fix: Do not allow OBS fold in headers by default. (nodejs#350)

ShogunPanda · AdamMajer · commit 30098caa270d · 2024-04-12T15:25:04.000+02:00
diff --git a/package.json b/package.json
@@ -1,7 +1,6 @@
 {
   "name": "llhttp",
   "version": "2.1.6-suse",
-  "version": "6.0.11",
   "description": "HTTP parser in LLVM IR",
   "main": "lib/llhttp.js",
   "types": "lib/llhttp.d.ts",
diff --git a/src/llhttp/http.ts b/src/llhttp/http.ts
@@ -599,11 +599,14 @@ export class HTTP {
         'Missing expected LF after header value'));
 
     n('header_value_lws')
-      .peek([ ' ', '\t' ],
-        this.load('header_state', {
-          [HEADER_STATE.TRANSFER_ENCODING_CHUNKED]:
-            this.resetHeaderState(span.headerValue.start(n('header_value_start'))),
-        }, span.headerValue.start(n('header_value_start'))))
+      .peek(
+        [ ' ', '\t' ],
+        this.testFlags(FLAGS.LENIENT, {
+          1: this.load('header_state', {
+            [HEADER_STATE.TRANSFER_ENCODING_CHUNKED]:
+              this.resetHeaderState(span.headerValue.start(n('header_value_start'))),
+          }, span.headerValue.start(n('header_value_start'))),
+        }, p.error(ERROR.INVALID_HEADER_TOKEN, 'Unexpected whitespace after header value')))
       .otherwise(this.setHeaderFlags('header_field_start'));
 
     const checkTrailing = this.testFlags(FLAGS.TRAILING, {
diff --git a/test/request/connection.md b/test/request/connection.md
@@ -263,7 +263,7 @@ off=75 message complete
 
 ### Multiple tokens with folding
 
-<!-- meta={"type": "request"} -->
+<!-- meta={"type": "request-lenient"} -->
 ```http
 GET /demo HTTP/1.1
 Host: example.com
@@ -296,7 +296,7 @@ off=178 len=18 span[header_field]="Sec-WebSocket-Key1"
 off=198 len=20 span[header_value]="4 @1  46546xW%0l 1 5"
 off=220 len=6 span[header_field]="Origin"
 off=228 len=18 span[header_value]="http://example.com"
-off=250 headers complete method=1 v=1/1 flags=15 content_length=0
+off=250 headers complete method=1 v=1/1 flags=115 content_length=0
 off=250 message complete
 off=250 error code=22 reason="Pause on CONNECT/Upgrade"
 ```
@@ -326,7 +326,7 @@ off=75 error code=22 reason="Pause on CONNECT/Upgrade"
 
