in insecure HTTP header parsing

Allow insecure HTTP header parsing. Make clear it is insecure.

See:
- https://github.com/nodejs/node/pull/30553
- https://github.com/nodejs/node/issues/27711#issuecomment-556265881
- https://github.com/nodejs/node/issues/30515
---
 doc/api/cli.md          | 11 +++++++++++
 doc/node.1              |  6 ++++++
 lib/_http_client.js     |  4 +++-
 lib/_http_common.js     | 13 +++++++++++++
 lib/_http_server.js     |  4 +++-
 src/node_http_parser.cc | 12 ++++++++++--
 src/node_options.cc     |  4 ++++
 src/node_options.h      |  2 ++
 8 files changed, 52 insertions(+), 4 deletions(-)

diff --git a/doc/api/cli.md b/doc/api/cli.md
index d4b4da5249a16b..171f6b8ad29780 100644
--- a/doc/api/cli.md
+++ b/doc/api/cli.md
@@ -419,6 +419,16 @@ added: v9.0.0
 Specify the `module` of a custom [experimental ECMAScript Module loader][].
 `module` may be either a path to a file, or an ECMAScript Module name.
 
+### `--insecure-http-parser`
+<!-- YAML
+added: REPLACEME
+-->
+
+Use an insecure HTTP parser that accepts invalid HTTP headers. This may allow
+interoperability with non-conformant HTTP implementations. It may also allow
+request smuggling and other HTTP attacks that rely on invalid headers being
+accepted. Avoid using this option.
+
 ### `--max-http-header-size=size`
 <!-- YAML
 added: v11.6.0
@@ -1064,6 +1074,7 @@ Node.js options that are allowed are:
 * `--http-parser`
 * `--icu-data-dir`
 * `--input-type`
+* `--insecure-http-parser`
 * `--inspect-brk`
 * `--inspect-port`, `--debug-port`
 * `--inspect-publish-uid`
diff --git a/doc/node.1 b/doc/node.1
index 5f98ba709121fd..5ea38be56e9f37 100644
--- a/doc/node.1
+++ b/doc/node.1
@@ -213,6 +213,12 @@ Specify the
 .Ar module
 to use as a custom module loader.
 .
+.It Fl -insecure-http-parser
+Use an insecure HTTP parser that accepts invalid HTTP headers. This may allow
+interoperability with non-conformant HTTP implementations. It may also allow
+request smuggling and other HTTP attacks that rely on invalid headers being
+accepted. Avoid using this option.
+.
 .It Fl -max-http-header-size Ns = Ns Ar size
 Specify the maximum size of HTTP headers in bytes. Defaults to 8KB.
 .
diff --git a/lib/_http_client.js b/lib/_http_client.js
index ece93d14e01234..7888ce27d570ac 100644
--- a/lib/_http_client.js
+++ b/lib/_http_client.js
@@ -39,6 +39,7 @@ const {
   freeParser,
   parsers,
   HTTPParser,
+  isLenient,
   prepareError,
 } = require('_http_common');
 const { OutgoingMessage } = require('_http_outgoing');
@@ -676,7 +677,8 @@ function tickOnSocket(req, socket) {
   req.socket = socket;
   parser.initialize(HTTPParser.RESPONSE,
                     new HTTPClientAsyncResource('HTTPINCOMINGMESSAGE', req),
-                    req.maxHeaderSize || 0);
+                    req.maxHeaderSize || 0,
+                    isLenient());
   parser.socket = socket;
   parser.outgoing = req;
   req.parser = parser;
diff --git a/lib/_http_common.js b/lib/_http_common.js
index d0f07d3b69e5f5..6b795bf627a8b9 100644
--- a/lib/_http_common.js
+++ b/lib/_http_common.js
@@ -27,6 +27,8 @@ const {
 const { setImmediate } = require('timers');
 
 const { methods, HTTPParser } = internalBinding('http_parser');
+const { getOptionValue } = require('internal/options');
+const insecureHTTPParser = getOptionValue('--insecure-http-parser');
 
 const FreeList = require('internal/freelist');
 const incoming = require('_http_incoming');
@@ -236,6 +238,16 @@ function prepareError(err, parser, rawPacket) {
     err.message = `Parse Error: ${err.reason}`;
 }
 
+let warnedLenient = false;
+
+function isLenient() {
+  if (insecureHTTPParser && !warnedLenient) {
+    warnedLenient = true;
+    process.emitWarning('Using insecure HTTP parsing');
+  }
+  return insecureHTTPParser;
+}
+
 module.exports = {
   _checkInvalidHeaderChar: checkInvalidHeaderChar,
   _checkIsHttpToken: checkIsHttpToken,
@@ -248,5 +260,6 @@ module.exports = {
   parsers,
   kIncomingMessage,
   HTTPParser,
+  isLenient,
   prepareError,
 };
diff --git a/lib/_http_server.js b/lib/_http_server.js
index b967cac3ae402d..42541bf5e0963a 100644
--- a/lib/_http_server.js
+++ b/lib/_http_server.js
@@ -38,6 +38,7 @@ const {
   chunkExpression,
   kIncomingMessage,
   HTTPParser,
+  isLenient,
   _checkInvalidHeaderChar: checkInvalidHeaderChar,
   prepareError,
 } = require('_http_common');
@@ -409,7 +410,8 @@ function connectionListenerInternal(server, socket) {
   parser.initialize(
     HTTPParser.REQUEST,
     new HTTPServerAsyncResource('HTTPINCOMINGMESSAGE', socket),
-    server.maxHeaderSize || 0
+    server.maxHeaderSize || 0,
+    isLenient(),
   );
   parser.socket = socket;
 
