http: add --security-revert for CVE-2018-12116

PR-URL: nodejs-private/node-private#146
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Timothy Gu <timothygu99@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>

Author: mcollina

lib/_http_client.js

@@ -14,6 +14,8 @@ const OutgoingMessage = require('_http_outgoing').OutgoingMessage;
 const Agent = require('_http_agent');
 const Buffer = require('buffer').Buffer;
 
+const REVERT_CVE_2018_12116 = process.REVERT_CVE_2018_12116;
+
 const INVALID_PATH_REGEX = /[^\u0021-\u00ff]/;
 
 function ClientRequest(options, cb) {
@@ -47,7 +49,14 @@ function ClientRequest(options, cb) {
   var path;
   if (options.path) {
     path = String(options.path);
-    if (INVALID_PATH_REGEX.test(path))
+    var invalidPath;
+    if (REVERT_CVE_2018_12116) {
+      invalidPath = /[\u0000-\u0020]/.test(path);
+    } else {
+      invalidPath = INVALID_PATH_REGEX.test(path);
+    }
+
+    if (invalidPath)
       throw new TypeError('Request path contains unescaped characters');
   }
 

src/node_revert.h

@@ -15,8 +15,8 @@
  **/
 namespace node {
 
-#define SECURITY_REVERSIONS(XX)
-//  XX(CVE_2016_PEND, "CVE-2016-PEND", "Vulnerability Title")
+#define SECURITY_REVERSIONS(XX) \
+  XX(CVE_2018_12116, "CVE-2018-12116", "HTTP request splitting")
 
 enum reversion {
 #define V(code, ...) SECURITY_REVERT_##code,