Skip to content

Import v2.x CVES #183

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
ShogunPanda merged 5 commits into from
Sep 1, 2022
Merged

Import v2.x CVES #183

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
c2ea408
http: verify chunk parameters
ronag Jul 13, 2021
4b2a04b
http: disable whitespace for special headers
kumarak Jul 1, 2021
8c2646a
Strict transfer encoding 2.1 (#162)
ShogunPanda Sep 1, 2022
92161da
chore: Mark the series as unsupported.
ShogunPanda Sep 1, 2022
e31a224
chore: Refer to the latest version.
ShogunPanda Sep 1, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Strict transfer encoding 2.1 (#162)
  • Loading branch information
@ShogunPanda
ShogunPanda committed Sep 1, 2022
commit 8c2646a6dea515bbe77251d357415372bd762ca9
13 changes: 8 additions & 5 deletions .github/workflows/ci.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,11 +19,12 @@ jobs:
- name: Install clang for Windows
if: runner.os == 'Windows'
run: |
Invoke-Expression (New-Object System.Net.WebClient).DownloadString('https://get.scoop.sh')
iwr -useb get.scoop.sh -outfile 'install.ps1'
.\install.ps1 -RunAsAdmin
scoop install llvm --global

# Scoop modifies the PATH so we make the modified PATH global.
echo "::set-env name=PATH::$env:PATH"
echo $env:PATH >> $env:GITHUB_PATH

- name: Fetch code
uses: actions/checkout@v2
Expand All @@ -45,7 +46,8 @@ jobs:

- name: Build libllhttp.a
shell: bash
run: make build/libllhttp.a
run: |
make build/libllhttp.a

test:
name: Run tests
Expand All @@ -60,11 +62,12 @@ jobs:
- name: Install clang for Windows
if: runner.os == 'Windows'
run: |
Invoke-Expression (New-Object System.Net.WebClient).DownloadString('https://get.scoop.sh')
iwr -useb get.scoop.sh -outfile 'install.ps1'
.\install.ps1 -RunAsAdmin
scoop install llvm --global

# Scoop modifies the PATH so we make the modified PATH global.
echo "::set-env name=PATH::$env:PATH"
echo $env:PATH >> $env:GITHUB_PATH

- name: Fetch code
uses: actions/checkout@v2
Expand Down
87 changes: 62 additions & 25 deletions package-lock.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

8 changes: 4 additions & 4 deletions package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,18 +37,18 @@
"homepage": "https://github.com/nodejs/llhttp#readme",
"devDependencies": {
"@types/mocha": "^5.2.7",
"@types/node": "^10.17.52",
"@types/node": "^10.17.60",
"llparse-dot": "^1.0.1",
"llparse-test-fixture": "^5.0.1",
"llparse-test-fixture": "^5.0.2",
"mdgator": "^1.1.2",
"mocha": "^7.2.0",
"ts-node": "^7.0.1",
"tslint": "^5.20.1",
"typescript": "^3.9.9"
"typescript": "^3.9.10"
},
"dependencies": {
"@types/semver": "^5.5.0",
"llparse": "^7.1.0",
"llparse": "^7.1.1",
"semver": "^5.7.1"
}
}
80 changes: 41 additions & 39 deletions src/llhttp/constants.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,38 +6,40 @@ export type HTTPMode = 'loose' | 'strict';

export enum ERROR {
OK = 0,
INTERNAL,
STRICT,
LF_EXPECTED,
UNEXPECTED_CONTENT_LENGTH,
CLOSED_CONNECTION,
INVALID_METHOD,
INVALID_URL,
INVALID_CONSTANT,
INVALID_VERSION,
INVALID_HEADER_TOKEN,
INVALID_CONTENT_LENGTH,
INVALID_CHUNK_SIZE,
INVALID_STATUS,
INVALID_EOF_STATE,
INVALID_TRANSFER_ENCODING,

CB_MESSAGE_BEGIN,
CB_HEADERS_COMPLETE,
CB_MESSAGE_COMPLETE,
CB_CHUNK_HEADER,
CB_CHUNK_COMPLETE,

PAUSED,
PAUSED_UPGRADE,

USER,
INTERNAL = 1,
STRICT = 2,
CR_EXPECTED = 25,
LF_EXPECTED = 3,
UNEXPECTED_CONTENT_LENGTH = 4,
CLOSED_CONNECTION = 5,
INVALID_METHOD = 6,
INVALID_URL = 7,
INVALID_CONSTANT = 8,
INVALID_VERSION = 9,
INVALID_HEADER_TOKEN = 10,
INVALID_CONTENT_LENGTH = 11,
INVALID_CHUNK_SIZE = 12,
INVALID_STATUS = 13,
INVALID_EOF_STATE = 14,
INVALID_TRANSFER_ENCODING = 15,

