fix: guard idle socket validation to skip fresh sockets (#5400)

mcollina · UlisesGascon · web-flow · commit f4c31d60c42d · 2026-06-10T23:00:40.000-07:00
* fix: guard idle socket validation to skip fresh sockets References: GHSA-35p6-xmwp-9g52 Signed-off-by: Matteo Collina <hello@matteocollina.com> Co-authored-by: Ulises Gascon <ulisesgascongonzalez@gmail.com> * test: update issue 810 idle validation expectations * test: stabilize idle validation coverage * test: avoid issue 810 hangs on older Node.js * test: stabilize parser error cleanup * test: stabilize fetch encoding sockets * test: use explicit loopback in fetch encoding * test: use explicit loopback in fetch cookies * test: use explicit loopback in fetch h2 cookies --------- Signed-off-by: Matteo Collina <hello@matteocollina.com> Co-authored-by: Ulises Gascon <ulisesgascongonzalez@gmail.com>
diff --git a/lib/dispatcher/client-h1.js b/lib/dispatcher/client-h1.js
@@ -57,6 +57,9 @@ const EMPTY_BUF = Buffer.alloc(0)
 const FastBuffer = Buffer[Symbol.species]
 const addListener = util.addListener
 const removeAllListeners = util.removeAllListeners
+const kIdleSocketValidation = Symbol('kIdleSocketValidation')
+const kIdleSocketValidationTimeout = Symbol('kIdleSocketValidationTimeout')
+const kSocketUsed = Symbol('kSocketUsed')
 
 let extractBody
 
@@ -371,6 +374,11 @@ class Parser {
       return -1
     }
 
+    if (client[kRunning] === 0) {
+      util.destroy(socket, new SocketError('bad response', util.getSocketInfo(socket)))
+      return -1
+    }
+
     const request = client[kQueue][client[kRunningIdx]]
     if (!request) {
       return -1
@@ -474,6 +482,11 @@ class Parser {
       return -1
     }
 
+    if (client[kRunning] === 0) {
+      util.destroy(socket, new SocketError('bad response', util.getSocketInfo(socket)))
+      return -1
+    }
+
     const request = client[kQueue][client[kRunningIdx]]
 
     /* istanbul ignore next: difficult to make a test case for */
@@ -647,6 +660,7 @@ class Parser {
     request.onComplete(headers)
 
     client[kQueue][client[kRunningIdx]++] = null
+    socket[kSocketUsed] = true
 
     if (socket[kWriting]) {
       assert(client[kRunning] === 0)
@@ -705,6 +719,9 @@ async function connectH1 (client, socket) {
   socket[kWriting] = false
   socket[kReset] = false
   socket[kBlocking] = false
+  socket[kIdleSocketValidation] = 0
+  socket[kIdleSocketValidationTimeout] = null
+  socket[kSocketUsed] = false
   socket[kParser] = new Parser(client, socket, llhttpInstance)
 
   addListener(socket, 'error', function (err) {
@@ -751,6 +768,8 @@ async function connectH1 (client, socket) {
     const client = this[kClient]
     const parser = this[kParser]
 
+    clearIdleSocketValidation(this)
+
     if (parser) {
       if (!this[kError] && parser.statusCode && !parser.shouldKeepAlive) {
         this[kError] = parser.finish() || this[kError]
@@ -816,7 +835,7 @@ async function connectH1 (client, socket) {
       return socket.destroyed
     },
     busy (request) {
-      if (socket[kWriting] || socket[kReset] || socket[kBlocking]) {
+      if (socket[kWriting] || socket[kReset] || socket[kBlocking] || socket[kIdleSocketValidation] === 1) {
         return true
       }
 
@@ -854,6 +873,31 @@ async function connectH1 (client, socket) {
   }
 }
 
+function clearIdleSocketValidation (socket) {
+  if (socket[kIdleSocketValidationTimeout]) {
+    clearTimeout(socket[kIdleSocketValidationTimeout])
+    socket[kIdleSocketValidationTimeout] = null
+  }
+
+  socket[kIdleSocketValidation] = 0
+}
+
+function scheduleIdleSocketValidation (client, socket) {
+  socket[kIdleSocketValidation] = 1
+  socket[kIdleSocketValidationTimeout] = setTimeout(() => {
+    socket[kIdleSocketValidationTimeout] = null
+    socket[kIdleSocketValidation] = 2
+
+    if (client[kSocket] === socket && !socket.destroyed) {
+      client[kResume]()
+    }
+  }, 0)
+  socket[kIdleSocketValidationTimeout].unref?.()
+}
+
+/**
+ * @param {import('./client.js')} client
+ */
 function resumeH1 (client) {
   const socket = client[kSocket]
 
