
http: verify client method is a string

Prior to this commit, it was possible to pass a truthy non-string
value as the HTTP method to the HTTP client, resulting in an
exception being thrown. This commit adds validation to the method.

PR-URL: #10111
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
lucamaraschi authored and cjihrig committed Dec 4, 2016
1 parent 6967ed4 commit df3978421b86991fb45256f1a8694e0590019b13
Showing with 45 additions and 1 deletion.
  1. +5 −1 lib/_http_client.js
  2. +40 −0 test/parallel/test-http-client-check-http-token.js
@@ -68,7 +68,11 @@ function ClientRequest(options, cb) {
self.socketPath = options.socketPath;
self.timeout = options.timeout;
var method = self.method = (options.method || 'GET').toUpperCase();
var method = options.method;
if (method != null && typeof method !== 'string') {
throw new TypeError('Method must be a string');
}
method = self.method = (method || 'GET').toUpperCase();
if (!common._checkIsHttpToken(method)) {
throw new TypeError('Method must be a valid HTTP token');
}
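Review bot: The new guard `if (method != null && typeof method !== 'string')` rejects every non-string except null/undefined, so falsy values such as `0` and `false`, which the old `(options.method || 'GET')` expression silently turned into `GET`, now throw, while the commit message only mentions truthy values. Rejecting them is reasonable for a value that is validated as an HTTP token right afterwards, but it is a caller-visible change and worth stating at the check, for example `// Only null/undefined default to 'GET'; any other non-string, including 0 and false, is rejected.` An empty string still falls through `method || 'GET'` and becomes `GET`, which the comment could mention as well. ClientRequest begins and ends outside this hunk.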
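--- a/test/parallel/test-http-client-check-http-token.js
+++ b/test/parallel/test-http-client-check-http-token.js
@@ -0,0 +1,40 @@
+'use strict';
+const common = require('../common');
+const assert = require('assert');
+const http = require('http');
+const expectedSuccesses = [undefined, null, 'GET', 'post'];
+let requestCount = 0;
+const server = http.createServer((req, res) => {
+requestCount++;
+res.end();
+if (expectedSuccesses.length === requestCount) {
+server.close();
+}
+}).listen(0, test);
+function test() {
+function fail(input) {
+assert.throws(() => {
+http.request({ method: input, path: '/' }, common.fail);
+}, /^TypeError: Method must be a string$/);
+}
+fail(-1);
+fail(1);
+fail(0);
+fail({});
+fail(true);
+fail(false);
+fail([]);
+function ok(method) {
+http.request({ method: method, port: server.address().port }).end();
+}
+expectedSuccesses.forEach((method) => {
+ok(method);
+});
+}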
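Review bot: The handler passed to `http.createServer` only counts requests, so a request that never arrives leaves the server open and the test ends in a timeout instead of a clear failure; wrapping it as `common.mustCall((req, res) => { ... }, expectedSuccesses.length)` would report the missing call directly. The handler also never looks at `req.method`, so the test does not show that `'post'` is upper-cased or that `undefined` and `null` become `GET`. The empty string appears in neither list, although it passes the type check and falls back to `GET` in the patched code.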
