fix(Headers): filter out forbidden headers & get should return null…

… on unknown header name (nodejs#1337) * fix: headers * re-run ci
metcoder95 · Dec 26, 2022 · 7561d7c · 7561d7c
1 parent 206c403
commit 7561d7c
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 2 deletions.
diff --git a/lib/fetch/response.js b/lib/fetch/response.js
@@ -393,7 +393,8 @@ function makeFilteredHeadersList (headersList, filter) {
     get (target, prop) {
       // Override methods used by Headers class.
       if (prop === 'get' || prop === 'has') {
-        return (name) => filter(name) ? target[prop](name) : undefined
+        const defaultReturn = prop === 'has' ? false : null
+        return (name) => filter(name) ? target[prop](name) : defaultReturn
       } else if (prop === Symbol.iterator) {
         return function * () {
           for (const entry of target) {
@@ -420,7 +421,10 @@ function filterResponse (response, type) {
 
     return makeFilteredResponse(response, {
       type: 'basic',
-      headersList: makeFilteredHeadersList(response.headersList, (name) => !forbiddenResponseHeaderNames.includes(name))
+      headersList: makeFilteredHeadersList(
+        response.headersList,
+        (name) => !forbiddenResponseHeaderNames.includes(name.toLowerCase())
+      )
     })
   } else if (type === 'cors') {
     // A CORS filtered response is a filtered response whose type is "cors"

diff --git a/test/fetch/headers.js b/test/fetch/headers.js
@@ -12,6 +12,8 @@ const {
   forbiddenHeaderNames,
   forbiddenResponseHeaderNames
 } = require('../../lib/fetch/constants')
+const { createServer } = require('http')
+const { fetch } = require('../../index')
 
 tap.test('Headers initialization', t => {
   t.plan(7)
@@ -627,3 +629,37 @@ tap.test('response guard', (t) => {
 
   t.end()
 })
+
+tap.test('set-cookie[2] in Headers constructor', (t) => {
+  const headers = new Headers(forbiddenResponseHeaderNames.map(k => [k, 'v']))
+
+  for (const header of forbiddenResponseHeaderNames) {
+    t.ok(headers.has(header))
+    t.equal(headers.get(header), 'v')
+  }
+
+  t.end()
+})
+
+// https://github.com/nodejs/undici/issues/1328
+tap.test('set-cookie[2] received from server - issue #1328', (t) => {
+  const server = createServer((req, res) => {
+    res.setHeader('set-cookie', 'my-cookie; wow')
+    res.end('Goodbye!')
+  }).unref()
+  t.teardown(server.close.bind(server))
+
+  server.listen(0, async () => {
+    const { headers } = await fetch(`http://localhost:${server.address().port}`)
+
+    t.notOk(headers.has('set-cookie'))
+    t.notOk(headers.has('Set-cookie'))
+    t.notOk(headers.has('sEt-CoOkIe'))
+
+    t.equal(headers.get('set-cookie'), null)
+    t.equal(headers.get('Set-cookie'), null)
+    t.equal(headers.get('sEt-CoOkIe'), null)
+
+    t.end()
+  })
+})