CB_MESSAGE_BEGIN = 16,
CB_HEADERS_COMPLETE = 17,
CB_MESSAGE_COMPLETE = 18,
CB_CHUNK_HEADER = 19,
CB_CHUNK_COMPLETE = 20,

PAUSED = 21,
PAUSED_UPGRADE = 22,
// PAUSED_H2_UPGRADE = 23 in v6.x

USER = 24,
}

export enum TYPE {
BOTH = 0, // default
REQUEST,
RESPONSE,
REQUEST = 1,
RESPONSE = 2,
}

export enum FLAGS {
Expand Down Expand Up @@ -187,8 +189,8 @@ Object.keys(METHOD_MAP).forEach((key) => {

export enum FINISH {
SAFE = 0,
SAFE_WITH_CB,
UNSAFE,
SAFE_WITH_CB = 1,
UNSAFE = 2,
}

// Internal
Expand Down Expand Up @@ -284,15 +286,15 @@ export const MINOR = MAJOR;

export enum HEADER_STATE {
GENERAL = 0,
CONNECTION,
CONTENT_LENGTH,
TRANSFER_ENCODING,
UPGRADE,

CONNECTION_KEEP_ALIVE,
CONNECTION_CLOSE,
CONNECTION_UPGRADE,
TRANSFER_ENCODING_CHUNKED,
CONNECTION = 1,
CONTENT_LENGTH = 2,
TRANSFER_ENCODING = 3,
UPGRADE = 4,

CONNECTION_KEEP_ALIVE = 5,
CONNECTION_CLOSE = 6,
CONNECTION_UPGRADE = 7,
TRANSFER_ENCODING_CHUNKED = 8,
}

export const SPECIAL_HEADERS = {
Expand Down
33 changes: 28 additions & 5 deletions src/llhttp/http.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -56,6 +56,7 @@ const NODES: ReadonlyArray<string> = [
'header_value',
'header_value_otherwise',
'header_value_lenient',
'header_value_lenient_failed',
'header_value_lws',
'header_value_te_chunked',
'header_value_te_chunked_last',
Expand Down Expand Up @@ -452,11 +453,27 @@ export class HTTP {
FLAGS.CHUNKED,
'header_value_te_chunked');

// Once chunked has been selected, no other encoding is possible in requests
// https://datatracker.ietf.org/doc/html/rfc7230#section-3.3.1
const forbidAfterChunkedInRequest = (otherwise: Node) => {
return this.load('type', {
[TYPE.REQUEST]: this.testFlags(FLAGS.LENIENT, {
0: span.headerValue.end().skipTo(
p.error(ERROR.INVALID_TRANSFER_ENCODING, 'Invalid `Transfer-Encoding` header value'),
),
}).otherwise(otherwise),
}, otherwise);
};

n('header_value_start')
.otherwise(this.load('header_state', {
[HEADER_STATE.UPGRADE]: this.setFlag(FLAGS.UPGRADE, fallback),
[HEADER_STATE.TRANSFER_ENCODING]: this.setFlag(
FLAGS.TRANSFER_ENCODING, toTransferEncoding),
[HEADER_STATE.TRANSFER_ENCODING]: this.testFlags(
FLAGS.CHUNKED,
{
1: forbidAfterChunkedInRequest(this.setFlag(FLAGS.TRANSFER_ENCODING, toTransferEncoding)),
},
this.setFlag(FLAGS.TRANSFER_ENCODING, toTransferEncoding)),
[HEADER_STATE.CONTENT_LENGTH]: n('header_value_content_length_once'),
[HEADER_STATE.CONNECTION]: n('header_value_connection'),
}, 'header_value'));
Expand All @@ -478,7 +495,8 @@ export class HTTP {
.peek([ '\r', '\n' ], this.update('header_state',
HEADER_STATE.TRANSFER_ENCODING_CHUNKED,
'header_value_otherwise'))
.otherwise(n('header_value_te_chunked'));
.peek(',', forbidAfterChunkedInRequest(n('header_value_te_chunked')))
.otherwise(n('header_value_te_token'));

n('header_value_te_token')
.match(',', n('header_value_te_token_ows'))
Expand Down Expand Up @@ -563,18 +581,23 @@ export class HTTP {

const checkLenient = this.testFlags(FLAGS.LENIENT, {
1: n('header_value_lenient'),
}, p.error(ERROR.INVALID_HEADER_TOKEN, 'Invalid header value char'));
}, n('header_value_lenient_failed'));

n('header_value_otherwise')
.peek('\r', span.headerValue.end().skipTo(n('header_value_almost_done')))
.peek('\n', span.headerValue.end(n('header_value_almost_done')))
.otherwise(checkLenient);

n('header_value_lenient')
.peek('\r', span.headerValue.end().skipTo(n('header_value_almost_done')))
.peek('\n', span.headerValue.end(n('header_value_almost_done')))
.skipTo(n('header_value_lenient'));

n('header_value_lenient_failed')
.peek('\n', span.headerValue.end().skipTo(
p.error(ERROR.CR_EXPECTED, 'Missing expected CR after header value')),
)
.otherwise(p.error(ERROR.INVALID_HEADER_TOKEN, 'Invalid header value char'));

n('header_value_almost_done')
.match('\n', n('header_value_lws'))
.otherwise(p.error(ERROR.LF_EXPECTED,
Expand Down
Loading