Skip to content
Permalink
Browse files

test: using TE to smuggle reqs is not possible

See: https://hackerone.com/reports/735748

PR-URL: nodejs-private/node-private#199
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
  • Loading branch information
sam-github committed Jan 16, 2020
1 parent 8f41e83 commit eea3a7429bd91d1ed69b8364abecf06694661ac1
Showing with 41 additions and 1 deletion.
  1. +1 −1 test/parallel/test-http-client-error-rawbytes.js
  2. +40 −0 test/parallel/test-http-invalid-te.js
@@ -19,7 +19,7 @@ server.listen(0, common.mustCall(() => {
const req = http.get(`http://localhost:${server.address().port}/`);
req.end();
req.on('error', common.mustCall((err) => {
const reason = 'Content-Length can\'t be present with chunked encoding';
const reason = 'Content-Length can\'t be present with Transfer-Encoding';
assert.strictEqual(err.message, `Parse Error: ${reason}`);
assert(err.bytesParsed < response.length);
assert(err.bytesParsed >= response.indexOf('Transfer-Encoding'));
@@ -0,0 +1,40 @@
'use strict';

const common = require('../common');

// Test https://hackerone.com/reports/735748 is fixed.

const assert = require('assert');
const http = require('http');
const net = require('net');

const REQUEST_BB = `POST / HTTP/1.1
Content-Type: text/plain; charset=utf-8
Host: hacker.exploit.com
Connection: keep-alive
Content-Length: 10
Transfer-Encoding: chunked, eee
HELLOWORLDPOST / HTTP/1.1
Content-Type: text/plain; charset=utf-8
Host: hacker.exploit.com
Connection: keep-alive
Content-Length: 28
I AM A SMUGGLED REQUEST!!!
`;

const server = http.createServer(common.mustNotCall());

server.on('clientError', common.mustCall((err) => {
assert.strictEqual(err.code, 'HPE_UNEXPECTED_CONTENT_LENGTH');
server.close();
}));

server.listen(0, common.mustCall(() => {
const client = net.connect(
server.address().port,
common.mustCall(() => {
client.end(REQUEST_BB.replace(/\n/g, '\r\n'));
}));
}));

0 comments on commit eea3a74

Please sign in to comment.
You can’t perform that action at this time.