@@ -868,6 +912,32 @@ function resumeH1 (client) {
       socket[kNoRef] = false
     }
 
+    if (client[kRunning] === 0 && client[kPending] > 0 && socket[kSocketUsed]) {
+      if (socket[kIdleSocketValidation] === 0) {
+        scheduleIdleSocketValidation(client, socket)
+        socket[kParser].readMore()
+        if (socket.destroyed) {
+          return
+        }
+        return
+      }
+
+      if (socket[kIdleSocketValidation] === 1) {
+        socket[kParser].readMore()
+        if (socket.destroyed) {
+          return
+        }
+        return
+      }
+    }
+
+    if (client[kRunning] === 0) {
+      socket[kParser].readMore()
+      if (socket.destroyed) {
+        return
+      }
+    }
+
     if (client[kSize] === 0) {
       if (socket[kParser].timeoutType !== TIMEOUT_KEEP_ALIVE) {
         socket[kParser].setTimeout(client[kKeepAliveTimeoutValue], TIMEOUT_KEEP_ALIVE)
@@ -961,6 +1031,7 @@ function writeH1 (client, request) {
   }
 
   const socket = client[kSocket]
+  clearIdleSocketValidation(socket)
 
   const abort = (err) => {
     if (request.aborted || request.completed) {
diff --git a/test/client-errors.js b/test/client-errors.js
@@ -1,31 +1,46 @@
 'use strict'
 
-const { tspl } = require('@matteo.collina/tspl')
-const { test, after } = require('node:test')
-const { Client } = require('..')
+const assert = require('node:assert')
+const { test } = require('node:test')
+const { once } = require('node:events')
+const { Client, errors } = require('..')
 const net = require('node:net')
 
-// TODO: move to test/node-test/client-connect.js
-test('parser error', async (t) => {
-  t = tspl(t, { plan: 2 })
-
-  const server = net.createServer()
-  server.once('connection', (socket) => {
-    socket.write('asd\n\r213123')
+function closeServer (server) {
+  return new Promise((resolve, reject) => {
+    server.close((err) => err ? reject(err) : resolve())
   })
-  after(() => server.close())
-
-  server.listen(0, () => {
-    const client = new Client(`http://localhost:${server.address().port}`)
-    after(() => client.destroy())
+}
 
+function request (client) {
+  return new Promise((resolve, reject) => {
     client.request({ path: '/', method: 'GET' }, (err) => {
-      t.ok(err)
-      client.close((err) => {
-        t.ifError(err)
-      })
+      if (err) {
+        reject(err)
+      } else {
+        resolve()
+      }
     })
   })
+}
+
+// TODO: move to test/node-test/client-connect.js
+test('parser error', async () => {
+  const server = net.createServer((socket) => {
+    socket.once('data', () => {
+      socket.end('asd\n\r213123')
+    })
+  })
+
+  server.listen(0)
+  await once(server, 'listening')
+
+  const client = new Client(`http://localhost:${server.address().port}`)
 
-  await t.completed
+  try {
+    await assert.rejects(request(client), errors.HTTPParserError)
+  } finally {
+    await client.destroy()
+    await closeServer(server)
+  }
 })
diff --git a/test/fetch/cookies.js b/test/fetch/cookies.js
@@ -15,17 +15,18 @@ test('Can receive set-cookie headers from a server using fetch - issue #1262', a
   const server = createServer((req, res) => {
     res.setHeader('set-cookie', 'name=value; Domain=example.com')
     res.end()
-  }).listen(0)
+  }).listen(0, '127.0.0.1')
 
   t.after(closeServerAsPromise(server))
   await once(server, 'listening')
 
-  const response = await fetch(`http://localhost:${server.address().port}`)
+  const response = await fetch(`http://127.0.0.1:${server.address().port}`, { keepalive: false })
 
   assert.strictEqual(response.headers.get('set-cookie'), 'name=value; Domain=example.com')
 
-  const response2 = await fetch(`http://localhost:${server.address().port}`, {
-    credentials: 'include'
+  const response2 = await fetch(`http://127.0.0.1:${server.address().port}`, {
+    credentials: 'include',
+    keepalive: false
   })
 
   assert.strictEqual(response2.headers.get('set-cookie'), 'name=value; Domain=example.com')
@@ -35,7 +36,7 @@ test('Can send cookies to a server with fetch - issue #1463', async (t) => {
   const server = createServer((req, res) => {
     assert.strictEqual(req.headers.cookie, 'value')
     res.end()
-  }).listen(0)
+  }).listen(0, '127.0.0.1')
 
   t.after(closeServerAsPromise(server))
   await once(server, 'listening')
@@ -47,7 +48,7 @@ test('Can send cookies to a server with fetch - issue #1463', async (t) => {
   ]
 
   for (const headers of headersInit) {
-    await fetch(`http://localhost:${server.address().port}`, { headers })
+    await fetch(`http://127.0.0.1:${server.address().port}`, { headers, keepalive: false })
   }
 })
 
