http: disallow two-byte characters in URL path

CVE-2018-12116 Backport of b961d9f to 6.x Original commit: This commit changes node's handling of two-byte characters in the path component of an http URL. Previously, node would just strip the higher byte when generating the request. So this code: ``` http.request({host: "example.com", port: "80", "/Ｎ"}) ``` would request `http://example.com/.` (`.` is the character for the byte `0x2e`). This is not useful and can in some cases lead to filter evasion. With this change, the code generates `ERR_UNESCAPED_CHARACTERS`, just like space and control characters already did. PR-URL: #16237 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Anatoli Papirovski <apapirovski@mac.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de> Reviewed-By: Timothy Gu <timothygu99@gmail.com> PR-URL: nodejs-private/node-private#146 Fixes: nodejs-private/security#207 Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Timothy Gu <timothygu99@gmail.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
nodejs · Nov 27, 2018 · 811b63c · 811b63c
1 parent 9c268d0
commit 811b63c
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 8 deletions.
diff --git a/lib/_http_client.js b/lib/_http_client.js
@@ -14,6 +14,7 @@ const OutgoingMessage = require('_http_outgoing').OutgoingMessage;
 const Agent = require('_http_agent');
 const Buffer = require('buffer').Buffer;
 
+const INVALID_PATH_REGEX = /[^\u0021-\u00ff]/;
 
 function ClientRequest(options, cb) {
   var self = this;
@@ -43,14 +44,14 @@ function ClientRequest(options, cb) {
   if (self.agent && self.agent.protocol)
     expectedProtocol = self.agent.protocol;
 
-  if (options.path && /[\u0000-\u0020]/.test(options.path)) {
-    // The actual regex is more like /[^A-Za-z0-9\-._~!$&'()*+,;=/:@]/
-    // with an additional rule for ignoring percentage-escaped characters
-    // but that's a) hard to capture in a regular expression that performs
-    // well, and b) possibly too restrictive for real-world usage.
-    // Restrict the filter to control characters and spaces.
-    throw new TypeError('Request path contains unescaped characters');
-  } else if (protocol !== expectedProtocol) {
+  var path;
+  if (options.path) {
+    path = String(options.path);
+    if (INVALID_PATH_REGEX.test(path))
+      throw new TypeError('Request path contains unescaped characters');
+  }
+
+  if (protocol !== expectedProtocol) {
     throw new Error('Protocol "' + protocol + '" not supported. ' +
                     'Expected "' + expectedProtocol + '"');
   }

diff --git a/test/parallel/test-http-client-invalid-path.js b/test/parallel/test-http-client-invalid-path.js
@@ -0,0 +1,12 @@
+'use strict';
+
+require('../common');
+
+const http = require('http');
+const assert = require('assert');
+
+assert.throws(() => {
+  http.request({
+    path: '/thisisinvalid\uffe2'
+  }).end();
+}, /Request path contains unescaped characters/);