util: adding warnings when NODE_DEBUG is set as http/http2

PR-URL: #21914 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
nodejs · Aug 6, 2018 · 980877f · 980877f
1 parent 933d8eb
commit 980877f
Show file tree

Hide file tree

Showing 4 changed files with 30 additions and 0 deletions.
diff --git a/lib/util.js b/lib/util.js
@@ -344,11 +344,23 @@ if (process.env.NODE_DEBUG) {
   debugEnvRegex = new RegExp(`^${debugEnv}$`, 'i');
 }
 
+// Emits warning when user sets
+// NODE_DEBUG=http or NODE_DEBUG=http2.
+function emitWarningIfNeeded(set) {
+  if ('HTTP' === set || 'HTTP2' === set) {
+    process.emitWarning('Setting the NODE_DEBUG environment variable ' +
+      'to \'' + set.toLowerCase() + '\' can expose sensitive ' +
+      'data (such as passwords, tokens and authentication headers) ' +
+      'in the resulting log.');
+  }
+}
+
 function debuglog(set) {
   set = set.toUpperCase();
   if (!debugs[set]) {
     if (debugEnvRegex.test(set)) {
       const pid = process.pid;
+      emitWarningIfNeeded(set);
       debugs[set] = function debug() {
         const msg = exports.format.apply(exports, arguments);
         console.error('%s %d: %s', set, pid, msg);

diff --git a/test/parallel/test-http-conn-reset.js b/test/parallel/test-http-conn-reset.js
@@ -30,6 +30,7 @@ const options = {
   port: undefined
 };
 
+process.env.NODE_DEBUG = 'http';
 // start a tcp server that closes incoming connections immediately
 const server = net.createServer(function(client) {
   client.destroy();

diff --git a/test/parallel/test-http-debug.js b/test/parallel/test-http-debug.js
@@ -0,0 +1,14 @@
+'use strict';
+
+require('../common');
+const assert = require('assert');
+const child_process = require('child_process');
+const path = require('path');
+
+process.env.NODE_DEBUG = 'http';
+const { stderr } = child_process.spawnSync(process.execPath, [
+  path.resolve(__dirname, 'test-http-conn-reset.js')
+], { encoding: 'utf8' });
+
+assert(stderr.match(/Setting the NODE_DEBUG environment variable to 'http' can expose sensitive data \(such as passwords, tokens and authentication headers\) in the resulting log\./),
+       stderr);
diff --git a/test/parallel/test-http2-debug.js b/test/parallel/test-http2-debug.js
@@ -7,10 +7,13 @@ const child_process = require('child_process');
 const path = require('path');
 
 process.env.NODE_DEBUG_NATIVE = 'http2';
+process.env.NODE_DEBUG = 'http2';
 const { stdout, stderr } = child_process.spawnSync(process.execPath, [
   path.resolve(__dirname, 'test-http2-ping.js')
 ], { encoding: 'utf8' });
 
+assert(stderr.match(/Setting the NODE_DEBUG environment variable to 'http2' can expose sensitive data \(such as passwords, tokens and authentication headers\) in the resulting log\./),
+       stderr);
 assert(stderr.match(/Http2Session client \(\d+\) handling data frame for stream \d+/),
        stderr);
 assert(stderr.match(/HttpStream \d+ \(\d+\) \[Http2Session client \(\d+\)\] reading starting/),