-
-
Notifications
You must be signed in to change notification settings - Fork 1.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: prevent unhandled exception crashes for invalid header values #9638
Merged
Merged
Changes from all commits
Commits
Show all changes
6 commits
Select commit
Hold shift + click to select a range
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
--- | ||
'@sveltejs/kit': patch | ||
--- | ||
|
||
fix: prevent unhandled exceptions for invalid header values |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
10 changes: 10 additions & 0 deletions
10
packages/kit/test/apps/basics/src/routes/endpoint-output/head-write-error/+server.js
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
import { json } from '@sveltejs/kit'; | ||
|
||
/** @type {import('@sveltejs/kit').RequestHandler} */ | ||
export function GET({ setHeaders }) { | ||
setHeaders({ | ||
'x-test': '\u001f' | ||
}); | ||
|
||
return json({}); | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -177,6 +177,15 @@ test.describe('Endpoints', () => { | |
expect(await response.text()).toEqual(digest); | ||
}); | ||
|
||
// TODO see above | ||
test('invalid headers return a 500', async ({ request }) => { | ||
const response = await request.get('/endpoint-output/head-write-error'); | ||
expect(response.status()).toBe(500); | ||
expect(await response.text()).toMatch( | ||
'TypeError [ERR_INVALID_CHAR]: Invalid character in header content ["x-test"]' | ||
); | ||
}); | ||
|
||
test('OPTIONS handler', async ({ request }) => { | ||
const url = '/endpoint-output/options'; | ||
|
||
|
@@ -485,19 +494,20 @@ test.describe('setHeaders', () => { | |
test('allows multiple set-cookie headers with different values', async ({ page }) => { | ||
const response = await page.goto('/headers/set-cookie/sub'); | ||
const cookies = (await response?.allHeaders())['set-cookie']; | ||
expect(cookies.includes('cookie1=value1') && cookies.includes('cookie2=value2')).toBe(true); | ||
|
||
expect(cookies).toMatch('cookie1=value1'); | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. should we also check that there are no unexpected values? |
||
expect(cookies).toMatch('cookie2=value2'); | ||
}); | ||
}); | ||
|
||
test.describe('cookies', () => { | ||
test('cookie.serialize created correct cookie header string', async ({ page }) => { | ||
const response = await page.goto('/cookies/serialize'); | ||
const cookies = await response.headerValue('set-cookie'); | ||
expect( | ||
cookies.includes('before=before') && | ||
cookies.includes('after=after') && | ||
cookies.includes('endpoint=endpoint') | ||
).toBe(true); | ||
|
||
expect(cookies).toMatch('before=before'); | ||
expect(cookies).toMatch('after=after'); | ||
expect(cookies).toMatch('endpoint=endpoint'); | ||
}); | ||
}); | ||
|
||
|
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not sure on this one - should we just remove all headers, or just the ones up until the error, or try to parse the other headers and add all but the invalid ones? Are there any security implications to this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My thinking was that it's an entirely different response because of the error and it shouldn't carry over any of the original headers.
In its current state at least, those two would mean the same as all the headers haven't yet been copied over to the
res
object yet, in essence we're undoing earlier iterations of this loop.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would agree with @gtm-nayan's implementation and reasoning