Skip to content

fix(fixRequestBody): check readableLength #1096

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Apr 10, 2025
Merged

fix(fixRequestBody): check readableLength #1096

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
43 changes: 5 additions & 38 deletions src/handlers/fix-request-body.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,26 +1,20 @@
import type * as http from 'http';
import * as querystring from 'querystring';

import type { Options } from '../types';
import { getLogger } from '../logger';

export type BodyParserLikeRequest = http.IncomingMessage & { body?: any };

type HandleBadRequestArgs = {
proxyReq: http.ClientRequest;
req: BodyParserLikeRequest;
res: http.ServerResponse<http.IncomingMessage>;
};

/**
* Fix proxied body if bodyParser is involved.
*/
export function fixRequestBody<TReq extends BodyParserLikeRequest = BodyParserLikeRequest>(
proxyReq: http.ClientRequest,
req: TReq,
res: http.ServerResponse<http.IncomingMessage>,
options: Options,
): void {
// skip fixRequestBody() when req.readableLength not 0 (bodyParser failure)
if (req.readableLength !== 0) {
return;
}

const requestBody = req.body;

if (!requestBody) {
Expand All @@ -33,22 +27,6 @@ export function fixRequestBody<TReq extends BodyParserLikeRequest = BodyParserLi
return;
}

const logger = getLogger(options);

// Handle bad request when unexpected "Connect: Upgrade" header is provided
if (/upgrade/gi.test(proxyReq.getHeader('Connection') as string)) {
handleBadRequest({ proxyReq, req, res });
logger.error(`[HPM] HPM_UNEXPECTED_CONNECTION_UPGRADE_HEADER. Aborted request: ${req.url}`);
return;
}

// Handle bad request when invalid request body is provided
if (hasInvalidKeys(requestBody)) {
handleBadRequest({ proxyReq, req, res });
logger.error(`[HPM] HPM_INVALID_REQUEST_DATA. Aborted request: ${req.url}`);
return;
}

const writeBody = (bodyData: string) => {
proxyReq.setHeader('Content-Length', Buffer.byteLength(bodyData));
proxyReq.write(bodyData);
Expand Down Expand Up @@ -79,14 +57,3 @@ function handlerFormDataBodyData(contentType: string, data: any) {
}
return str;
}

function hasInvalidKeys(obj) {
return Object.keys(obj).some((key) => /[\n\r]/.test(key));
}

function handleBadRequest({ proxyReq, req, res }: HandleBadRequestArgs) {
res.writeHead(400);
res.end('Bad Request');
proxyReq.destroy();
req.destroy();
}
105 changes: 20 additions & 85 deletions test/unit/fix-request-body.spec.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,7 @@ describe('fixRequestBody', () => {
jest.spyOn(proxyRequest, 'setHeader');
jest.spyOn(proxyRequest, 'write');

fixRequestBody(proxyRequest, createRequestWithBody(undefined), fakeProxyResponse(), {});
fixRequestBody(proxyRequest, createRequestWithBody(undefined));

expect(proxyRequest.setHeader).not.toHaveBeenCalled();
expect(proxyRequest.write).not.toHaveBeenCalled();
Expand All @@ -51,7 +51,7 @@ describe('fixRequestBody', () => {
jest.spyOn(proxyRequest, 'setHeader');
jest.spyOn(proxyRequest, 'write');

fixRequestBody(proxyRequest, createRequestWithBody({}), fakeProxyResponse(), {});
fixRequestBody(proxyRequest, createRequestWithBody({}));

expect(proxyRequest.setHeader).toHaveBeenCalled();
expect(proxyRequest.write).toHaveBeenCalled();
Expand All @@ -64,12 +64,7 @@ describe('fixRequestBody', () => {
jest.spyOn(proxyRequest, 'setHeader');
jest.spyOn(proxyRequest, 'write');

fixRequestBody(
proxyRequest,
createRequestWithBody({ someField: 'some value' }),
fakeProxyResponse(),
{},
);
fixRequestBody(proxyRequest, createRequestWithBody({ someField: 'some value' }));

const expectedBody = JSON.stringify({ someField: 'some value' });
expect(proxyRequest.setHeader).toHaveBeenCalledWith('Content-Length', expectedBody.length);
Expand All @@ -83,12 +78,7 @@ describe('fixRequestBody', () => {
jest.spyOn(proxyRequest, 'setHeader');
jest.spyOn(proxyRequest, 'write');

fixRequestBody(
proxyRequest,
createRequestWithBody({ someField: 'some value' }),
fakeProxyResponse(),
{},
);
fixRequestBody(proxyRequest, createRequestWithBody({ someField: 'some value' }));

const expectedBody = handlerFormDataBodyData('multipart/form-data', {
someField: 'some value',
Expand All @@ -112,12 +102,7 @@ describe('fixRequestBody', () => {
jest.spyOn(proxyRequest, 'setHeader');
jest.spyOn(proxyRequest, 'write');

fixRequestBody(
proxyRequest,
createRequestWithBody({ someField: 'some value' }),
fakeProxyResponse(),
{},
);
fixRequestBody(proxyRequest, createRequestWithBody({ someField: 'some value' }));

const expectedBody = handlerFormDataBodyData('multipart/form-data', {
someField: 'some value',
Expand All @@ -142,12 +127,7 @@ describe('fixRequestBody', () => {
jest.spyOn(proxyRequest, 'setHeader');
jest.spyOn(proxyRequest, 'write');

