http: disable chunked encoding when OBS fold is used

Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Vladimir de Turckheim <vlad2t@hotmail.com>
PR-URL: #341
CVE-ID: CVE-2022-32213, CVE-2022-32215, CVE-2022-35256

Author: ShogunPanda

deps/llhttp/CMakeLists.txt

@@ -1,7 +1,7 @@
 cmake_minimum_required(VERSION 3.5.1)
 cmake_policy(SET CMP0069 NEW)
 
-project(llhttp VERSION )
+project(llhttp VERSION 6.0.10)
 include(GNUInstallDirs)
 
 set(CMAKE_C_STANDARD 99)

deps/llhttp/include/llhttp.h

@@ -3,7 +3,7 @@
 
 #define LLHTTP_VERSION_MAJOR 6
 #define LLHTTP_VERSION_MINOR 0
-#define LLHTTP_VERSION_PATCH 9
+#define LLHTTP_VERSION_PATCH 10
 
 #ifndef LLHTTP_STRICT_MODE
 # define LLHTTP_STRICT_MODE 0

deps/llhttp/src/llhttp.c

@@ -6,13 +6,11 @@ const assert = require('assert');
 const { createServer, maxHeaderSize } = require('http');
 const { createConnection } = require('net');
 
-const { getOptionValue } = require('internal/options');
-
 const CRLF = '\r\n';
 const DUMMY_HEADER_NAME = 'Cookie: ';
 const DUMMY_HEADER_VALUE = 'a'.repeat(
   // Plus one is to make it 1 byte too big
-  maxHeaderSize - DUMMY_HEADER_NAME.length - (2 * CRLF.length) + 1
+  maxHeaderSize - DUMMY_HEADER_NAME.length + 2
 );
 const PAYLOAD_GET = 'GET /blah HTTP/1.1';
 const PAYLOAD = PAYLOAD_GET + CRLF +
@@ -21,14 +19,11 @@ const PAYLOAD = PAYLOAD_GET + CRLF +
 const server = createServer();
 
 server.on('connection', mustCall((socket) => {
-  // Legacy parser gives sligthly different response.
-  // This discripancy is not fixed on purpose.
-  const legacy = getOptionValue('--http-parser') === 'legacy';
   socket.on('error', expectsError({
     name: 'Error',
     message: 'Parse Error: Header overflow',
     code: 'HPE_HEADER_OVERFLOW',
-    bytesParsed: maxHeaderSize + PAYLOAD_GET.length - (legacy ? -1 : 0),
+    bytesParsed: maxHeaderSize + PAYLOAD_GET.length + (CRLF.length * 2) + 1,
     rawPacket: Buffer.from(PAYLOAD)
   }));
 }));

test/parallel/test-http-header-overflow.js

@@ -6,21 +6,7 @@ const assert = require('assert');
 const http = require('http');
 const net = require('net');
 
-const msg = [
-  'GET / HTTP/1.1',
-  'Host: localhost',
-  'Dummy: x\nContent-Length: 23',
-  '',
-  'GET / HTTP/1.1',
-  'Dummy: GET /admin HTTP/1.1',
-  'Host: localhost',
-  '',
-  '',
-].join('\r\n');
-
-const server = http.createServer(common.mustNotCall());
-
-server.listen(0, common.mustSucceed(() => {
+function serverHandler(server, msg) {
   const client = net.connect(server.address().port, 'localhost');
 
