http: create an option for setting a maximum size for uri parsing

[caiolrm]

The http server wasn't able to tell exactly what caused an
HPE_HEADER_OVERFLOW, meaning it would yield a 431 error even if what
caused it was the request URI being too long.

This adds a limit to the URI sizes through a new option called
max-http-uri-size, which will be checked against the actual URIs
after on_url callback at the node_http_parser_impl file.

Fixes: #26296
Refs: expressjs/express#3898

Checklist

• make -j4 test (UNIX), or vcbuild test (Windows) passes
• tests and/or benchmarks are included
• documentation is changed or added
• commit message follows commit guidelines

[bnoordhuis]

If --max-http-uri-size > --http-max-header-size you'll never get a 414.

That's probably going to be surprising to some. I'm slightly -1 on adding a separate switch.

[lpinca]

I think making it configurable makes sense. Apache uses the LimitRequestLine Directive for this.

[lpinca]

Yes, I agree on that. This is what this PR is addressing no?

[lpinca]

I'm not sure about the default value. Other than that LGTM.

[lpinca]

@BridgeAR your comment is actually correct as it seems the same counter is used for both the request line and the rest of the headers. I think @caiolrm is working on that.

[lpinca]

Added semver-major because #25605 was also tagged as semver-major.

[caiolrm]

I splitted the counting in two different functions, now the uri length isn't being considered with the headers, also had to make some changes to tests. @BridgeAR @lpinca

[lpinca]

Thank you. Would you be so kind to remove the merge commit?

[mcollina]

This is a shot in the dark but Is there anything wrong on picking something a lot higher like for example 500k as a default and letting the end user customize via flag or similar? My thought process: picking up 8k might break some people but definitely not 500k and if you feel it as a security threat... just reduce it.

Unfortunately no. We had 80KB before and it was exploitable as a DoS vector https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/#denial-of-service-with-large-http-headers-cve-2018-12121. I prefer a safe default.

There is little difference in safety between 8KB and 16KB.

[Trott]

I know URI !== URL but simplicity for the developer probably takes precedence over terminology precision. Since we use url elsewhere in the module (message.url as well as the name of the first argument for http.get() and http.request()), I wonder if this should be maxHttpUrlSize instead of maxHttpUriSize? (Same for the CLI flag.)

[richardlau]

I know URI !== URL but simplicity for the developer probably takes precedence over terminology precision. Since we use url elsewhere in the module (message.url as well as the name of the first argument for http.get() and http.request()), I wonder if this should be maxHttpUrlSize instead of maxHttpUriSize? (Same for the CLI flag.)

But the error that ends up being written is 414 URI Too Long.

[Trott]

But the error that ends up being written is 414 URI Too Long.

Not a bad point, but anything coming from the spec is going to say "URI" as the string "URL" does not appear at all in RFC 7231. But we're not going to change "url" to "uri" in our code base for any other options. So probably best to stick to one term when referring to the same thing.

All that said, I'm fine if we decide to use "uri" here. Let's just make sure it's a considered decision and not an accidental inconsistency.

[caiolrm]

@bnoordhuis that would render the "--http-max-header-size" option unable to limit the actual header size when using the legacy parser. Could you take a look at nodejs/http-parser#463? I splitted the counting there too, maybe that's better, considering we would only need to do something like this:

  const uint32_t max_http_uri_size =
      per_process::cli_options->max_http_uri_size;
  http_parser_set_max_uri_size(max_http_uri_size);

and the options would work for both parsers after that

@mcollina just to clear it up, are you talking about 16KB for headers and 8KB for url?

@Trott I agree with you, there seems to be a preference for url over uri everywhere else in the code.

[vsemozhetbyt]

Suggested change

	Read-only property specifying the maximum allowed size of HTTP request uri
	Read-only property specifying the maximum allowed size of HTTP request URI

[vsemozhetbyt]

Missing bottom references. Will this option be documented later?

[mcollina]

@mcollina just to clear it up, are you talking about 16KB for headers and 8KB for url?

I'm talking about 16KB total. I'd leave the division of those an implementation detail. If possible, I would limit the url to 7KB. I would also let headers use whatever is left in the "budget".

[mcollina]

This PR has changes specific to llhttp and http_parser. Can you add a test that exercise both paths?

See https://github.com/nodejs/node/blob/93e384a75bd5ff8b528437e9c8a937575d27bb59/test/sequential/test-set-http-max-http-headers.js.

[mcollina]

Can you please explain this change?

[caiolrm]

currentSize is being used by fillHeaders to subtract from the max header size and generate a header value with a length that makes the total header size hit the limit. Since the implementation at node_http_parser_impl.h when using llhttp doesn't count the url size towards the header size after the changes, there's no point considering the "/" size when using fillHeaders anymore.

[mcollina]

It is highly possible that the payload comes out of the other side of the socket as a single Buffer. Can you please add a test where the URL is split into two or more chunks?

[mcollina]

Can you add some comments in this function?

[lirantal]

I'm talking about 16KB total. I'd leave the division of those an implementation detail. If possible, I would limit the url to 7KB. I would also let headers use whatever is left in the "budget".

@mcollina if we're updating the total request size to 16KB, perhaps we should conform with rfc7230 recommendation of request-line lengths of 8000 octets ?

[sam-github]

Reference:

Various ad hoc limitations on request-line length are found in
practice. It is RECOMMENDED that all HTTP senders and recipients
support, at a minimum, request-line lengths of 8000 octets.

• https://tools.ietf.org/html/rfc7230#section-3.1.1

I looked, but not equivalent recommendation exists for header section as a whole, not that I found:

HTTP does not place a predefined limit on the length of each header
field or on the length of the header section as a whole, as described
in Section 2.5. Various ad hoc limitations on individual header
field length are found in practice, often depending on the specific
field semantics.

A server that receives a request header field, or set of fields,
larger than it wishes to process MUST respond with an appropriate 4xx
(Client Error) status code.

https://tools.ietf.org/html/rfc7230#section-3.2

[fhinkel]

I'm cleaning out a few old PRs 🧹. I'm closing this due to inactivity. Please re-open if needed!

[Joshsteverson]

I have been waiting on this PR to be merged. The --max-http-header-size flag does not seem to account for large uri strings. What is the suggested path forward for URI (with query parameters) that exceeds 8K? I am supporting a legacy system that sends very large form data URI parameters.

[sam-github]

@nodejs/http could use more reviews

[addaleax]

This seems mostly fine to me, but it definitely needs a rebase now that the legacy parser has been removed…

[addaleax]

Fwiw, this should not be a per-process but rather a per-Environment option.

[addaleax]

@Joshsteverson If you are invested in this PR, I think you can feel free to pick it up and open a new PR based on the code in this one. Usually, all that a PR needs to eventually land is an active author.

[jasnell]

Looks like this stalled out and would need to be updated in order for it to move forward. Closing but it can be reopened if someone wants to pick it back up.