Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Missing API docs for recent changes in HTTP module #24693

Closed
lirantal opened this issue Nov 28, 2018 · 6 comments
Closed

Missing API docs for recent changes in HTTP module #24693

lirantal opened this issue Nov 28, 2018 · 6 comments
Labels
http_parser Issues and PRs related to the HTTP Parser dependency or the http_parser binding. http Issues or PRs related to the http subsystem.

Comments

@lirantal
Copy link
Member

Updates to the HTTP module that landed in recent Node.js releases in an attempt to mitigate several CVEs may cause braking changes on users and teams which make use of large headers due to reasons such as bulk APIs that will employ a large string in the query param.

  • Version: v6.15.0, v8.14.0, v10.14.0, v11.3.0.
  • Subsystem: http

It seems that:

  1. The current limitation of 8kb (instead of previously) 80kb is a hard limit and is not configurable.
  2. There may be an escape hatch which is to re-compile node with a higher limit.

At the very least, I'm proposing to update the HTTP API docs with the above details to convey this information.

I will follow-up with a PR to the docs.

--

Reference: https://www.nearform.com/blog/protecting-node-js-from-uncontrolled-resource-consumption-headers-attacks

Related issues: #24692
@vsemozhetbyt vsemozhetbyt added http Issues or PRs related to the http subsystem. http_parser Issues and PRs related to the HTTP Parser dependency or the http_parser binding. labels Nov 28, 2018
@lirantal lirantal mentioned this issue Nov 28, 2018
Closed
4 tasks
@mcollina
Copy link
Member

We picked 8KB as its the default of NGINX to protect from the same type of attack. Unfortunately making this configurable is not an easy feat, as it is a build-time configuration, unfortunately http_parser does this check via a macro. We deemed this as a good solution. I would suggest that if we want to make this a runtime configuration, a serious refactoring of http_parser is necessary. I would recommend this to happen in llhttp instead.

It is possible to change the max size by changing this define directive: HTTP_MAX_HEADER_SIZE=8192 in our gyp configs. See 1860352 for more details.
We should probably adding this settings into some docs. I'm sorry about not including this in the release.

@elmarx
Copy link

elmarx commented Nov 28, 2018

@mcollina thanks for the info.

Is there a way to set HTTP_MAX_HEADER_SIZE via the usual ./configure && make steps? Or does it require prior editing/patching of "deps/http_parser/http_parser.gyp"?

@mcollina
Copy link
Member

@zauberpony I thought so, but after some investigation, it seem we need to add an option to ./configure. I'll see if I can prepare a PR asap.

@sam-github sam-github mentioned this issue Nov 28, 2018
Closed
4 tasks
@richardlau
Copy link
Member

I think you could set the CFLAGS environment variable, e.g. CFLAGS=-DHTTP_MAX_HEADER_SIZE=10000 but I don't know what order gyp will put the arguments to the C compiler when combined with the definition in the http_parser gyp file.

@elmarx
Copy link

elmarx commented Nov 28, 2018

OK, for now I simply patched http_parser.gyp, which works (so no need to rush), but of course a flag or env-variable (I did not yet test @richardlau's suggestion) would be cleaner in the long run.

sam-github added a commit to sam-github/node that referenced this issue Nov 28, 2018
@sam-github
doc: describe current HTTP header size limit
19cdee8 
Document that the limit was changed from 80KB to 8KB in 1860352.

Fixes: nodejs#24693
Trott pushed a commit to Trott/io.js that referenced this issue Nov 28, 2018
@sam-github @Trott
doc: describe current HTTP header size limit
063e8fb 
Document that the limit was changed from 80KB to 8KB in 1860352.

Fixes: nodejs#24693

PR-URL: nodejs#24700
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
@Trott
Copy link
Member

Trott commented Nov 28, 2018

Fixed in 063e8fb

@Trott Trott closed this as completed Nov 28, 2018
@mcollina mcollina mentioned this issue Nov 29, 2018
Closed
2 tasks
@bnoordhuis bnoordhuis mentioned this issue Nov 29, 2018
Closed
targos pushed a commit that referenced this issue Nov 29, 2018
@sam-github @targos
doc: describe current HTTP header size limit
68dc100 
Document that the limit was changed from 80KB to 8KB in 1860352.

Fixes: #24693

PR-URL: #24700
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
mcollina added a commit to mcollina/node that referenced this issue Nov 30, 2018
@mcollina
build: make HTTP_MAX_HEADER_SIZE configurable
8311677 
The maximum size of headers introduced in the security release of
2018/11/27 is not configurable. This change adds a
--http-max-header-size option to ./configure.

See: nodejs#24693
MylesBorins pushed a commit that referenced this issue Dec 25, 2018
@sam-github @MylesBorins
doc: describe current HTTP header size limit
f30d169 
Document that the limit was changed from 80KB to 8KB in 1860352.

Fixes: #24693

PR-URL: #24700
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
MylesBorins pushed a commit that referenced this issue Dec 25, 2018
@sam-github @MylesBorins
doc: describe current HTTP header size limit
e669733 
Document that the limit was changed from 80KB to 8KB in 1860352.

Fixes: #24693

PR-URL: #24700
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
refack pushed a commit to refack/node that referenced this issue Jan 14, 2019
@sam-github @refack
doc: describe current HTTP header size limit
f045f1b 
Document that the limit was changed from 80KB to 8KB in 1860352.

Fixes: nodejs#24693

PR-URL: nodejs#24700
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
@stulnikov-roud stulnikov-roud mentioned this issue Sep 23, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
http_parser Issues and PRs related to the HTTP Parser dependency or the http_parser binding. http Issues or PRs related to the http subsystem.
Projects
None yet
Milestone
No milestone
6 participants
@mcollina @elmarx @lirantal @Trott @richardlau @vsemozhetbyt