   let response = '';
@@ -40,4 +26,58 @@ server.listen(0, common.mustSucceed(() => {
   }));
   client.write(msg);
   client.resume();
-}));
+}
+
+{
+  const msg = [
+    'GET / HTTP/1.1',
+    'Host: localhost',
+    'Dummy: x\nContent-Length: 23',
+    '',
+    'GET / HTTP/1.1',
+    'Dummy: GET /admin HTTP/1.1',
+    'Host: localhost',
+    '',
+    '',
+  ].join('\r\n');
+
+  const server = http.createServer(common.mustNotCall());
+
+  server.listen(0, common.mustSucceed(serverHandler.bind(null, server, msg)));
+}
+
+{
+  const msg = [
+    'POST / HTTP/1.1',
+    'Host: localhost',
+    'x:x\nTransfer-Encoding: chunked',
+    '',
+    '1',
+    'A',
+    '0',
+    '',
+    '',
+  ].join('\r\n');
+
+  const server = http.createServer(common.mustNotCall());
+
+  server.listen(0, common.mustSucceed(serverHandler.bind(null, server, msg)));
+}
+
+{
+  const msg = [
+    'POST / HTTP/1.1',
+    'Host: localhost',
+    'x:\nTransfer-Encoding: chunked',
+    '',
+    '1',
+    'A',
+    '0',
+    '',
+    '',
+  ].join('\r\n');
+
+  const server = http.createServer(common.mustNotCall());
+
+  server.listen(0, common.mustSucceed(serverHandler.bind(null, server, msg)));
+}

test/parallel/test-http-missing-header-separator-cr.js

@@ -6,47 +6,84 @@ const assert = require('assert');
 const http = require('http');
 const net = require('net');
 
-const msg = [
-  'POST / HTTP/1.1',
-  'Host: 127.0.0.1',
-  'Transfer-Encoding: chunked',
-  'Transfer-Encoding: chunked-false',
-  'Connection: upgrade',
-  '',
-  '1',
-  'A',
-  '0',
-  '',
-  'GET /flag HTTP/1.1',
-  'Host: 127.0.0.1',
-  '',
-  '',
-].join('\r\n');
-
-const server = http.createServer(common.mustNotCall((req, res) => {
-  res.end();
-}, 1));
-
-server.listen(0, common.mustSucceed(() => {
-  const client = net.connect(server.address().port, 'localhost');
-
-  let response = '';
-
-  // Verify that the server listener is never called
-
-  client.on('data', common.mustCall((chunk) => {
-    response += chunk;
+{
+  const msg = [
+    'POST / HTTP/1.1',
+    'Host: 127.0.0.1',
+    'Transfer-Encoding: chunked',
+    'Transfer-Encoding: chunked-false',
+    'Connection: upgrade',
+    '',
+    '1',
+    'A',
+    '0',
+    '',
+    'GET /flag HTTP/1.1',
+    'Host: 127.0.0.1',
+    '',
+    '',
+  ].join('\r\n');
+
+  const server = http.createServer(common.mustNotCall((req, res) => {
+    res.end();
+  }, 1));
+
+  server.listen(0, common.mustSucceed(() => {
+    const client = net.connect(server.address().port, 'localhost');
+
+    let response = '';
+
+    // Verify that the server listener is never called
+
+    client.on('data', common.mustCall((chunk) => {
+      response += chunk;
+    }));
+
+    client.setEncoding('utf8');
+    client.on('error', common.mustNotCall());
+    client.on('end', common.mustCall(() => {
+      assert.strictEqual(
+        response,
+        'HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n'
+      );
+      server.close();
+    }));
+    client.write(msg);
+    client.resume();
   }));
+}
+
+{
+  const msg = [
+    'POST / HTTP/1.1',
+    'Host: 127.0.0.1',
+    'Transfer-Encoding: chunked',
+    ' , chunked-false',
+    'Connection: upgrade',
+    '',
+    '1',
+    'A',
+    '0',
+    '',
+    'GET /flag HTTP/1.1',
+    'Host: 127.0.0.1',
+    '',
+    '',
+  ].join('\r\n');
+
+  const server = http.createServer(common.mustCall((request, response) => {
+    assert.notStrictEqual(request.url, '/admin');
+    response.end('hello world');
+  }), 1);
+
+  server.listen(0, common.mustSucceed(() => {
+    const client = net.connect(server.address().port, 'localhost');
+
+    client.on('end', common.mustCall(function() {
+      server.close();
+    }));
 
-  client.setEncoding('utf8');
-  client.on('error', common.mustNotCall());
-  client.on('end', common.mustCall(() => {
-    assert.strictEqual(
-      response,
-      'HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n'
-    );
-    server.close();
+    client.write(msg);
+    client.resume();
   }));
-  client.write(msg);
-  client.resume();
-}));
+}