http2: check for valid headers

lib/internal/http2/compat.js

@@ -46,7 +46,13 @@ const {
   hideStackFrames
 } = require('internal/errors');
 const { validateString } = require('internal/validators');
-const { kSocket, kRequest, kProxySocket } = require('internal/http2/util');
+const {
+  kSocket,
+  kRequest,
+  kProxySocket,
+  assertValidPseudoHeader
+} = require('internal/http2/util');
+const { _checkIsHttpToken: checkIsHttpToken } = require('_http_common');
 
 const kBeginSend = Symbol('begin-send');
 const kState = Symbol('state');
@@ -586,6 +592,11 @@ class Http2ServerResponse extends Stream {
       return;
     }
 
+    if (name[0] === ':')
+      assertValidPseudoHeader(name);
+    else if (!checkIsHttpToken(name))
+      this.destroy(new ERR_INVALID_HTTP_TOKEN('Header name', name));
+
     this[kHeaders][name] = value;
   }
 

lib/internal/http2/core.js

@@ -35,7 +35,10 @@ const tls = require('tls');
 const { URL } = require('url');
 const { setImmediate } = require('timers');
 
-const { kIncomingMessage } = require('_http_common');
+const {
+  kIncomingMessage,
+  _checkIsHttpToken: checkIsHttpToken
+} = require('_http_common');
 const { kServerResponse } = require('_http_server');
 const JSStreamSocket = require('internal/js_stream_socket');
 
@@ -88,6 +91,7 @@ const {
     ERR_INVALID_ARG_TYPE,
     ERR_INVALID_CALLBACK,
     ERR_INVALID_CHAR,
+    ERR_INVALID_HTTP_TOKEN,
     ERR_INVALID_OPT_VALUE,
     ERR_OUT_OF_RANGE,
     ERR_SOCKET_CLOSED
@@ -108,6 +112,7 @@ const { onServerStream,
 
 const {
   assertIsObject,
+  assertValidPseudoHeader,
   assertValidPseudoHeaderResponse,
   assertValidPseudoHeaderTrailer,
   assertWithinRange,
@@ -1622,6 +1627,13 @@ class ClientHttp2Session extends Http2Session {
 
     this[kUpdateTimer]();
 
+    for (const i in headers) {
+      if (i[0] === ':') {
+        assertValidPseudoHeader(i);
+      } else if (i && !checkIsHttpToken(i))
+        this.destroy(new ERR_INVALID_HTTP_TOKEN('Header name', i));
+    }
+
     assertIsObject(headers, 'headers');
     assertIsObject(options, 'options');
 

lib/internal/http2/util.js

@@ -595,6 +595,7 @@ function sessionName(type) {
 
 module.exports = {
   assertIsObject,
+  assertValidPseudoHeader,
   assertValidPseudoHeaderResponse,
   assertValidPseudoHeaderTrailer,
   assertWithinRange,

test/parallel/test-http2-invalidheaderfields-client.js

@@ -0,0 +1,55 @@
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto) { common.skip('missing crypto'); }
+const assert = require('assert');
+const http2 = require('http2');
+
+const server1 = http2.createServer();
+
+server1.listen(0, common.mustCall(() => {
+  const session = http2.connect(`http://localhost:${server1.address().port}`);
+  // Check for req headers
+  session.request({ 'no underscore': 123 });
+  session.on('error', common.mustCall((e) => {
+    assert.strictEqual(e.code, 'ERR_INVALID_HTTP_TOKEN');
+    server1.close();
+  }));
+}));
+
+const server2 = http2.createServer(common.mustCall((req, res) => {
+  // check for setHeader
+  res.setHeader('x y z', 123);
+  res.end();
+}));
+
+server2.listen(0, common.mustCall(() => {
+  const session = http2.connect(`http://localhost:${server2.address().port}`);
+  const req = session.request();
+  req.on('error', common.mustCall((e) => {
+    assert.strictEqual(e.code, 'ERR_HTTP2_STREAM_ERROR');
+    session.close();
+    server2.close();
+  }));
+}));
+
+const server3 = http2.createServer(common.mustCall((req, res) => {
+  // check for writeHead
+  assert.throws(common.mustCall(() => {
+    res.writeHead(200, {
+      'an invalid header': 123
+    });
+  }), {
+    code: 'ERR_HTTP2_INVALID_STREAM'
+  });
+  res.end();
+}));
+
+server3.listen(0, common.mustCall(() => {
+  const session = http2.connect(`http://localhost:${server3.address().port}`);
+  const req = session.request();
+  req.on('error', common.mustCall((e) => {
+    assert.strictEqual(e.code, 'ERR_HTTP2_STREAM_ERROR');
+    server3.close();
+    session.close();
+  }));
+}));