Detect and trim any invalid incoming req header name #1276

Open
wants to merge 3 commits into
base: master
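--- a/lib/http-proxy/passes/web-incoming.js
+++ b/lib/http-proxy/passes/web-incoming.js
@@ -122,6 +122,22 @@ module.exports = {
 if(!options.target) { return res.end(); }
 }
 
+// Check incoming req headers if they contain whitespace and modify if true.
+// Without following modifications it will crash server
+var reqHeaderKeys = Object.keys(req.headers);
+for (var i = 0; i < reqHeaderKeys.length; i++) {
+var reqHeaderKey = reqHeaderKeys[i];
+if (reqHeaderKey.includes(" ")) {
+var newHeaderKey = reqHeaderKey.trim();
+// Replace all whitespaces that are not trimmed with dash (necessary for "foo bar" type of header names)
+newHeaderKey = newHeaderKey.replace(" ", "-");
+// Add new header to req headers
+req.headers[newHeaderKey] = req.headers[reqHeaderKey];
+// Remove invalid header
+delete req.headers[reqHeaderKey];
+}
+}
+
 // Request initalization
 var proxyReq = (options.target.protocol === 'https:' ? https : http).request(
 common.setupOutgoing(options.ssl || {}, options, req)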
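Review bot: Renaming a malformed header at `req.headers[newHeaderKey] = req.headers[reqHeaderKey]` silently overwrites any header that already carries the normalized name, so a key such as `x-forwarded-for ` would replace the real `x-forwarded-for` value before the request is forwarded; dropping the invalid entry (or ending the request with a 400) keeps a malformed name from standing in for a trusted one. The detection is also narrower than the failure it guards against: `includes(" ")` misses tabs and other non-token characters, and `replace(" ", "-")` with a string pattern replaces only the first space, so `foo bar baz` stays invalid despite the comment saying all whitespace is replaced. The enclosing function starts and ends outside the hunk. A token-based check that drops instead of renaming is sketched below.

```javascript
// RFC 7230 "token": the only characters allowed in a header field name.
var validHeaderName = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
var reqHeaderKeys = Object.keys(req.headers);
for (var i = 0; i < reqHeaderKeys.length; i++) {
  if (!validHeaderName.test(reqHeaderKeys[i])) {
    // Drop instead of renaming, so a malformed name can never replace a real header.
    delete req.headers[reqHeaderKeys[i]];
  }
}
// … unchanged: request initialization …
```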
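--- a/test/lib-http-proxy-passes-web-incoming-test.js
+++ b/test/lib-http-proxy-passes-web-incoming-test.js
@@ -126,6 +126,32 @@ describe('#createProxyServer.web() using own http server', function () {
 http.request('http://127.0.0.1:8081', function() {}).end();
 });
 
+it('should detect invalid header in req headers and modify header', function (done) {
+var proxy = httpProxy.createProxyServer({
+target: 'http://127.0.0.1:8080',
+});
+
+function requestHandler(req, res) {
+// Add invalid header with whitespace
+req.headers['x-invalid-req-header '] = 'foobar';
+proxy.web(req, res);
+}
+
+var proxyServer = http.createServer(requestHandler);
+
+var source = http.createServer(function(req, res) {
+source.close();
+proxyServer.close();
+expect(req.headers['x-invalid-req-header']).to.eql('foobar');
+done();
+});
+
+proxyServer.listen('8081');
+source.listen('8080');
+
+http.request('http://127.0.0.1:8081', function() {}).end();
+});
+
 it('should proxy the request and handle error via callback', function(done) {
 var proxy = httpProxy.createProxyServer({
 target: 'http://127.0.0.1:8080'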
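Review bot: Only a trailing space is covered by `req.headers['x-invalid-req-header '] = 'foobar'`, so the inner-whitespace path that the implementation comment calls out (`foo bar`) is never exercised; a second case with a name containing two or more inner spaces would show whether every space is actually handled. A case where the normalized name already exists in `req.headers` would also pin down which value reaches the target, which matters for headers the upstream trusts. Since the malformed key is injected by mutating `req.headers` in the handler rather than sent on the wire, a comment such as `// Simulates middleware adding a malformed key; not a header received from the client` would make the scenario clear.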