http: fix validation of "Link" header #46466
Conversation
I updated the commit message and changed the string from backticks to single quotes with escapes to pass linting. Thanks for the help! |
|
Can you also add a test? |
anonrig
added
request-ci
anonrig
added
the
author ready
github-actions
bot
removed
the
request-ci
github-actions
bot
removed
the
request-ci
| (not necessarily a valid URI reference) followed by zero or more | ||
| link-params separated by semicolons. | ||
| */ | ||
| const linkValueRegExp = /^(?:<[^>]*>)(?:\s*;\s*[^;"\s]+(?:=(")?[^;"\s]*\1)?)*$/; |
There was a problem hiding this comment.
It probably does not matter as the header is sent by the server but this regex is vulnerable to ReDoS.
There was a problem hiding this comment.
FWIW the original is also vulnerable.
There was a problem hiding this comment.
I'm not questioning your point, I'm asking as I want to learn on this matter:
- How do you know?
- How can we fix it?
There was a problem hiding this comment.
- How do you know?
https://github.com/makenowjust-labs/recheck
- How can we fix it?
Usually it is possible to tweak the regex. I'm not sure if it is possible in this case. I did not spend time on it. The input is "trusted" so I think it does not worth the effort.
There was a problem hiding this comment.
Thanks for reference.
I also think it's not worth the effort. Shall we just insert a comment for future knowledge?
There was a problem hiding this comment.
The input is "trusted" so I think it does not worth the effort.
I'd be concerned that we'd start leveraging this at a future time for something and expose it to end users. There should at least be a comment, IMO.
There was a problem hiding this comment.
(To be 100% clear: If we're certain that this is not something that will accept user input, yeah, we don't need to fix it. But let's add a comment explaining.)
There was a problem hiding this comment.
This regex (and the existing one) will fail to do the right thing if a quotation mark is backslash-escaped inside the string, right? (I only skimmed the spec so I apologize if I'm wrong!) Are we doing the whole "using a regexp when a parsing algorithm is what is needed" thing? (This is a question, but not a blocking objection or anything. The current regexp would have the same issue if this one has that issue.)
There was a problem hiding this comment.
You could have a for loop that loops backward from the string examining each character. That might actually be more performant than a regex.
It could also start from the beginning of the string, but yes, I think that it would be better.
There was a problem hiding this comment.
We can add a TODO comment and do this in a follow-up PR.
|
@nodejs/build could you take a look? This seems an odd failure: https://ci.nodejs.org/job/node-test-commit/59852/console |
11:18:44 + git rev-parse origin/main
11:18:44 + REBASE_ONTO=96c720e98f4ea80103a9d240ae8072190a226729
11:18:44 + git rebase --committer-date-is-author-date 96c720e98f4ea80103a9d240ae8072190a226729
11:18:45 Rebasing (1/6)
Auto-merging lib/internal/validators.js
11:18:45 CONFLICT (content): Merge conflict in lib/internal/validators.js
11:18:45 error: could not apply 2e6e618a56b... http: fix validation of "Link" headerIt has failed to rebase this PR onto |
|
@SRHerzog could you review? |
Updated regex for "Link" header validation to better match the specification in RFC 8288 section 3. Does not check for valid URI format but handles the rest of the header more permissively than before. Alternative to another outstanding PR that disables validation entirely. Fixes: nodejs#46453 Refs: https://www.rfc-editor.org/rfc/rfc8288.html#section-3 Refs: nodejs#46464
|
There was a new comma in |
github-actions
bot
removed
the
request-ci
mcollina
added
commit-queue
nodejs-github-bot
removed
the
commit-queue
|
Landed in d0531eb |
Updated regex for "Link" header validation to better match the specification in RFC 8288 section 3. Does not check for valid URI format but handles the rest of the header more permissively than before. Alternative to another outstanding PR that disables validation entirely. Fixes: #46453 Refs: https://www.rfc-editor.org/rfc/rfc8288.html#section-3 Refs: #46464 PR-URL: #46466 Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Paolo Insogna <paolo@cowtech.it> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Updated regex for "Link" header validation to better match the specification in RFC 8288 section 3. Does not check for valid URI format but handles the rest of the header more permissively than before. Alternative to another outstanding PR that disables validation entirely. Fixes: #46453 Refs: https://www.rfc-editor.org/rfc/rfc8288.html#section-3 Refs: #46464 PR-URL: #46466 Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Paolo Insogna <paolo@cowtech.it> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Updated regex for "Link" header validation to better match the
specification in RFC 8288 section 3. Does not check for valid URI
format but handles the rest of the header more permissively than
before. Alternative to another outstanding PR that disables validation
entirely.
Fixes: #46453
Refs: https://www.rfc-editor.org/rfc/rfc8288.html#section-3
Refs: #46464