diff --git a/src/node_http_parser.cc b/src/node_http_parser.cc
index 0328dc7c0f684a..4214a4ac407e4c 100644
--- a/src/node_http_parser.cc
+++ b/src/node_http_parser.cc
@@ -486,11 +486,13 @@ class Parser : public AsyncWrap, public StreamListener {
 
   static void Initialize(const FunctionCallbackInfo<Value>& args) {
     Environment* env = Environment::GetCurrent(args);
+    bool lenient = false;
 
     uint64_t max_http_header_size = 0;
 
     CHECK(args[0]->IsInt32());
     CHECK(args[1]->IsObject());
+
     if (args.Length() > 2) {
       CHECK(args[2]->IsNumber());
       max_http_header_size = args[2].As<Number>()->Value();
@@ -499,6 +501,11 @@ class Parser : public AsyncWrap, public StreamListener {
       max_http_header_size = env->options()->max_http_header_size;
     }
 
+    if (args.Length() > 3) {
+      CHECK(args[3]->IsBoolean());
+      lenient = args[3]->IsTrue();
+    }
+
     llhttp_type_t type =
         static_cast<llhttp_type_t>(args[0].As<Int32>()->Value());
 
@@ -515,7 +522,7 @@ class Parser : public AsyncWrap, public StreamListener {
 
     parser->set_provider_type(provider);
     parser->AsyncReset(args[1].As<Object>());
-    parser->Init(type, max_http_header_size);
+    parser->Init(type, max_http_header_size, lenient);
   }
 
   template <bool should_pause>
@@ -762,8 +769,9 @@ class Parser : public AsyncWrap, public StreamListener {
   }
 
 
-  void Init(llhttp_type_t type, uint64_t max_http_header_size) {
+  void Init(llhttp_type_t type, uint64_t max_http_header_size, bool lenient) {
     llhttp_init(&parser_, type, &settings);
+    llhttp_set_lenient(&parser_, lenient);
     header_nread_ = 0;
     url_.Reset();
     status_message_.Reset();
diff --git a/src/node_options.cc b/src/node_options.cc
index abf26fb78198e8..831540f993fcb5 100644
--- a/src/node_options.cc
+++ b/src/node_options.cc
@@ -375,6 +375,10 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() {
             &EnvironmentOptions::heap_snapshot_signal,
             kAllowedInEnvironment);
   AddOption("--http-parser", "", NoOp{}, kAllowedInEnvironment);
+  AddOption("--insecure-http-parser",
+            "use an insecure HTTP parser that accepts invalid HTTP headers",
+            &EnvironmentOptions::insecure_http_parser,
+            kAllowedInEnvironment);
   AddOption("--input-type",
             "set module type for string input",
             &EnvironmentOptions::module_type,
diff --git a/src/node_options.h b/src/node_options.h
index c4cb5dc04f18cb..7b3ae19fe6c8ad 100644
--- a/src/node_options.h
+++ b/src/node_options.h
@@ -158,6 +158,8 @@ class EnvironmentOptions : public Options {
   bool print_eval = false;
   bool force_repl = false;
 
+  bool insecure_http_parser = false;
+
   bool tls_min_v1_0 = false;
   bool tls_min_v1_1 = false;
   bool tls_min_v1_2 = false;

From ca5433464ce0ef129c205c99f91c8ad75859b5f5 Mon Sep 17 00:00:00 2001
From: Sam Roberts <vieuxtech@gmail.com>
Date: Thu, 5 Dec 2019 15:09:29 -0800
Subject: [PATCH 2/2] fixup! http: llhttp opt-in insecure HTTP header parsing

---
 src/node_http_parser.cc | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/src/node_http_parser.cc b/src/node_http_parser.cc
index 4214a4ac407e4c..5e1da912e0c31e 100644
--- a/src/node_http_parser.cc
+++ b/src/node_http_parser.cc
@@ -486,7 +486,7 @@ class Parser : public AsyncWrap, public StreamListener {
 
   static void Initialize(const FunctionCallbackInfo<Value>& args) {
     Environment* env = Environment::GetCurrent(args);
-    bool lenient = false;
+    bool lenient = args[3]->IsTrue();
 
     uint64_t max_http_header_size = 0;
 
@@ -501,11 +501,6 @@ class Parser : public AsyncWrap, public StreamListener {
       max_http_header_size = env->options()->max_http_header_size;
     }
 
-    if (args.Length() > 3) {
-      CHECK(args[3]->IsBoolean());
-      lenient = args[3]->IsTrue();
-    }
-
     llhttp_type_t type =
         static_cast<llhttp_type_t>(args[0].As<Int32>()->Value());