Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

HPE_INVALID_HEADER_TOKEN on https requests #30515

Closed
ejoebstl opened this issue Nov 17, 2019 · 11 comments
Closed

HPE_INVALID_HEADER_TOKEN on https requests #30515

ejoebstl opened this issue Nov 17, 2019 · 11 comments
Labels
http_parser Issues and PRs related to the HTTP Parser dependency or the http_parser binding. http Issues or PRs related to the http subsystem.

Comments

@ejoebstl
Copy link

ejoebstl commented Nov 17, 2019

Version: v10.16.3
Platform: alpine:3.10 in docker
Subsystem: http_parser: '2.9.2'

HTTP request crashes with HPE_INVALID_HEADER_TOKEN.

Script to reproduce:

https.get('https://www.dezeen.com/2015/08/04/walden-raft-provides-seclusion-french-lake-elise-morin-florent-albinet-henry-david-thoreau-cabin/', (resp) => { }).on("error", (err) => {
  console.log(err);
});

Output:

{ Error: Parse Error
    at TLSSocket.socketOnData (_http_client.js:442:20)
    at TLSSocket.emit (events.js:198:13)
    at TLSSocket.EventEmitter.emit (domain.js:466:23)
    at addChunk (_stream_readable.js:288:12)
    at readableAddChunk (_stream_readable.js:269:11)
    at TLSSocket.Readable.push (_stream_readable.js:224:10)
    at TLSWrap.onStreamRead (internal/stream_base_commons.js:94:17) bytesParsed: 1087, code: 'HPE_INVALID_HEADER_TOKEN' }

I think it's related to http_parser: '2.9.2'. It does not happen with a slightly older build which uses http_parser: '2.8.0'.

Likely related to #27711 (comment).

The mentioned workaround does not work here, as the --http-parser option is not available on node v10.

@ejoebstl ejoebstl changed the title HPE_INVALID_HEADER_TOKEN on http requests HPE_INVALID_HEADER_TOKEN on https requests Nov 17, 2019
@richardlau
Copy link
Member

Node.js 10.16.3 still uses http_parser 2.8.0. @sam-github has a PR to bump the http_parser version to 2.9.1 (#30471) but it hasn't landed on 10.x yet.

Unless Node.js in docker is linking to an external http_parser?

@ejoebstl
Copy link
Author

ejoebstl commented Nov 17, 2019

To clarify: This is the build installed on alpine linux 3.10. Notice nodejs 10.16.3 and http_parser 2.9.2 below.

> docker run -it alpine:3.10 sh
/ # apk update
/ # apk add nodejs
(1/7) Installing ca-certificates (20190108-r0)
(2/7) Installing c-ares (1.15.0-r0)
(3/7) Installing libgcc (8.3.0-r0)
(4/7) Installing http-parser (2.9.2-r0)
(5/7) Installing libstdc++ (8.3.0-r0)
(6/7) Installing libuv (1.29.1-r0)
(7/7) Installing nodejs (10.16.3-r0)
Executing busybox-1.30.1-r2.trigger
Executing ca-certificates-20190108-r0.trigger
OK: 32 MiB in 21 packages
/ # 
/ #
/ # node --version
v10.16.3
/ # node
> process
process {
  title: 'node',
  version: 'v10.16.3',
  versions:
   { http_parser: '2.9.2',
     node: '10.16.3',
     v8: '6.8.275.32-node.54',
     uv: '1.29.1',
     zlib: '1.2.11',
     brotli: '1.0.7',
     ares: '1.15.0',
     modules: '64',
     nghttp2: '1.39.2',
     napi: '4',
     openssl: '1.1.1c',
     icu: '64.2',
     unicode: '12.1',
     cldr: '35.1',
     tz: '2019a' },
  arch: 'x64',
  platform: 'linux',
[......]

Details here. Is it worth raising an issue with the maintainer? I guess they are using an external http_parser.

