http: fix validation of "Link" header #46466
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -459,7 +459,7 @@ function validateUnion(value, name, union) { | |
| } | ||
| } | ||
|
|
||
| const linkValueRegExp = /^(?:<[^>]*>)(?:\s*;\s*[^;"]+(?:=(")?[^;"]*\1)?)*$/; | ||
| const linkValueRegExp = /^(?:<[^>]*>)(?:\s*;\s*[^;"\s]+(?:=(")?[^;"\s]*\1)?)*$/; | ||
|
Member
It probably does not matter as the header is sent by the server but this regex is vulnerable to ReDoS.
Member
FWIW the original is also vulnerable.
Contributor
I'm not questioning your point, I'm asking as I want to learn on this matter:
Member
https://github.com/makenowjust-labs/recheck
Usually it is possible to tweak the regex. I'm not sure if it is possible in this case. I did not spend time on it. The input is "trusted" so I think it is not worth the effort.
Contributor
Thanks for the reference. I also think it's not worth the effort. Shall we just insert a comment for future knowledge?
Member
I'd be concerned that we'd start leveraging this at a future time for something and expose it to end users. There should at least be a comment, IMO.
Member
(To be 100% clear: If we're certain that this is not something that will accept user input, yeah, we don't need to fix it. But let's add a comment explaining.)
Member
This regex (and the existing one) will fail to do the right thing if a quotation mark is backslash-escaped inside the string, right? (I only skimmed the spec so I apologize if I'm wrong!) Are we doing the whole "using a regexp when a parsing algorithm is what is needed" thing? (This is a question, but not a blocking objection or anything. The current regexp would have the same issue if this one has that issue.)
Member
It could also start from the beginning of the string, but yes, I think that it would be better.
Member
We can add a TODO comment and do this in a follow-up PR.
||
|
|
||
| /** | ||
| * @param {any} value | ||
|
|
||
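Review bot: On the `+` line, the new class `[^;"\s]*` is applied to the value whether or not the optional `(")` matched, so a quoted parameter value that contains whitespace (for example `title="My Page"`) is now rejected along with the trailing-whitespace case this change targets. Consider excluding `\s` only in the unquoted branch and keeping `[^;"]*` between the quotes. The declaration also carries no comment recording that the pattern has not been hardened against backtracking and is only meant for server-supplied values; a short comment above `const linkValueRegExp` would capture that.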
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,35 @@ | ||
| 'use strict'; | ||
| const common = require('../common'); | ||
| const assert = require('node:assert'); | ||
| const http = require('node:http'); | ||
| const debug = require('node:util').debuglog('test'); | ||
|
|
||
| const testResBody = 'response content\n'; | ||
|
|
||
| const server = http.createServer(common.mustCall((req, res) => { | ||
| debug('Server sending early hints...'); | ||
| res.writeEarlyHints({ | ||
| link: '</>; ' | ||
| }); | ||
|
|
||
| debug('Server sending full response...'); | ||
| res.end(testResBody); | ||
| })); | ||
|
|
||
| server.listen(0, common.mustCall(() => { | ||
| const req = http.request({ | ||
| port: server.address().port, path: '/' | ||
| }); | ||
|
|
||
| req.end(); | ||
| debug('Client sending request...'); | ||
|
|
||
| req.on('information', common.mustNotCall()); | ||
|
|
||
| process.on('uncaughtException', (err) => { | ||
|
SRHerzog marked this conversation as resolved.
|
||
| debug(`Caught an exception: ${JSON.stringify(err)}`); | ||
| if (err.name === 'AssertionError') throw err; | ||
| assert.strictEqual(err.code, 'ERR_INVALID_ARG_VALUE'); | ||
| process.exit(); | ||
| }); | ||
| })); | ||
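Review bot: The rejection of `link: '</>; '` is only observed indirectly, through the process-wide `uncaughtException` handler registered at the end of the `listen` callback, and the test then ends with `process.exit()` without closing `server`. Asserting at the call site, e.g. `assert.throws(() => res.writeEarlyHints({ link: '</>; ' }), { code: 'ERR_INVALID_ARG_VALUE' })`, followed by `res.end(testResBody)` and `server.close()`, keeps the check local to the call under test and removes the need for the `AssertionError` re-throw. The file also exercises a single invalid value; a case for a quoted parameter value would pin down how the tightened pattern treats it.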