http2: add invalidheaders test

Refs: https://github.com/nodejs/node/issues/29829 PR-URL: https://github.com/nodejs/node/pull/33161 Reviewed-By: Robert Nagy <ronagy@icloud.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com> Reviewed-By: Denys Otrishko <shishugi@gmail.com>
2020-04-25 03:37:43 +05:30 · 2020-04-25 03:37:43 +05:30 · 1e4187fcf4
commit 1e4187fcf4
parent ee7f0e3f75
4 changed files with 84 additions and 9 deletions
--- a/lib/internal/http2/compat.js
+++ b/lib/internal/http2/compat.js
@ -73,7 +73,7 @@ let statusConnectionHeaderWarned = false;
 // close as possible to the current require('http') API

 const assertValidHeader = hideStackFrames((name, value) => {
-  if (name === '' || typeof name !== 'string') {
+  if (name === '' || typeof name !== 'string' || name.indexOf(' ') >= 0) {
    throw new ERR_INVALID_HTTP_TOKEN('Header name', name);
  }
  if (isPseudoHeader(name)) {
--- a/lib/internal/http2/util.js
+++ b/lib/internal/http2/util.js
@ -18,7 +18,8 @@ const {
    ERR_HTTP2_INVALID_CONNECTION_HEADERS,
    ERR_HTTP2_INVALID_PSEUDOHEADER,
    ERR_HTTP2_INVALID_SETTING_VALUE,
-    ERR_INVALID_ARG_TYPE
+    ERR_INVALID_ARG_TYPE,
+    ERR_INVALID_HTTP_TOKEN
  },
  addCodeToName,
  hideStackFrames
@ -490,6 +491,9 @@ function mapToHeaders(map,
      count++;
      continue;
    }
+    if (key.indexOf(' ') >= 0) {
+      throw new ERR_INVALID_HTTP_TOKEN('Header name', key);
+    }
    if (isIllegalConnectionSpecificHeader(key, value)) {
      throw new ERR_HTTP2_INVALID_CONNECTION_HEADERS(key);
    }
--- a/test/parallel/test-http2-invalidheaderfield.js
+++ b/test/parallel/test-http2-invalidheaderfield.js
@ -0,0 +1,65 @@
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto) { common.skip('missing crypto'); }
+
+// Check for:
+// Spaced headers
+// Psuedo headers
+// Capitalized headers
+
+const http2 = require('http2');
+const { throws, strictEqual } = require('assert');
+
+const server = http2.createServer(common.mustCall((req, res) => {
+  throws(() => {
+    res.setHeader(':path', '/');
+  }, {
+    code: 'ERR_HTTP2_PSEUDOHEADER_NOT_ALLOWED'
+  });
+  throws(() => {
+    res.setHeader('t est', 123);
+  }, {
+    code: 'ERR_INVALID_HTTP_TOKEN'
+  });
+  res.setHeader('TEST', 123);
+  res.setHeader('test_', 123);
+  res.setHeader(' test', 123);
+  res.end();
+}));
+
+server.listen(0, common.mustCall(() => {
+  const session1 = http2.connect(`http://localhost:${server.address().port}`);
+  session1.request({ 'test_': 123, 'TEST': 123 })
+    .on('end', common.mustCall(() => {
+      session1.close();
+      server.close();
+    }));
+
+  const session2 = http2.connect(`http://localhost:${server.address().port}`);
+  session2.on('error', common.mustCall((e) => {
+    strictEqual(e.code, 'ERR_INVALID_HTTP_TOKEN');
+  }));
+  throws(() => {
+    session2.request({ 't est': 123 });
+  }, {
+    code: 'ERR_INVALID_HTTP_TOKEN'
+  });
+
+  const session3 = http2.connect(`http://localhost:${server.address().port}`);
+  session3.on('error', common.mustCall((e) => {
+    strictEqual(e.code, 'ERR_INVALID_HTTP_TOKEN');
+  }));
+  throws(() => {
+    session3.request({ ' test': 123 });
+  }, {
+    code: 'ERR_INVALID_HTTP_TOKEN'
+  });
+
+  const session4 = http2.connect(`http://localhost:${server.address().port}`);
+  throws(() => {
+    session4.request({ ':test': 123 });
+  }, {
+    code: 'ERR_HTTP2_INVALID_PSEUDOHEADER'
+  });
+  session4.close();
+}));
--- a/test/parallel/test-http2-invalidheaderfields-client.js
+++ b/test/parallel/test-http2-invalidheaderfields-client.js
@ -9,7 +9,11 @@ const server1 = http2.createServer();
 server1.listen(0, common.mustCall(() => {
  const session = http2.connect(`http://localhost:${server1.address().port}`);
  // Check for req headers
-  session.request({ 'no underscore': 123 });
+  assert.throws(() => {
+    session.request({ 'no underscore': 123 });
+  }, {
+    code: 'ERR_INVALID_HTTP_TOKEN'
+  });
  session.on('error', common.mustCall((e) => {
    assert.strictEqual(e.code, 'ERR_INVALID_HTTP_TOKEN');
    server1.close();
@ -18,15 +22,18 @@ server1.listen(0, common.mustCall(() => {

 const server2 = http2.createServer(common.mustCall((req, res) => {
  // check for setHeader
-  res.setHeader('x y z', 123);
+  assert.throws(() => {
+    res.setHeader('x y z', 123);
+  }, {
+    code: 'ERR_INVALID_HTTP_TOKEN'
+  });
  res.end();
 }));

 server2.listen(0, common.mustCall(() => {
  const session = http2.connect(`http://localhost:${server2.address().port}`);
  const req = session.request();
-  req.on('error', common.mustCall((e) => {
-    assert.strictEqual(e.code, 'ERR_HTTP2_STREAM_ERROR');
+  req.on('end', common.mustCall(() => {
    session.close();
    server2.close();
  }));
@ -39,7 +46,7 @@ const server3 = http2.createServer(common.mustCall((req, res) => {
      'an invalid header': 123
    });
  }), {
-    code: 'ERR_HTTP2_INVALID_STREAM'
+    code: 'ERR_INVALID_HTTP_TOKEN'
  });
  res.end();
 }));
@ -47,8 +54,7 @@ const server3 = http2.createServer(common.mustCall((req, res) => {
 server3.listen(0, common.mustCall(() => {
  const session = http2.connect(`http://localhost:${server3.address().port}`);
  const req = session.request();
-  req.on('error', common.mustCall((e) => {
-    assert.strictEqual(e.code, 'ERR_HTTP2_STREAM_ERROR');
+  req.on('end', common.mustCall(() => {
    server3.close();
    session.close();
  }));