fixRequestBody(
proxyRequest,
createRequestWithBody({ someField: 'some value' }),
fakeProxyResponse(),
{},
);
fixRequestBody(proxyRequest, createRequestWithBody({ someField: 'some value' }));
const expectedBody = JSON.stringify({ someField: 'some value' });
expect(proxyRequest.setHeader).toHaveBeenCalledWith('Content-Length', expectedBody.length);
expect(proxyRequest.write).toHaveBeenCalledWith(expectedBody);
Expand All @@ -160,12 +140,7 @@ describe('fixRequestBody', () => {
jest.spyOn(proxyRequest, 'setHeader');
jest.spyOn(proxyRequest, 'write');

fixRequestBody(
proxyRequest,
createRequestWithBody({ someField: 'some value' }),
fakeProxyResponse(),
{},
);
fixRequestBody(proxyRequest, createRequestWithBody({ someField: 'some value' }));

const expectedBody = querystring.stringify({ someField: 'some value' });
expect(proxyRequest.setHeader).toHaveBeenCalledWith('Content-Length', expectedBody.length);
Expand All @@ -179,12 +154,7 @@ describe('fixRequestBody', () => {
jest.spyOn(proxyRequest, 'setHeader');
jest.spyOn(proxyRequest, 'write');

fixRequestBody(
proxyRequest,
createRequestWithBody({ someField: 'some value' }),
fakeProxyResponse(),
{},
);
fixRequestBody(proxyRequest, createRequestWithBody({ someField: 'some value' }));

const expectedBody = querystring.stringify({ someField: 'some value' });
expect(proxyRequest.setHeader).toHaveBeenCalledWith('Content-Length', expectedBody.length);
Expand All @@ -198,69 +168,34 @@ describe('fixRequestBody', () => {
jest.spyOn(proxyRequest, 'setHeader');
jest.spyOn(proxyRequest, 'write');

fixRequestBody(
proxyRequest,
createRequestWithBody({ someField: 'some value' }),
fakeProxyResponse(),
{},
);
fixRequestBody(proxyRequest, createRequestWithBody({ someField: 'some value' }));

const expectedBody = JSON.stringify({ someField: 'some value' });
expect(proxyRequest.setHeader).toHaveBeenCalledWith('Content-Length', expectedBody.length);
expect(proxyRequest.write).toHaveBeenCalledTimes(1);
expect(proxyRequest.write).toHaveBeenCalledWith(expectedBody);
});

it('should return 400 and abort request on "Connection: Upgrade" header', () => {
it('should not fixRequestBody() when there bodyParser fails', () => {
const proxyRequest = fakeProxyRequest();
const request = createRequestWithBody({ someField: 'some value' });
const proxyResponse = fakeProxyResponse();
proxyRequest.setHeader('connection', 'upgrade');
proxyRequest.setHeader('content-type', 'application/x-www-form-urlencoded');

jest.spyOn(proxyRequest, 'destroy');
jest.spyOn(request, 'destroy');
jest.spyOn(proxyResponse, 'writeHead');
jest.spyOn(proxyResponse, 'end');

const logger = {
error: jest.fn(),
};
const request = {
get readableLength() {
return 4444; // simulate bodyParser failure
},
} as BodyParserLikeRequest;

fixRequestBody(proxyRequest, request, proxyResponse, { logger });

expect(proxyResponse.writeHead).toHaveBeenCalledWith(400);
expect(proxyResponse.end).toHaveBeenCalledTimes(1);
expect(proxyRequest.destroy).toHaveBeenCalledTimes(1);
expect(request.destroy).toHaveBeenCalledTimes(1);
expect(logger.error).toHaveBeenCalledWith(
`[HPM] HPM_UNEXPECTED_CONNECTION_UPGRADE_HEADER. Aborted request: /test_path`,
);
});

it('should return 400 and abort request on invalid request data', () => {
const proxyRequest = fakeProxyRequest();
const request = createRequestWithBody({ 'INVALID \n\r DATA': '' });
const proxyResponse = fakeProxyResponse();
proxyRequest.setHeader('content-type', 'application/x-www-form-urlencoded');

jest.spyOn(proxyRequest, 'write');
jest.spyOn(proxyRequest, 'destroy');
jest.spyOn(request, 'destroy');
jest.spyOn(proxyResponse, 'writeHead');
jest.spyOn(proxyResponse, 'end');

const logger = {
error: jest.fn(),
};

fixRequestBody(proxyRequest, request, proxyResponse, { logger });
fixRequestBody(proxyRequest, request);

expect(proxyResponse.writeHead).toHaveBeenCalledWith(400);
expect(proxyResponse.end).toHaveBeenCalledTimes(1);
expect(proxyRequest.destroy).toHaveBeenCalledTimes(1);
expect(request.destroy).toHaveBeenCalledTimes(1);
expect(logger.error).toHaveBeenCalledWith(
`[HPM] HPM_INVALID_REQUEST_DATA. Aborted request: /test_path`,
);
expect(proxyResponse.end).toHaveBeenCalledTimes(0);
expect(proxyRequest.write).toHaveBeenCalledTimes(0);
expect(proxyRequest.destroy).toHaveBeenCalledTimes(0);
});
});