http: disable request smuggling via empty headers

PR-URL: https://github.com/nodejs-private/node-private/pull/427 Fixes: https://hackerone.com/reports/2001873 Refs: https://github.com/nodejs-private/llhttp-private/pull/13 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> CVE-ID: CVE-2023-30589
2023-06-13 12:06:27 +02:00 · 2023-06-13 12:06:27 +02:00 · 2e6de554f6
commit 2e6de554f6
parent 4a82c8fda0
4 changed files with 650 additions and 493 deletions
--- a/deps/llhttp/CMakeLists.txt
+++ b/deps/llhttp/CMakeLists.txt
@ -1,7 +1,7 @@
 cmake_minimum_required(VERSION 3.5.1)
 cmake_policy(SET CMP0069 NEW)

-project(llhttp VERSION 8.1.0)
+project(llhttp VERSION 8.1.1)
 include(GNUInstallDirs)

 set(CMAKE_C_STANDARD 99)
--- a/deps/llhttp/include/llhttp.h
+++ b/deps/llhttp/include/llhttp.h
@ -3,7 +3,7 @@

 #define LLHTTP_VERSION_MAJOR 8
 #define LLHTTP_VERSION_MINOR 1
-#define LLHTTP_VERSION_PATCH 0
+#define LLHTTP_VERSION_PATCH 1

 #ifndef LLHTTP_STRICT_MODE
 # define LLHTTP_STRICT_MODE 0
--- a/deps/llhttp/src/llhttp.c
+++ b/deps/llhttp/src/llhttp.c
--- a/test/parallel/test-http-missing-header-separator-lf.js
+++ b/test/parallel/test-http-missing-header-separator-lf.js
@ -0,0 +1,83 @@
+'use strict';
+
+const common = require('../common');
+const assert = require('assert');
+
+const http = require('http');
+const net = require('net');
+
+function serverHandler(server, msg) {
+  const client = net.connect(server.address().port, 'localhost');
+
+  let response = '';
+
+  client.on('data', common.mustCall((chunk) => {
+    response += chunk;
+  }));
+
+  client.setEncoding('utf8');
+  client.on('error', common.mustNotCall());
+  client.on('end', common.mustCall(() => {
+    assert.strictEqual(
+      response,
+      'HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n'
+    );
+    server.close();
+  }));
+  client.write(msg);
+  client.resume();
+}
+
+{
+  const msg = [
+    'GET / HTTP/1.1',
+    'Host: localhost',
+    'Dummy: x\rContent-Length: 23',
+    '',
+    'GET / HTTP/1.1',
+    'Dummy: GET /admin HTTP/1.1',
+    'Host: localhost',
+    '',
+    '',
+  ].join('\r\n');
+
+  const server = http.createServer(common.mustNotCall());
+
+  server.listen(0, common.mustSucceed(serverHandler.bind(null, server, msg)));
+}
+
+{
+  const msg = [
+    'POST / HTTP/1.1',
+    'Host: localhost',
+    'x:x\rTransfer-Encoding: chunked',
+    '',
+    '1',
+    'A',
+    '0',
+    '',
+    '',
+  ].join('\r\n');
+
+  const server = http.createServer(common.mustNotCall());
+
+  server.listen(0, common.mustSucceed(serverHandler.bind(null, server, msg)));
+}
+
+{
+  const msg = [
+    'POST / HTTP/1.1',
+    'Host: localhost',
+    'x:\rTransfer-Encoding: chunked',
+    '',
+    '1',
+    'A',
+    '0',
+    '',
+    '',
+  ].join('\r\n');
+
+  const server = http.createServer(common.mustNotCall());
+
+  server.listen(0, common.mustSucceed(serverHandler.bind(null, server, msg)));
+}