nodejs/test/parallel/test-http-chunked-smuggling.js

'use strict';

const common = require('../common');
const http = require('http');
const net = require('net');
const assert = require('assert');

// Verify that invalid chunk extensions cannot be used to perform HTTP request
// smuggling attacks.

const server = http.createServer(common.mustCall((request, response) => {
  assert.notStrictEqual(request.url, '/admin');
  response.end('hello world');
}), 1);

server.listen(0, common.mustCall(start));

function start() {
  const sock = net.connect(server.address().port);

  sock.write('' +
    'GET / HTTP/1.1\r\n' +
    'Host: localhost:8080\r\n' +
    'Transfer-Encoding: chunked\r\n' +
    '\r\n' +
    '2;\n' +
    'xx\r\n' +
    '4c\r\n' +
    '0\r\n' +
    '\r\n' +
    'GET /admin HTTP/1.1\r\n' +
    'Host: localhost:8080\r\n' +
    'Transfer-Encoding: chunked\r\n' +
    '\r\n' +
    '0\r\n' +
    '\r\n'
  );

  sock.resume();
  sock.on('end', common.mustCall(function() {
    server.close();
  }));
}
http: add regression test for chunked smuggling PR-URL: https://github.com/nodejs-private/node-private/pull/284 Reviewed-By: Akshay K <iit.akshay@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Robert Nagy <ronagy@icloud.com> 2021-08-25 18:06:51 +02:00			`'use strict';`

			`const common = require('../common');`
			`const http = require('http');`
			`const net = require('net');`
			`const assert = require('assert');`

test: fix test description The request uses chunked transfer encoding and the HTTP response status code is not 400 but 200. PR-URL: https://github.com/nodejs/node/pull/40486 Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> 2021-10-17 10:21:33 +02:00			`// Verify that invalid chunk extensions cannot be used to perform HTTP request`
			`// smuggling attacks.`
http: add regression test for chunked smuggling PR-URL: https://github.com/nodejs-private/node-private/pull/284 Reviewed-By: Akshay K <iit.akshay@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Robert Nagy <ronagy@icloud.com> 2021-08-25 18:06:51 +02:00
			`const server = http.createServer(common.mustCall((request, response) => {`
			`assert.notStrictEqual(request.url, '/admin');`
			`response.end('hello world');`
			`}), 1);`

			`server.listen(0, common.mustCall(start));`

			`function start() {`
			`const sock = net.connect(server.address().port);`

			`sock.write('' +`
			`'GET / HTTP/1.1\r\n' +`
			`'Host: localhost:8080\r\n' +`
			`'Transfer-Encoding: chunked\r\n' +`
			`'\r\n' +`
test: add semicolon after chunk size The ABNF for chunk extensions as per RFC 7230 is chunk-ext = *( ";" chunk-ext-name [ "=" chunk-ext-val ] ) chunk-ext-name = token chunk-ext-val = token / quoted-string Add a semicolon after the chunk size for clarity. This does not invalidate the test as it verifies that the HTTP parser does not ignore chunk extensions. PR-URL: https://github.com/nodejs/node/pull/40487 Refs: https://grenfeldt.dev/2021/10/08/gunicorn-20.1.0-public-disclosure-of-request-smuggling Reviewed-By: James M Snell <jasnell@gmail.com> 2021-10-17 10:35:10 +02:00			`'2;\n' +`
http: add regression test for chunked smuggling PR-URL: https://github.com/nodejs-private/node-private/pull/284 Reviewed-By: Akshay K <iit.akshay@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Robert Nagy <ronagy@icloud.com> 2021-08-25 18:06:51 +02:00			`'xx\r\n' +`
			`'4c\r\n' +`
			`'0\r\n' +`
			`'\r\n' +`
			`'GET /admin HTTP/1.1\r\n' +`
			`'Host: localhost:8080\r\n' +`
			`'Transfer-Encoding: chunked\r\n' +`
			`'\r\n' +`
			`'0\r\n' +`
			`'\r\n'`
			`);`

			`sock.resume();`
			`sock.on('end', common.mustCall(function() {`
			`server.close();`
			`}));`
			`}`