@sam-github
Copy link
Contributor

Also repros with node w/http-parser@2.9.1

% ./out/Release/node                    
> https.get('https://www.dezeen.com/2015/08/04/walden-raft-provides-seclusion-french-lake-elise-morin-florent-albinet-henry-david-thoreau-cabin/', (resp) => { }).on("error", (err) => {console.log(err);}), null;
null
> { Error: Parse Error
    at TLSSocket.socketOnData (_http_client.js:454:20)
    at emitOne (events.js:116:13)
    at TLSSocket.emit (events.js:211:7)
    at addChunk (_stream_readable.js:263:12)
    at readableAddChunk (_stream_readable.js:250:11)
    at TLSSocket.Readable.push (_stream_readable.js:208:10)
    at TLSWrap.onread (net.js:601:20) bytesParsed: 605, code: 'HPE_INVALID_HEADER_TOKEN' }

> process.versions
{ http_parser: '2.9.1',
  node: '8.16.3-pre',
  v8: '6.2.414.78',
  uv: '1.23.2',
  zlib: '1.2.11',
  ares: '1.10.1-DEV',
  modules: '57',
  nghttp2: '1.39.2',
  napi: '4',
  openssl: '1.0.2s',
  icu: '60.1',
  unicode: '10.0',
  cldr: '32.0',
  tz: '2017c' }

Does not repro with 2.8.1 (build from v10.x-staging)

@nodejs/http-parser PTAL

@indutny
Copy link
Member

indutny commented Nov 18, 2019

This appears to be the same problem with Incapsula server as before:

Set-Cookie: ___utmvaskuOpzY=uda\u0001zMYa; path=/; Max-Age=900

@indutny
Copy link
Member

indutny commented Nov 18, 2019

See #29589

@sam-github
Copy link
Contributor

@indutny @nodejs/http I'm still not clear, is this a bug or not? Do you have a link to the "before" issue?

It's clearly a change in the behaviour of the http-parser, before #30471 http parser 2.8.0 doesn't error, after with 2.9.1 it does error.

Is that change a regression?

If its not a regression, is it enough of a change to block release in an LTS version? cc: @nodejs/lts

If the failure here is a result of the security fixes nodejs/http-parser#469 or nodejs/http-parser#458, we might need to add a --cve-revert to #30471, since its those sec issues that prompted me to PR updates to the http-parser into LTS branches.

@indutny
Copy link
Member

indutny commented Nov 18, 2019

My opinion here is that fixing this bug generally and without a runtime flag means likely security issue for most users. Incapsula is sending blatantly incorrect header value and we are right to reject it. HTTP/1.1 is very brittle as the protocol data is mixed with the protocol itself. It would be unwise to loosen our requirements since it could potentially lead to request smuggling and other nasty security vulnerabilities.

However, I do believe that we have to re-introduce the lenient parsing to llhttp and in fact I just opened a PR for this: nodejs/llhttp#33 . Not sure if it should be a blocker for a release in LTS version, though.

@devsnek devsnek added http Issues or PRs related to the http subsystem. http_parser Issues and PRs related to the HTTP Parser dependency or the http_parser binding. labels Nov 21, 2019
sam-github added a commit to sam-github/node that referenced this issue Dec 5, 2019
Allow insecure HTTP header parsing. Make clear it is insecure.

See:
- nodejs#30553
- nodejs#27711 (comment)
- nodejs#30515
sam-github added a commit that referenced this issue Dec 9, 2019
Allow insecure HTTP header parsing. Make clear it is insecure.

See:
- #30553
- #27711 (comment)
- #30515

PR-URL: #30567
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Denys Otrishko <shishugi@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
targos pushed a commit that referenced this issue Dec 10, 2019
Allow insecure HTTP header parsing. Make clear it is insecure.

See:
- #30553
- #27711 (comment)
- #30515

PR-URL: #30567
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Denys Otrishko <shishugi@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
@ianp
Copy link

ianp commented Dec 11, 2019

I would like to be able to set this on a per request basis, via a insecureParser option (similar to the existing maxHeaderSize) to http.request. Happy to have a go at creating a PR for it myself (now that @indutny has done all of the hard work!), should I open a new issue for this or just reference this one?

