http: disallow sending obviously invalid status codes #6291
Conversation
|
/cc @nodejs/http |
mscdex
force-pushed
the
http-disallow-bad-statuscode
branch
from
8406b4d
to
3e01bad
Compare
|
This should likely also catch anything less than |
|
@jasnell True, but I was aiming to be as backwards compatible as possible with this. Who knows if anyone out there is using custom/unofficial status codes. |
|
Tagging this for possible backporting to v4.x, feel free to remove if you think it shouldn't be. I see this as a bug fix though. |
|
Anyone using anything less than 100 likely has other problems to deal with
|
|
If we're going to validate the numerical value, I would lean more towards a 3-digit check. What do other @nodejs/collaborators think? |
|
What's the reason for introduction of this patch at this point? Is there any open issue about it? |
|
Alright, thank you! |
| @@ -187,6 +187,10 @@ ServerResponse.prototype.writeHead = function(statusCode, reason, obj) { | |||
| headers = obj; | |||
| } | |||
|
|
|||
| const statusCode_ = +statusCode; | |||
| if (statusCode_ < 0 || !isFinite(statusCode_)) | |||
There was a problem hiding this comment.
Why not Number.isInteger?
There was a problem hiding this comment.
Number.isInteger() would return false for strings of valid numbers.
mscdex
force-pushed
the
http-disallow-bad-statuscode
branch
from
3e01bad
to
f9063c7
Compare
|
Ok, I've modified it to check the number of digits now.
|
mscdex
force-pushed
the
http-disallow-bad-statuscode
branch
from
f9063c7
to
dcda312
Compare
|
LGTM if CI is green |
|
I am okay with this. LGTM. semver major? |
|
@thefourtheye Possibly, but it is a bug fix shrug. |
| @@ -187,6 +187,10 @@ ServerResponse.prototype.writeHead = function(statusCode, reason, obj) { | |||
| headers = obj; | |||
| } | |||
|
|
|||
| statusCode |= 0; | |||
| if (statusCode < 100 || statusCode > 999) | |||
There was a problem hiding this comment.
Nit: I am not sure if this really matters but the expected port range is just 100-599 http://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml
There was a problem hiding this comment.
Yes, @jasnell mentioned this already. However I think it might be better to be a bit more lenient in case of custom/unofficial/whatever status codes out in the wild.
There was a problem hiding this comment.
Oh, sorry. I didn't read the comments completely.
|
I think if we keep it at any three digit code we can easily justify landing
|
|
LGTM |
| break; | ||
| case 5: | ||
| assert.throws(common.mustCall(() => { | ||
| res.writeHead(1000); |
There was a problem hiding this comment.
Perhaps also have a case for a non-numeric string?
There was a problem hiding this comment.
+1 ... null, 'this is not invalid, [], true, etc could all be included in the tests here, just to be overly careful ;-)
There was a problem hiding this comment.
Suggested tests added.
|
LGTM |
|
LGTM, I like this change. |
| @@ -187,6 +187,10 @@ ServerResponse.prototype.writeHead = function(statusCode, reason, obj) { | |||
| headers = obj; | |||
| } | |||
|
|
|||
| statusCode |= 0; | |||
| if (statusCode < 100 || statusCode > 999) | |||
| throw new Error(`Invalid status code: ${statusCode}`); | |||
There was a problem hiding this comment.
Should this be a RangeError?
There was a problem hiding this comment.
Should passing 'NotAStatusCode' cause a RangeError?
There was a problem hiding this comment.
