http: validate headers in writeEarlyHints · nodejs/node@dafdc0a

kUniqueHeaders,

parseUniqueHeadersOption,

OutgoingMessage,

validateHeaderName,

validateHeaderValue,

} = require('_http_outgoing');

const {

kOutHeaders,

return;

}

if (checkInvalidHeaderChar(link)) {

throw new ERR_INVALID_CHAR('header content', 'Link');

}

head += 'Link: ' + link + '\r\n';

const keys = ObjectKeys(hints);

for (let i = 0; i < keys.length; i++) {

const key = keys[i];

if (key !== 'link') {

head += key + ': ' + hints[key] + '\r\n';

validateHeaderName(key);

const value = hints[key];

validateHeaderValue(key, value);

head += key + ': ' + value + '\r\n';

}

}

(not necessarily a valid URI reference) followed by zero or more

link-params separated by semicolons.

*/

const linkValueRegExp = /^(?:<[^>]*>)(?:\s*;\s*[^;"\s]+(?:=(")?[^;"\s]*\1)?)*$/;

const linkValueRegExp = /^(?:<[^>\r\n]*>)(?:\s*;\s*[^;"\s]+(?:=(")?[^;"\s]*\1)?)*$/;

/**

* @param {any} value

req.on('information', common.mustNotCall());

}));

}

{

const server = http.createServer(common.mustCall((req, res) => {

debug('Server sending early hints with CRLF injection...');

assert.throws(() => {

res.writeEarlyHints({

'link': '</styles.css>; rel=preload; as=style',

'X-Custom': 'valid\r\nSet-Cookie: session=evil',

});

}, (err) => err.code === 'ERR_INVALID_CHAR');

assert.throws(() => {

res.writeEarlyHints({

'link': '</styles.css>; rel=preload; as=style',

'X-Custom\r\nSet-Cookie: session=evil': 'value',

});

}, (err) => err.code === 'ERR_INVALID_HTTP_TOKEN');

assert.throws(() => {

res.writeEarlyHints({

link: '</styles.css\r\nSet-Cookie: session=evil>; rel=preload; as=style',

});

}, (err) => err.code === 'ERR_INVALID_ARG_VALUE');

debug('Server sending full response...');

res.end(testResBody);

server.close();

}));

server.listen(0, common.mustCall(() => {

const req = http.request({

port: server.address().port, path: '/'

});

req.end();

debug('Client sending request...');

req.on('information', common.mustNotCall());

}));

}