-
Notifications
You must be signed in to change notification settings - Fork 29.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
HPE_INVALID_HEADER_TOKEN on http requests #27711
Comments
Do you have an example request that reproduces this? |
now it started working, probably an issue with the network, thanks anyway! |
I have the same problem. I'm trying to place a get request to
The error occurs only on Node 12 (v12.2.0). Downgrading Node to v11.15.0 and v10.15.3 allows the code to work properly. Upgrading to v12.2.0 gives the errors again. Running
Perhaps the headers above are malformed, but given that Node 10 and 11 can correctly handle the headers and only Node 12 has problems leads me to believe that this ticket should be reopened. |
@jd4ever That response is malformed. According to the http spec, spaces are not permitted in header field names. So this is a case of the old http parser being less strict than the new http parser that's on by default in node v12. You can still use the old http parser for now in node v12 by passing |
@mscdex thanks for looking into this! Using It does look like the new parser of Node 12 is more strict. However, since the error comes from a remote server that is entirely beyond our control, it seems that a more strict parser is a disadvantage, rather than an advantage. Do you know whether the legacy option will ever be removed in the future? I worry that it will cause a lot of problems that can't be fixed from our end. |
I am also seeing that error after moving a site behind a WAF using Incapsula. So I suspect the issue reported by jd4ever was not (or not only) the spaces in the XeHOlala header.
I have not had luck with |
@damien-git The |
Actually I was using node-fetch, which is still not supporting HTTP 2, so it was using HTTP 1.1, and these sites have a bad header with HTTP 1.1 similar to the one described by jd4ever (visible with |
Try the following, for nodemon and pm2, assuming your code resides in .lib/index.js
|
I was getting the same error. Ironically, also while getting an endpoint from Bitstamp via Axios (not sure if related). I used I don't understand what's causing the error.. after inspecting the headers from the request which is erroring out- nothing looks out of place. No spaces in the header or anything, as mentioned up-thread. |
I've just stumbled over this issue too. It looks like it's limited to the It looks like their HTTP/1.1 responses are attaching or manipulating cookies leaving some rogue formatting:
It looks like the
This is clearly an issue with Incapsula, however as someone above pointed out it's incredibly inconvenient that we're unable to parse the response. Is there any scope for dropping the invalid header and parsing the rest? How many scenarios are there whereby discarding the entire response is the desirable behaviour? What do other browsers / parsers do in these scenarios? |
i am living same problem with incapsula server, and i have no idea how to pass "--http-parser=legacy" arg to my nwjs app |
2019/10/25 Update I agree with @theninj4 . I think it would be better to add an option to determine whether parse As in RFC 7230, a user agent must replace the heading spaces with a space and concat lines.
And the RFC determines the server MUST either reject the message by sending a 400 (Bad Request) or parse correctly in the same way as user-agent.
Should I create another issue to |
Any environment variable to do this instead of node parameter? |
I don't understand the reasoning behind that decision. It makes Node v13 totally useless when trying to fetch data from a server (that is beyond your control), since you also removed --http-parser=legacy Why not just try to ignore or circumvent ill-formed header-lines by giving the developer an option to handle those headers on their own. It's like if a browser would try to parse an ill-formed HTML page and tells the user: "This page is not according to the W3-specification, bad luck!". |
At my company we just encountered this and opened a support ticket with Incapsula (we use their CDN). Here is their response:
So while they provide an option to disable this, they are not going to change it altogether, and if you are not the one in control of the endpoint you are trying to request behind their CDN, you can't upgrade to node 13+ unless something changes... |
Also the problem is not only for InCapsula, I have an app that needs comunicate to government webservices (is beyond of our control), and have the same problem with invalid HEADER. Really this restriction make node.js unusable, should be an option for ignore this error, or something similar |
Just migrated to node12, and it's really inconvenient to add |
I'd also vouch for this being addressed. The way things stand, many production systems will be stuck on node v12 (once they figure out the
|
Re-opening, it seems to have gotten closed prematurely. A work-around is mentioned, but that workaround is no longer available since the http_parser was removed in 13.x There is a lack of detail in this report about exactly what is malformed, I don't see any trace of the actual HTTP headers returned by the server. There also isn't a standalone reproduction (that would allow us to do the trace). |
Here's an example for how to see a malformed
Running this on the Node.js repl shows the issue we're facing: require('https').get('https://www.dezeen.com/robots.txt', (res) => {
console.log('yay')
}).on('error', (e) => {
console.error(e)
})
|
I'm getting this error trying to parse a filename in a |