@ChALkeR It's debatable, but since statusCode is ultimately coerced to an integer value (e.g. 0 for non-numeric values) I thought maybe RangeError would fit better since 0 < 100. shrug
|
LGTM with a comment. |
mscdex
force-pushed
the
http-disallow-bad-statuscode
branch
from
dcda312
to
ec50170
Compare
|
Just one additional minor comment on the tests. Otherwise still LGTM |
mscdex
force-pushed
the
http-disallow-bad-statuscode
branch
from
ec50170
to
35b4f99
Compare
PR-URL: #6291 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com> Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
PR-URL: #6291 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com> Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
PR-URL: nodejs#6291 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com> Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
PR-URL: #6291 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com> Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
|
I'm adding this to v4.x-staging and to the v4.4.5 release candidate. if anyone objects or if we see any weird regressions I will back it out |
PR-URL: #6291 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com> Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
PR-URL: #6291 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com> Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Notable changes:
* **buffer**:
* Buffer no longer errors if you call lastIndexOf with a search term
longer than the buffer (Anna Henningsen)
#6511
* deps:
* update npm to 2.15.5 (Rebecca Turner)
#6663
* http:
* Invalid status codes can no longer be sent. Limited to 3 digit
numbers between 100 - 999 (Brian White)
#6291
Notable changes:
* **buffer**:
* Buffer no longer errors if you call lastIndexOf with a search term
longer than the buffer (Anna Henningsen)
#6511
* contextify:
* Context objects are now properly garbage collected, this solves a
problem some individuals were experiencing with extreme memory
growth (Ali Ijaz Sheikh)
#6871
* deps:
* update npm to 2.15.5 (Rebecca Turner)
#6663
* http:
* Invalid status codes can no longer be sent. Limited to 3 digit
numbers between 100 - 999 (Brian White)
#6291
Notable changes:
* **buffer**:
* Buffer no longer errors if you call lastIndexOf with a search term
longer than the buffer (Anna Henningsen)
#6511
* contextify:
* Context objects are now properly garbage collected, this solves a
problem some individuals were experiencing with extreme memory
growth (Ali Ijaz Sheikh)
#6871
* deps:
* update npm to 2.15.5 (Rebecca Turner)
#6663
* http:
* Invalid status codes can no longer be sent. Limited to 3 digit
numbers between 100 - 999 (Brian White)
#6291
Notable changes:
* **buffer**:
* Buffer no longer errors if you call lastIndexOf with a search term
longer than the buffer (Anna Henningsen)
#6511
* contextify:
* Context objects are now properly garbage collected, this solves a
problem some individuals were experiencing with extreme memory
growth (Ali Ijaz Sheikh)
#6871
* deps:
* update npm to 2.15.5 (Rebecca Turner)
#6663
* http:
* Invalid status codes can no longer be sent. Limited to 3 digit
numbers between 100 - 999 (Brian White)
#6291
Notable changes:
* **buffer**:
* Buffer no longer errors if you call lastIndexOf with a search term
longer than the buffer (Anna Henningsen)
#6511
* contextify:
* Context objects are now properly garbage collected, this solves a
problem some individuals were experiencing with extreme memory
growth (Ali Ijaz Sheikh)
#6871
* deps:
* update npm to 2.15.5 (Rebecca Turner)
#6663
* http:
* Invalid status codes can no longer be sent. Limited to 3 digit
numbers between 100 - 999 (Brian White)
#6291
|
Code that would previously run and happily dish out invalid status codes will now die from unhandled exceptions. Isn't that sort of the definition of a breaking change? Upgrading from v4.4.4 to v4.4.5 shouldn't require people to modify their code. |
|
It's too late now, and that I have the advantage of hindsight... If this PR was 2 commits, with the first one adding the (semver-patch) |
|
I was also quite surprised to see this backported. |
| case 0: | ||
| assert.throws(common.mustCall(() => { | ||
| res.writeHead(-1); | ||
| }, /invalid status code/i)); |
There was a problem hiding this comment.
The closing parenthesis for common.mustCall() is misplaced here and on the other lines. It should read:
}), /invalid status code/i);
With the current code, the RegExp is passed to mustCall as the expected paramater, and then silently replaced with 1 because it's non-numeric. Then the assert.throws call doesn't validate the error message and passes the test as long as any error is thrown.
I'll fix this along with my patch for #9027 unless you'd prefer to see it in a separate PR.
|
Thank you, guys, we got broken app after patch-upgrade👏 FYI, http://semver.org/
|
Checklist
Affected core subsystem(s)
Description of change
Disallows sending of invalid status codes.