Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

http: validate HTTP version #157

Merged
merged 1 commit into from
Aug 2, 2022
Merged

http: validate HTTP version #157

merged 1 commit into from
Aug 2, 2022

Conversation

ShogunPanda
Copy link
Contributor

@ShogunPanda ShogunPanda commented May 27, 2022
edited
Loading

Fixes nodejs/node#43115 on Node 16+.

@ShogunPanda
Copy link
Contributor Author

@indutny Any input on this? Does it look fine to you?

@pallas
Copy link
Contributor

pallas commented Jun 1, 2022

Why not check the major and minor after the parse is complete?

@ShogunPanda
Copy link
Contributor Author

Well, I would say to allow to save some bytes to read and close the bad socket ASAP.

@pallas
Copy link
Contributor

pallas commented Jun 1, 2022

Yes, you can do that during on_status or on_status_complete. Maybe it's worth adding an on_version_complete callback? I just worry that someone is using a non-standard major/minor for something and this would break that.

@ShogunPanda
Copy link
Contributor Author

Ok, let me think about it and eventually restructured this!

@ShogunPanda ShogunPanda force-pushed the validate-http-version branch from d245a5f to 2101d70 Compare June 17, 2022 11:49
@ShogunPanda
Copy link
Contributor Author

@pallas

I followed a slightly different approach without using callbacks. How does it look now?
I chose not to introduce a new callback as the version line might be invalid (let's say HTTP/1.1 THIS IS INVALID) and thus we could not really trigger a callback before the status is validated.

About people using invalid HTTP/1.1 version, I don't think we should support that. We are already lenient on many things but I don't think this really applies to anyone. Eventually they can complain and we will consider providing compatibility.

@pallas
Copy link
Contributor

pallas commented Jun 17, 2022

So this parser is used for protocols other than basic HTTP, which is why there are a set of methods for RTSP, ICE, &c.

If you really want to validate 0.9,1.0,1.1,1.2,2.0, could you please add a parser->lenient_flags so that the old path can be taken if it turns out to cause problems? Honestly though, I think this change is kind of an unnecessary constraint on users of the parser and any logic like this should be in the application instead.

@ShogunPanda
Copy link
Contributor Author

Well, it was reported in Node for security issue.

Adding a new lenient flag will not be a problem, I'll have it ready on Monday!

@pallas
Copy link
Contributor

pallas commented Jun 17, 2022

Sure, maybe it is a security problem, but it's not a problem in the parser, it's a problem in the application calling the parser.

@ShogunPanda
Copy link
Contributor Author

That's a fair point and I kinda agree.
But as we are stricter in some other places I think we should provide the same approach here.
Lenient flag is the way to go. I'll update this shortly.

@ShogunPanda
Copy link
Contributor Author

Lenient flag added!

@ShogunPanda
Copy link
Contributor Author

@indutny What do you think of the approach for checking the version? Is there any other way?

@indutny
Copy link
Member

indutny commented Jun 20, 2022

I feel like @pallas has a point. The parser supports multiple protocols and extensions and while we should make the core secure, the version checking sounds like it should be at the very least behind lenient flags.

@ShogunPanda
Copy link
Contributor Author

ShogunPanda commented Jun 20, 2022
edited
Loading

It is under a flag now. Do you mean that by default we are lenient and the flag makes it stricter?

Nevermind. I misread.
Anyway, the parser now has a new lenient flag to restore current version parsing and it is now safer by default.
Are we good to land this?

@ShogunPanda
Copy link
Contributor Author

@indutny @pallas Are we good about this? Can this land?

@ShogunPanda ShogunPanda force-pushed the validate-http-version branch from fcf2212 to 41b999d Compare July 18, 2022 14:23
@ShogunPanda
Copy link
Contributor Author

I have updated the PR to solve merge conflicts.
Are we ready to land this?

@ShogunPanda ShogunPanda force-pushed the validate-http-version branch from 41b999d to 848c4db Compare July 21, 2022 08:16
mcollina
mcollina approved these changes Jul 21, 2022
View reviewed changes
Copy link
Member

@mcollina mcollina left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@ShogunPanda
Copy link
Contributor Author

@indutny What is your take on this? Can we merge it?

@ShogunPanda ShogunPanda merged commit 182e4b6 into nodejs:main Aug 2, 2022
@ShogunPanda ShogunPanda deleted the validate-http-version branch August 2, 2022 08:36
pallas added a commit to pallas/pyllhttp that referenced this pull request Aug 3, 2022
@pallas
parser: add properties for lenient_transfer_encoding & lenient_version
1d104f9 
For the semantics of these new flags, see
* nodejs/llhttp#161 Chunked transfer encoding
* nodejs/llhttp#157 http: validate HTTP version
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mcollina mcollina mcollina approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

http module accepts all http versions (e.g. HTTP/9.9) and treats/responds to them as http1
4 participants
@ShogunPanda @pallas @indutny @mcollina