Any way to set insecureHTTPParser option as global? |
Can any one provide the steps to reproduce it. I have tried with request module on node v8.14.0 and v10.14.2 but it doesn't give the error |
on
With
With
However, by adding
with all |
I should add that the raw packet above is
|
Ported from OpenSUSE:nodejs8-8.17.0-lp152.147.1:CVE-2019-15605.patch Original commit message: commit e2c8f89 Author: Sam Roberts <vieuxtech@gmail.com> Date: Thu Jan 16 11:55:52 2020 -0800 test: using TE to smuggle reqs is not possible See: https://hackerone.com/reports/735748 PR-URL: https://github.com/nodejs-private/node-private/pull/192 Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com> commit 49f4220 Author: Sam Roberts <vieuxtech@gmail.com> Date: Tue Feb 4 10:36:57 2020 -0800 deps: upgrade http-parser to v2.9.3 PR-URL: https://github.com/nodejs-private/http-parser-private/pull/4 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> commit d616722 Author: Sam Roberts <vieuxtech@gmail.com> Date: Tue Jan 7 14:24:54 2020 -0800 test: check that --insecure-http-parser works Test that using --insecure-http-parser will disable validation of invalid characters in HTTP headers. See: - nodejs#30567 Backport-PR-URL: nodejs#30471 PR-URL: nodejs#31253 Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de> commit a9849c0 Author: Sam Roberts <vieuxtech@gmail.com> Date: Wed Nov 20 11:48:58 2019 -0800 http: opt-in insecure HTTP header parsing Allow insecure HTTP header parsing. Make clear it is insecure. See: - nodejs#30553 - nodejs#27711 (comment) - nodejs#30515 Backport-PR-URL: nodejs#30471 PR-URL: nodejs#30567 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Denys Otrishko <shishugi@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> commit a28e5cc Author: Sam Roberts <vieuxtech@gmail.com> Date: Wed Nov 13 10:05:38 2019 -0800 deps: upgrade http-parser to v2.9.1 PR-URL: nodejs#30471 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Jiawen Geng <technicalcute@gmail.com> Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com> Signed-off-by: Su Baocheng <baocheng.su@siemens.com>
I am getting this error from axios rest api call in nodejs application. I have tried all the mentioned work arounds but didn't work though. Can someone help me out here. And the other thing is, I keep getting this intermittently blocking me for hours. Parse Error: Invalid header value char |
Node: 10.21.0
same applies to axios. Same problem applies with node v14.15.4 on same MACOS. i believe the '42' after the headers might be a compliance issue. |
I think it's the spaces before XGVORalE and X-CDN |
@7c this seems to be working just fine with v15.7.0 . Have you checked it? |
no but really, i do not want to switch to higher version if it is not a necessity. This might be an issue with the server and backend these servers are using, they might not comply with standards. nodejs probably does. |
@7c Yes, the first raw response is definitely not valid because of the '42'. Are you saying the second raw response results in a parse error as well? |
Hitting similar issues with nodejs & stupid Imperva WAF now. @mscdex |
Ported from OpenSUSE:nodejs8-8.17.0-lp152.147.1:CVE-2019-15605.patch Original commit message: commit e2c8f89 Author: Sam Roberts <vieuxtech@gmail.com> Date: Thu Jan 16 11:55:52 2020 -0800 test: using TE to smuggle reqs is not possible See: https://hackerone.com/reports/735748 PR-URL: https://github.com/nodejs-private/node-private/pull/192 Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com> commit 49f4220 Author: Sam Roberts <vieuxtech@gmail.com> Date: Tue Feb 4 10:36:57 2020 -0800 deps: upgrade http-parser to v2.9.3 PR-URL: https://github.com/nodejs-private/http-parser-private/pull/4 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> commit d616722 Author: Sam Roberts <vieuxtech@gmail.com> Date: Tue Jan 7 14:24:54 2020 -0800 test: check that --insecure-http-parser works Test that using --insecure-http-parser will disable validation of invalid characters in HTTP headers. See: - nodejs#30567 Backport-PR-URL: nodejs#30471 PR-URL: nodejs#31253 Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de> commit a9849c0 Author: Sam Roberts <vieuxtech@gmail.com> Date: Wed Nov 20 11:48:58 2019 -0800 http: opt-in insecure HTTP header parsing Allow insecure HTTP header parsing. Make clear it is insecure. See: - nodejs#30553 - nodejs#27711 (comment) - nodejs#30515 Backport-PR-URL: nodejs#30471 PR-URL: nodejs#30567 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Denys Otrishko <shishugi@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> commit a28e5cc Author: Sam Roberts <vieuxtech@gmail.com> Date: Wed Nov 13 10:05:38 2019 -0800 deps: upgrade http-parser to v2.9.1 PR-URL: nodejs#30471 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Jiawen Geng <technicalcute@gmail.com> Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com> Signed-off-by: Su Baocheng <baocheng.su@siemens.com>
For anyone coming here for spring boot app and Istio service mesh, check your headers where there was a trailing space to the header like "application-name ". Rename the header to "application-name" and it will work. |
Upgrading to 12.2.0 broke several http calls with a parse error
HPE_INVALID_HEADER_TOKEN
, all requests were working fine with version 11.10.0 I had before the upgrade.I tried http-parser-js library to patch http but I still get the same issue
process.binding('http_parser').HTTPParser = require('http-parser-js').HTTPParser;
The text was updated successfully, but these errors were encountered: