Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: catch ERR_INVALID_URL error in listener #162

Merged
merged 1 commit into from
Apr 19, 2024
Merged

fix: catch ERR_INVALID_URL error in listener #162

merged 1 commit into from
Apr 19, 2024

Conversation

usualoma
Copy link
Member

fixes #159

@usualoma usualoma mentioned this pull request Apr 19, 2024
Closed
@yusukebe
Copy link
Member

@usualoma

Thanks for the quick fix! I'll merge it right now.

@yusukebe yusukebe merged commit d847e60 into honojs:main Apr 19, 2024
3 checks passed
nicolewhite pushed a commit to autoblocksai/cli that referenced this pull request Apr 19, 2024
@renovate
Update dependency @hono/node-server to v1.10.1 [SECURITY] (#42)
aaa420f 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [@hono/node-server](https://togithub.com/honojs/node-server) |
[`1.10.0` ->
`1.10.1`](https://renovatebot.com/diffs/npm/@hono%2fnode-server/1.10.0/1.10.1)
|
[![age](https://developer.mend.io/api/mc/badges/age/npm/@hono%2fnode-server/1.10.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/@hono%2fnode-server/1.10.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/@hono%2fnode-server/1.10.0/1.10.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@hono%2fnode-server/1.10.0/1.10.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

### GitHub Vulnerability Alerts

####
[CVE-2024-32652](https://togithub.com/honojs/node-server/security/advisories/GHSA-hgxw-5xg3-69jx)

### Impact

The application hangs when receiving a Host header with a value that
`@hono/node-server` can't handle well. Invalid values are those that
cannot be parsed by the `URL` as a hostname such as an empty string,
slashes `/`, and other strings.

For example, if you have a simple application:

```ts
import { serve } from '@​hono/node-server'
import { Hono } from 'hono'

const app = new Hono()

app.get('/', (c) => c.text('Hello'))

serve(app)
```

Sending a request with a Host header with an empty value to it:

```
curl localhost:3000/ -H "Host: "
```

The results:

```
node:internal/url:775
    this.#updateContext(bindingUrl.parse(input, base));
                                   ^

TypeError: Invalid URL
    at new URL (node:internal/url:775:36)
    at newRequest (/Users/yusuke/work/h/159/node_modules/@​hono/node-server/dist/index.js:137:17)
    at Server.<anonymous> (/Users/yusuke/work/h/159/node_modules/@&#8203;hono/node-server/dist/index.js:399:17)
    at Server.emit (node:events:514:28)
    at Server.emit (node:domain:488:12)
    at parserOnIncoming (node:_http_server:1143:12)
    at HTTPParser.parserOnHeadersComplete (node:_http_common:119:17) {
  code: 'ERR_INVALID_URL',
  input: 'http:///'
}
```

### Patches

The version `1.10.1` includes the fix for this issue. But, you should
use `1.11.0`, which has other fixes related to this issue.
[honojs/node-server#160
[honojs/node-server#161

### Workarounds

Nothing. Upgrade your `@hono/node-server`.

### References


[honojs/node-server#159

---

### Release Notes

<details>
<summary>honojs/node-server (@&#8203;hono/node-server)</summary>

###
[`v1.10.1`](https://togithub.com/honojs/node-server/releases/tag/v1.10.1)

[Compare
Source](https://togithub.com/honojs/node-server/compare/v1.10.0...v1.10.1)

#### What's Changed

- fix: catch ERR_INVALID_URL error in listener by
[@&#8203;usualoma](https://togithub.com/usualoma) in
[honojs/node-server#162

**Full Changelog**:
honojs/node-server@v1.10.0...v1.10.1

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" in timezone America/Chicago,
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/autoblocksai/cli).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4zMDEuNCIsInVwZGF0ZWRJblZlciI6IjM3LjMwMS40IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@ishaan-jaff ishaan-jaff mentioned this pull request May 24, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yusukebe yusukebe yusukebe approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Denial of Service in newRequest
2 participants
@usualoma @yusukebe