@sam-github
Copy link
Contributor

@ianp you don't need to open an issue to open a PR. @addaleax was interested in doing something similar to what you suggest,but I suspect would be happy for you to do it instead. Nobody can call dibs on a feature, so if you can implement it quickly, its yours.

@addaleax
Copy link
Member

@ianp Yes, feel free to go ahead! You can use Refs: https://github.com/nodejs/node/issues/30515 in the commit message if you want to refer to this issue 👍

sam-github added a commit to sam-github/node that referenced this issue Jan 10, 2020
Allow insecure HTTP header parsing. Make clear it is insecure.

See:
- nodejs#30553
- nodejs#27711 (comment)
- nodejs#30515

PR-URL: nodejs#30567
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Denys Otrishko <shishugi@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
sam-github added a commit to sam-github/node that referenced this issue Jan 10, 2020
Allow insecure HTTP header parsing. Make clear it is insecure.

See:
- nodejs#30553
- nodejs#27711 (comment)
- nodejs#30515

PR-URL: nodejs#30567
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Denys Otrishko <shishugi@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
targos pushed a commit that referenced this issue Jan 14, 2020
Allow insecure HTTP header parsing. Make clear it is insecure.

See:
- #30553
- #27711 (comment)
- #30515

PR-URL: #30567
Backport-PR-URL: #30473
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Denys Otrishko <shishugi@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
@lundibundi
Copy link
Member

Closing, see #27711 (comment).

zsw007 added a commit to ibmruntimes/node that referenced this issue Feb 11, 2020
Backport 496736f

Original commit message:

    Allow insecure HTTP header parsing. Make clear it is insecure.

    See:
    - nodejs/node#30553
    - nodejs/node#27711 (comment)
    - nodejs/node#30515

    PR-URL: nodejs/node#30567
    Backport-PR-URL: nodejs/node#30473
    Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
    Reviewed-By: Anna Henningsen <anna@addaleax.net>
    Reviewed-By: Denys Otrishko <shishugi@gmail.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>
zsw007 added a commit to ibmruntimes/node that referenced this issue Feb 12, 2020
Backport 496736f

Original commit message:

    Allow insecure HTTP header parsing. Make clear it is insecure.

    See:
    - nodejs/node#30553
    - nodejs/node#27711 (comment)
    - nodejs/node#30515

    PR-URL: nodejs/node#30567
    Backport-PR-URL: nodejs/node#30473
    Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
    Reviewed-By: Anna Henningsen <anna@addaleax.net>
    Reviewed-By: Denys Otrishko <shishugi@gmail.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>
zsw007 added a commit to ibmruntimes/node that referenced this issue Feb 12, 2020
Backport 496736f

Original commit message:

    Allow insecure HTTP header parsing. Make clear it is insecure.

    See:
    - nodejs/node#30553
    - nodejs/node#27711 (comment)
    - nodejs/node#30515

    PR-URL: nodejs/node#30567
    Backport-PR-URL: nodejs/node#30473
    Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
    Reviewed-By: Anna Henningsen <anna@addaleax.net>
    Reviewed-By: Denys Otrishko <shishugi@gmail.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>
BaochengSu added a commit to BaochengSu/node that referenced this issue Oct 21, 2020
Ported from
OpenSUSE:nodejs8-8.17.0-lp152.147.1:CVE-2019-15605.patch

Original commit message:

commit e2c8f89
Author: Sam Roberts <vieuxtech@gmail.com>
Date:   Thu Jan 16 11:55:52 2020 -0800

    test: using TE to smuggle reqs is not possible

    See: https://hackerone.com/reports/735748

    PR-URL: https://github.com/nodejs-private/node-private/pull/192
    Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com>

commit 49f4220
Author: Sam Roberts <vieuxtech@gmail.com>
Date:   Tue Feb 4 10:36:57 2020 -0800

    deps: upgrade http-parser to v2.9.3

    PR-URL: https://github.com/nodejs-private/http-parser-private/pull/4
    Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Sam Roberts <vieuxtech@gmail.com>

commit d616722
Author: Sam Roberts <vieuxtech@gmail.com>
Date:   Tue Jan 7 14:24:54 2020 -0800

    test: check that --insecure-http-parser works

    Test that using --insecure-http-parser will disable validation of
    invalid characters in HTTP headers.

