Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: prevent unhandled exception crashes for invalid header values #9638

Merged
merged 6 commits into from
Apr 13, 2023
Merged

fix: prevent unhandled exception crashes for invalid header values #9638

merged 6 commits into from
Apr 13, 2023

Conversation

gtm-nayan
Copy link
Contributor

@gtm-nayan gtm-nayan commented Apr 11, 2023
edited
Loading

fixes #9628

Please don't delete this checklist! Before submitting the PR, please make sure you do the following:

  • It's really useful if your PR references an issue where it is discussed ahead of time. In many cases, features are absent for a reason. For large changes, please create an RFC: https://github.com/sveltejs/rfcs
  • This message body should clearly illustrate what problems it solves.
  • Ideally, include a test that fails without this PR but passes with it.

Tests

  • Run the tests with pnpm test and lint the project with pnpm lint and pnpm check

Changesets

  • If your PR makes a change that should be noted in one or more packages' changelogs, generate a changeset by running pnpm changeset and following the prompts. Changesets that add features should be minor and those that fix bugs should be patch. Please prefix changeset messages with feat:, fix:, or chore:.

@changeset-bot
Copy link

changeset-bot bot commented Apr 11, 2023

🦋 Changeset detected

Latest commit: e692574

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
@sveltejs/kit Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

dummdidumm
dummdidumm reviewed Apr 11, 2023
View reviewed changes
packages/kit/src/exports/node/index.js
: value
);
} catch (error) {
res.getHeaderNames().forEach((name) => res.removeHeader(name));
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure on this one - should we just remove all headers, or just the ones up until the error, or try to parse the other headers and add all but the invalid ones? Are there any security implications to this?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My thinking was that it's an entirely different response because of the error and it shouldn't carry over any of the original headers.

should we just remove all headers, or just the ones up until the error

In its current state at least, those two would mean the same as all the headers haven't yet been copied over to the res object yet, in essence we're undoing earlier iterations of this loop.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would agree with @gtm-nayan's implementation and reasoning

benmccann
benmccann reviewed Apr 11, 2023
View reviewed changes
packages/kit/test/apps/basics/test/server.test.js
@@ -485,19 +494,20 @@ test.describe('setHeaders', () => {
test('allows multiple set-cookie headers with different values', async ({ page }) => {
const response = await page.goto('/headers/set-cookie/sub');
const cookies = (await response?.allHeaders())['set-cookie'];
expect(cookies.includes('cookie1=value1') && cookies.includes('cookie2=value2')).toBe(true);

expect(cookies).toMatch('cookie1=value1');
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should we also check that there are no unexpected values?

@dummdidumm dummdidumm merged commit a20d713 into master Apr 13, 2023
@dummdidumm dummdidumm deleted the handle-errors-in-writeHead branch April 13, 2023 08:57
@github-actions github-actions bot mentioned this pull request Apr 13, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@benmccann benmccann benmccann left review comments

@dummdidumm dummdidumm dummdidumm approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Bad response headers kill node process rather than 500 error
3 participants
@gtm-nayan @benmccann @dummdidumm