 ### Multiple tokens with folding, LWS, and CRLF
 
-<!-- meta={"type": "request"} -->
+<!-- meta={"type": "request-lenient"} -->
 ```http
 GET /demo HTTP/1.1
 Connection: keep-alive, \r\n upgrade
@@ -343,7 +343,7 @@ off=32 len=12 span[header_value]="keep-alive, "
 off=46 len=8 span[header_value]=" upgrade"
 off=56 len=7 span[header_field]="Upgrade"
 off=65 len=9 span[header_value]="WebSocket"
-off=78 headers complete method=1 v=1/1 flags=15 content_length=0
+off=78 headers complete method=1 v=1/1 flags=115 content_length=0
 off=78 message complete
 off=78 error code=22 reason="Pause on CONNECT/Upgrade"
 ```
diff --git a/test/request/invalid.md b/test/request/invalid.md
@@ -249,3 +249,64 @@ off=33 len=5 span[header_field]="Dummy"
 off=40 len=1 span[header_value]="x"
 off=41 error code=10 reason="Invalid header value char"
 ```
+
+### Spaces before headers
+
+<!-- meta={ "type": "request" } -->
+
+```http
+POST /hello HTTP/1.1
+Host: localhost
+Foo: bar
+ Content-Length: 38
+
+GET /bye HTTP/1.1
+Host: localhost
+
+
+```
+
+```log
+off=0 message begin
+off=5 len=6 span[url]="/hello"
+off=22 len=4 span[header_field]="Host"
+off=28 len=9 span[header_value]="localhost"
+off=39 len=3 span[header_field]="Foo"
+off=44 len=3 span[header_value]="bar"
+off=49 error code=10 reason="Unexpected whitespace after header value"
+```
+
+### Spaces before headers (lenient)
+
+<!-- meta={ "type": "request-lenient" } -->
+
+```http
+POST /hello HTTP/1.1
+Host: localhost
+Foo: bar
+ Content-Length: 38
+
+GET /bye HTTP/1.1
+Host: localhost
+
+
+```
+
+```log
+off=0 message begin
+off=5 len=6 span[url]="/hello"
+off=22 len=4 span[header_field]="Host"
+off=28 len=9 span[header_value]="localhost"
+off=39 len=3 span[header_field]="Foo"
+off=44 len=3 span[header_value]="bar"
+off=49 len=19 span[header_value]=" Content-Length: 38"
+off=72 headers complete method=3 v=1/1 flags=100 content_length=0
+off=72 message complete
+off=72 message begin
+off=76 len=4 span[url]="/bye"
+off=91 len=4 span[header_field]="Host"
+off=97 len=9 span[header_value]="localhost"
+off=110 headers complete method=1 v=1/1 flags=100 content_length=0
+off=110 message complete
+```
+
diff --git a/test/request/sample.md b/test/request/sample.md
@@ -369,7 +369,7 @@ off=61 message complete
 
 See nodejs/test/parallel/test-http-headers-obstext.js
 
-<!-- meta={"type": "request"} -->
+<!-- meta={"type": "request-lenient"} -->
 ```http
 GET / HTTP/1.1
 X-SSL-Nonsense:   -----BEGIN CERTIFICATE-----
@@ -444,7 +444,7 @@ off=1873 len=65 span[header_value]="\twTC6o2xq5y0qZ03JonF7OJspEd3I5zKY3E+ov7/ZhW
 off=1940 len=65 span[header_value]="\tYhixw1aKEPzNjNowuIseVogKOLXxWI5vAi5HgXdS0/ES5gDGsABo4fqovUKlgop3"
 off=2007 len=5 span[header_value]="\tRA=="
 off=2014 len=26 span[header_value]="\t-----END CERTIFICATE-----"
-off=2044 headers complete method=1 v=1/1 flags=0 content_length=0
+off=2044 headers complete method=1 v=1/1 flags=100 content_length=0
 off=2044 message complete
 ```
 
diff --git a/test/request/transfer-encoding.md b/test/request/transfer-encoding.md
@@ -536,7 +536,5 @@ off=0 message begin
 off=4 len=4 span[url]="/url"
 off=19 len=17 span[header_field]="Transfer-Encoding"
 off=38 len=7 span[header_value]="chunked"
-off=47 len=5 span[header_value]="  abc"
-off=56 headers complete method=4 v=1/1 flags=200 content_length=0
-off=56 error code=15 reason="Request has invalid `Transfer-Encoding`"
+off=47 error code=10 reason="Unexpected whitespace after header value"
 ```
diff --git a/test/response/transfer-encoding.md b/test/response/transfer-encoding.md
@@ -118,7 +118,7 @@ off=78 len=1 span[body]=lf
 
 ## Invalid OBS fold after chunked value
 
-<!-- meta={"type": "response" } -->
+<!-- meta={"type": "response"} -->
 ```http
 HTTP/1.1 200 OK
 Transfer-Encoding: chunked
@@ -136,18 +136,6 @@ off=0 message begin
 off=13 len=2 span[status]="OK"
 off=17 len=17 span[header_field]="Transfer-Encoding"
 off=36 len=7 span[header_value]="chunked"
-off=45 len=5 span[header_value]="  abc"
-off=54 headers complete status=200 v=1/1 flags=200 content_length=0
-off=54 len=1 span[body]="5"
-off=55 len=1 span[body]=cr
-off=56 len=1 span[body]=lf
-off=57 len=5 span[body]="World"
-off=62 len=1 span[body]=cr
-off=63 len=1 span[body]=lf
-off=64 len=1 span[body]="0"
-off=65 len=1 span[body]=cr
-off=66 len=1 span[body]=lf
-off=67 len=1 span[body]=cr
-off=68 len=1 span[body]=lf
+off=45 error code=10 reason="Unexpected whitespace after header value"
 ```
 
diff --git a/tsconfig.json b/tsconfig.json
@@ -7,7 +7,8 @@
     "outDir": "./lib",
     "declaration": true,
     "pretty": true,
-    "sourceMap": true
+    "sourceMap": true,
+    "skipLibCheck": true
   },
   "include": [
     "src/**/*.ts"

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "llhttp",`
`3`	`3`	`"version": "2.1.6-suse",`
`4`		`- "version": "6.0.11",`
`5`	`4`	`"description": "HTTP parser in LLVM IR",`
`6`	`5`	`"main": "lib/llhttp.js",`
`7`	`6`	`"types": "lib/llhttp.d.ts",`