    See:
    - nodejs#30567

    Backport-PR-URL: nodejs#30471
    PR-URL: nodejs#31253
    Reviewed-By: Richard Lau <riclau@uk.ibm.com>
    Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>

commit a9849c0
Author: Sam Roberts <vieuxtech@gmail.com>
Date:   Wed Nov 20 11:48:58 2019 -0800

    http: opt-in insecure HTTP header parsing

    Allow insecure HTTP header parsing. Make clear it is insecure.

    See:
    - nodejs#30553
    - nodejs#27711 (comment)
    - nodejs#30515

    Backport-PR-URL: nodejs#30471
    PR-URL: nodejs#30567
    Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
    Reviewed-By: Anna Henningsen <anna@addaleax.net>
    Reviewed-By: Denys Otrishko <shishugi@gmail.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>

commit a28e5cc
Author: Sam Roberts <vieuxtech@gmail.com>
Date:   Wed Nov 13 10:05:38 2019 -0800

    deps: upgrade http-parser to v2.9.1

    PR-URL: nodejs#30471
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
    Reviewed-By: Richard Lau <riclau@uk.ibm.com>
    Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com>

Signed-off-by: Su Baocheng <baocheng.su@siemens.com>
BaochengSu added a commit to BaochengSu/node that referenced this issue Jul 14, 2022
Ported from
OpenSUSE:nodejs8-8.17.0-lp152.147.1:CVE-2019-15605.patch

Original commit message:

commit e2c8f89
Author: Sam Roberts <vieuxtech@gmail.com>
Date:   Thu Jan 16 11:55:52 2020 -0800

    test: using TE to smuggle reqs is not possible

    See: https://hackerone.com/reports/735748

    PR-URL: https://github.com/nodejs-private/node-private/pull/192
    Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com>

commit 49f4220
Author: Sam Roberts <vieuxtech@gmail.com>
Date:   Tue Feb 4 10:36:57 2020 -0800

    deps: upgrade http-parser to v2.9.3

    PR-URL: https://github.com/nodejs-private/http-parser-private/pull/4
    Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Sam Roberts <vieuxtech@gmail.com>

commit d616722
Author: Sam Roberts <vieuxtech@gmail.com>
Date:   Tue Jan 7 14:24:54 2020 -0800

    test: check that --insecure-http-parser works

    Test that using --insecure-http-parser will disable validation of
    invalid characters in HTTP headers.

    See:
    - nodejs#30567

    Backport-PR-URL: nodejs#30471
    PR-URL: nodejs#31253
    Reviewed-By: Richard Lau <riclau@uk.ibm.com>
    Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>

commit a9849c0
Author: Sam Roberts <vieuxtech@gmail.com>
Date:   Wed Nov 20 11:48:58 2019 -0800

    http: opt-in insecure HTTP header parsing

    Allow insecure HTTP header parsing. Make clear it is insecure.

    See:
    - nodejs#30553
    - nodejs#27711 (comment)
    - nodejs#30515

    Backport-PR-URL: nodejs#30471
    PR-URL: nodejs#30567
    Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
    Reviewed-By: Anna Henningsen <anna@addaleax.net>
    Reviewed-By: Denys Otrishko <shishugi@gmail.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>

commit a28e5cc
Author: Sam Roberts <vieuxtech@gmail.com>
Date:   Wed Nov 13 10:05:38 2019 -0800

    deps: upgrade http-parser to v2.9.1

    PR-URL: nodejs#30471
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
    Reviewed-By: Richard Lau <riclau@uk.ibm.com>
    Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com>

Signed-off-by: Su Baocheng <baocheng.su@siemens.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
http_parser Issues and PRs related to the HTTP Parser dependency or the http_parser binding. http Issues or PRs related to the http subsystem.
Projects
None yet
Development

No branches or pull requests

8 participants