http2: add invalidheaders test

rexagod · mcollina · commit 1e4187fcf4b8 · 2020-06-17T10:26:03.000+02:00
Refs: #29829 PR-URL: #33161 Reviewed-By: Robert Nagy <ronagy@icloud.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com> Reviewed-By: Denys Otrishko <shishugi@gmail.com>
diff --git a/lib/internal/http2/compat.js b/lib/internal/http2/compat.js
@@ -73,7 +73,7 @@ let statusConnectionHeaderWarned = false;
 // close as possible to the current require('http') API
 
 const assertValidHeader = hideStackFrames((name, value) => {
-  if (name === '' || typeof name !== 'string') {
+  if (name === '' || typeof name !== 'string' || name.indexOf(' ') >= 0) {
     throw new ERR_INVALID_HTTP_TOKEN('Header name', name);
   }
   if (isPseudoHeader(name)) {
diff --git a/lib/internal/http2/util.js b/lib/internal/http2/util.js
@@ -18,7 +18,8 @@ const {
     ERR_HTTP2_INVALID_CONNECTION_HEADERS,
     ERR_HTTP2_INVALID_PSEUDOHEADER,
     ERR_HTTP2_INVALID_SETTING_VALUE,
-    ERR_INVALID_ARG_TYPE
+    ERR_INVALID_ARG_TYPE,
+    ERR_INVALID_HTTP_TOKEN
   },
   addCodeToName,
   hideStackFrames
@@ -490,6 +491,9 @@ function mapToHeaders(map,
       count++;
       continue;
     }
+    if (key.indexOf(' ') >= 0) {
+      throw new ERR_INVALID_HTTP_TOKEN('Header name', key);
+    }
     if (isIllegalConnectionSpecificHeader(key, value)) {
       throw new ERR_HTTP2_INVALID_CONNECTION_HEADERS(key);
     }
diff --git a/test/parallel/test-http2-invalidheaderfield.js b/test/parallel/test-http2-invalidheaderfield.js
@@ -0,0 +1,65 @@
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto) { common.skip('missing crypto'); }
+
+// Check for:
+// Spaced headers
+// Psuedo headers
+// Capitalized headers
+
+const http2 = require('http2');
+const { throws, strictEqual } = require('assert');
+
+const server = http2.createServer(common.mustCall((req, res) => {
+  throws(() => {
+    res.setHeader(':path', '/');
+  }, {
+    code: 'ERR_HTTP2_PSEUDOHEADER_NOT_ALLOWED'
+  });
+  throws(() => {
+    res.setHeader('t est', 123);
+  }, {
+    code: 'ERR_INVALID_HTTP_TOKEN'
+  });
+  res.setHeader('TEST', 123);
+  res.setHeader('test_', 123);
+  res.setHeader(' test', 123);
+  res.end();
+}));
+
+server.listen(0, common.mustCall(() => {
+  const session1 = http2.connect(`http://localhost:${server.address().port}`);
+  session1.request({ 'test_': 123, 'TEST': 123 })
+    .on('end', common.mustCall(() => {
+      session1.close();
+      server.close();
+    }));
+
+  const session2 = http2.connect(`http://localhost:${server.address().port}`);
+  session2.on('error', common.mustCall((e) => {
+    strictEqual(e.code, 'ERR_INVALID_HTTP_TOKEN');
+  }));
+  throws(() => {
+    session2.request({ 't est': 123 });
+  }, {
+    code: 'ERR_INVALID_HTTP_TOKEN'
+  });
+
+  const session3 = http2.connect(`http://localhost:${server.address().port}`);
+  session3.on('error', common.mustCall((e) => {
+    strictEqual(e.code, 'ERR_INVALID_HTTP_TOKEN');
+  }));
+  throws(() => {
+    session3.request({ ' test': 123 });
+  }, {
+    code: 'ERR_INVALID_HTTP_TOKEN'
+  });
+
+  const session4 = http2.connect(`http://localhost:${server.address().port}`);
+  throws(() => {
+    session4.request({ ':test': 123 });
+  }, {
+    code: 'ERR_HTTP2_INVALID_PSEUDOHEADER'
+  });
+  session4.close();
+}));
diff --git a/test/parallel/test-http2-invalidheaderfields-client.js b/test/parallel/test-http2-invalidheaderfields-client.js
@@ -9,7 +9,11 @@ const server1 = http2.createServer();
 server1.listen(0, common.mustCall(() => {
   const session = http2.connect(`http://localhost:${server1.address().port}`);
   // Check for req headers
-  session.request({ 'no underscore': 123 });
+  assert.throws(() => {
+    session.request({ 'no underscore': 123 });
+  }, {
+    code: 'ERR_INVALID_HTTP_TOKEN'
+  });
   session.on('error', common.mustCall((e) => {
     assert.strictEqual(e.code, 'ERR_INVALID_HTTP_TOKEN');
     server1.close();
@@ -18,15 +22,18 @@ server1.listen(0, common.mustCall(() => {
 
 const server2 = http2.createServer(common.mustCall((req, res) => {
   // check for setHeader
-  res.setHeader('x y z', 123);
+  assert.throws(() => {
+    res.setHeader('x y z', 123);
+  }, {
+    code: 'ERR_INVALID_HTTP_TOKEN'
+  });
   res.end();
 }));
 
 server2.listen(0, common.mustCall(() => {
   const session = http2.connect(`http://localhost:${server2.address().port}`);
   const req = session.request();
-  req.on('error', common.mustCall((e) => {
-    assert.strictEqual(e.code, 'ERR_HTTP2_STREAM_ERROR');
+  req.on('end', common.mustCall(() => {
     session.close();
     server2.close();
   }));
@@ -39,16 +46,15 @@ const server3 = http2.createServer(common.mustCall((req, res) => {
       'an invalid header': 123
     });
   }), {
-    code: 'ERR_HTTP2_INVALID_STREAM'
+    code: 'ERR_INVALID_HTTP_TOKEN'
   });
   res.end();
 }));
 
 server3.listen(0, common.mustCall(() => {
   const session = http2.connect(`http://localhost:${server3.address().port}`);
   const req = session.request();
-  req.on('error', common.mustCall((e) => {
-    assert.strictEqual(e.code, 'ERR_HTTP2_STREAM_ERROR');
+  req.on('end', common.mustCall(() => {
     server3.close();
     session.close();
   }));

Original file line number	Diff line number	Diff line change
`@@ -73,7 +73,7 @@ let statusConnectionHeaderWarned = false;`
`73`	`73`	`// close as possible to the current require('http') API`
`74`	`74`
`75`	`75`	`const assertValidHeader = hideStackFrames((name, value) => {`
`76`		`- if (name === '' \|\| typeof name !== 'string') {`
	`76`	`+ if (name === '' \|\| typeof name !== 'string' \|\| name.indexOf(' ') >= 0) {`
`77`	`77`	`throw new ERR_INVALID_HTTP_TOKEN('Header name', name);`
`78`	`78`	`}`
`79`	`79`	`if (isPseudoHeader(name)) {`