@@ -57,12 +58,13 @@ test('Cookie header is delimited with a semicolon rather than a comma - issue #1
   const server = createServer((req, res) => {
     strictEqual(req.headers.cookie, 'FOO=lorem-ipsum-dolor-sit-amet; BAR=the-quick-brown-fox')
     res.end()
-  }).listen(0)
+  }).listen(0, '127.0.0.1')
 
   t.after(closeServerAsPromise(server))
   await once(server, 'listening')
 
-  await fetch(`http://localhost:${server.address().port}`, {
+  await fetch(`http://127.0.0.1:${server.address().port}`, {
+    keepalive: false,
     headers: [
       ['cookie', 'FOO=lorem-ipsum-dolor-sit-amet'],
       ['cookie', 'BAR=the-quick-brown-fox']
@@ -83,18 +85,18 @@ test('Can receive set-cookie headers from a http2 server using fetch - issue #28
     stream.end('test')
   })
 
-  server.listen()
+  server.listen(0, '127.0.0.1')
   await once(server, 'listening')
 
-  const client = new Client(`https://localhost:${server.address().port}`, {
+  const client = new Client(`https://127.0.0.1:${server.address().port}`, {
     connect: {
       rejectUnauthorized: false
     },
     allowH2: true
   })
 
   const response = await fetch(
-    `https://localhost:${server.address().port}/`,
+    `https://127.0.0.1:${server.address().port}/`,
     // Needs to be passed to disable the reject unauthorized
     {
       method: 'GET',
diff --git a/test/fetch/encoding.js b/test/fetch/encoding.js
@@ -23,12 +23,12 @@ test('content-encoding header is case-iNsENsITIve', async (t) => {
 
     gzip.write(text)
     gzip.end()
-  }).listen(0)
+  }).listen(0, '127.0.0.1')
 
   t.after(closeServerAsPromise(server))
   await once(server, 'listening')
 
-  const response = await fetch(`http://localhost:${server.address().port}`)
+  const response = await fetch(`http://127.0.0.1:${server.address().port}`, { keepalive: false })
 
   assert.strictEqual(await response.text(), text)
   assert.strictEqual(response.headers.get('content-encoding'), contentCodings)
@@ -49,12 +49,12 @@ test('response decompression according to content-encoding should be handled in
 
     deflate.write(text)
     deflate.end()
-  }).listen(0)
+  }).listen(0, '127.0.0.1')
 
   t.after(closeServerAsPromise(server))
   await once(server, 'listening')
 
-  const response = await fetch(`http://localhost:${server.address().port}`)
+  const response = await fetch(`http://127.0.0.1:${server.address().port}`, { keepalive: false })
 
   assert.strictEqual(await response.text(), text)
 })
@@ -78,15 +78,15 @@ describe('content-encoding chain limit', () => {
       })
       res.end('test')
     })
-    await once(server.listen(0), 'listening')
+    await once(server.listen(0, '127.0.0.1'), 'listening')
   })
 
   after(() => {
     server.close()
   })
 
   test(`should allow exactly ${MAX_CONTENT_ENCODINGS} content-encodings`, async (t) => {
-    const response = await fetch(`http://localhost:${server.address().port}`, {
+    const response = await fetch(`http://127.0.0.1:${server.address().port}`, {
       keepalive: false,
       headers: { 'x-encoding-count': String(MAX_CONTENT_ENCODINGS) }
     })
@@ -98,7 +98,7 @@ describe('content-encoding chain limit', () => {
 
   test(`should reject more than ${MAX_CONTENT_ENCODINGS} content-encodings`, async (t) => {
     await assert.rejects(
-      fetch(`http://localhost:${server.address().port}`, {
+      fetch(`http://127.0.0.1:${server.address().port}`, {
         keepalive: false,
         headers: { 'x-encoding-count': String(MAX_CONTENT_ENCODINGS + 1) }
       }),
@@ -111,7 +111,7 @@ describe('content-encoding chain limit', () => {
 
   test('should reject excessive content-encoding chains', async (t) => {
     await assert.rejects(
-      fetch(`http://localhost:${server.address().port}`, {
+      fetch(`http://127.0.0.1:${server.address().port}`, {
         keepalive: false,
         headers: { 'x-encoding-count': '100' }
       }),
diff --git a/test/issue-810.js b/test/issue-810.js
diff --git a/test/response-queue-poisoning.js b/test/response-queue-poisoning.js
