http: create an option for setting a maximum size for uri parsing

caiolrm · caiolrm · commit 45fa65249ed5 · 2019-03-10T17:52:41.000-03:00
The http server wasn't able to tell exactly what caused an HPE_HEADER_OVERFLOW, meaning it would yield a 431 error even if what caused it was the request URI being too long. This adds a limit to the URI sizes through a new option called max-http-uri-size, which will be checked against the actual URIs after on_url callback at the node_http_parser_impl file. Fixes: #26296 Refs: expressjs/express#3898
diff --git a/doc/api/http.md b/doc/api/http.md
@@ -1959,6 +1959,17 @@ added: v11.6.0
 Read-only property specifying the maximum allowed size of HTTP headers in bytes.
 Defaults to 8KB. Configurable using the [`--max-http-header-size`][] CLI option.
 
+## http.maxUriSize
+<!-- YAML
+added: v12.0.0
+-->
+
+* {number}
+
+Read-only property specifying the maximum allowed size of HTTP request uri
+in bytes. Defaults to 7KB. Configurable using the
+[`--max-http-uri-size`][] CLI option.
+
 ## http.request(options[, callback])
 ## http.request(url[, options][, callback])
 <!-- YAML
diff --git a/lib/_http_server.js b/lib/_http_server.js
@@ -509,6 +509,10 @@ const badRequestResponse = Buffer.from(
   `HTTP/1.1 400 ${STATUS_CODES[400]}${CRLF}` +
   `Connection: close${CRLF}${CRLF}`, 'ascii'
 );
+const uriTooLongResponse = Buffer.from(
+  `HTTP/1.1 414 ${STATUS_CODES[414]}${CRLF}` +
+  `Connection: close${CRLF}${CRLF}`, 'ascii'
+);
 const requestHeaderFieldsTooLargeResponse = Buffer.from(
   `HTTP/1.1 431 ${STATUS_CODES[431]}${CRLF}` +
   `Connection: close${CRLF}${CRLF}`, 'ascii'
@@ -520,9 +524,16 @@ function socketOnError(e) {
 
   if (!this.server.emit('clientError', e, this)) {
     if (this.writable) {
-      const response = e.code === 'HPE_HEADER_OVERFLOW' ?
-        requestHeaderFieldsTooLargeResponse : badRequestResponse;
-      this.write(response);
+      switch (e.code) {
+        case 'HPE_URI_OVERFLOW':
+          this.write(uriTooLongResponse);
+          break;
+        case 'HPE_HEADER_OVERFLOW':
+          this.write(requestHeaderFieldsTooLargeResponse);
+          break;
+        default:
+          this.write(badRequestResponse);
+      }
     }
     this.destroy(e);
   }
diff --git a/lib/http.js b/lib/http.js
@@ -33,6 +33,7 @@ const {
   ServerResponse
 } = require('_http_server');
 let maxHeaderSize;
+let maxUriSize;
 
 function createServer(opts, requestListener) {
   return new Server(opts, requestListener);
@@ -76,6 +77,19 @@ Object.defineProperty(module.exports, 'maxHeaderSize', {
   }
 });
 
+Object.defineProperty(module.exports, 'maxUriSize', {
+  configurable: true,
+  enumerable: true,
+  get() {
+    if (maxUriSize === undefined) {
+      const { getOptionValue } = require('internal/options');
+      maxUriSize = getOptionValue('--max-http-uri-size');
+    }
+
+    return maxUriSize;
+  }
+});
+
 Object.defineProperty(module.exports, 'globalAgent', {
   configurable: true,
   enumerable: true,
diff --git a/src/node_http_parser_impl.h b/src/node_http_parser_impl.h
@@ -180,7 +180,7 @@ class Parser : public AsyncWrap, public StreamListener {
 
 
   int on_url(const char* at, size_t length) {
-    int rv = TrackHeader(length);
+    int rv = TrackHeader(length, before_headers);
     if (rv != 0) {
       return rv;
     }
@@ -825,11 +825,20 @@ class Parser : public AsyncWrap, public StreamListener {
     got_exception_ = false;
   }
 
-
-  int TrackHeader(size_t len) {
+  enum tracking_position {
+    before_headers,
+    after_request_line
+  };
+  int TrackHeader(size_t len, enum tracking_position pos = after_request_line) {
 #ifdef NODE_EXPERIMENTAL_HTTP
     header_nread_ += len;
-    if (header_nread_ >= per_process::cli_options->max_http_header_size) {
+    if (pos == before_headers &&
+        header_nread_ >= per_process::cli_options->max_http_uri_size) {
+      llhttp_set_error_reason(&parser_,
+                              "HPE_URI_OVERFLOW:URI overflow");
+      return HPE_USER;
+    } else if (pos == after_request_line &&
+        header_nread_ >= per_process::cli_options->max_http_header_size) {
       llhttp_set_error_reason(&parser_, "HPE_HEADER_OVERFLOW:Header overflow");
       return HPE_USER;
     }
diff --git a/src/node_options.cc b/src/node_options.cc
@@ -426,6 +426,10 @@ PerProcessOptionsParser::PerProcessOptionsParser(
             "set the maximum size of HTTP headers (default: 8KB)",
             &PerProcessOptions::max_http_header_size,
             kAllowedInEnvironment);
+  AddOption("--max-http-uri-size",
+            "set the maximum size of HTTP request uri (default: 7KB)",
+            &PerProcessOptions::max_http_uri_size,
+            kAllowedInEnvironment);
   AddOption("--v8-pool-size",
             "set V8's thread pool size",
             &PerProcessOptions::v8_thread_pool_size,
diff --git a/src/node_options.h b/src/node_options.h
@@ -157,6 +157,7 @@ class PerProcessOptions : public Options {
   std::string trace_event_categories;
   std::string trace_event_file_pattern = "node_trace.${rotation}.log";
   uint64_t max_http_header_size = 8 * 1024;
+  uint64_t max_http_uri_size = 7 * 1024;
   int64_t v8_thread_pool_size = 4;
   bool zero_fill_all_buffers = false;
   bool debug_arraybuffer_allocations = false;
diff --git a/test/parallel/test-http-uri-overflow.js b/test/parallel/test-http-uri-overflow.js
@@ -0,0 +1,46 @@
+'use strict';
+const assert = require('assert');
+const { createServer, maxUriSize } = require('http');
+const { createConnection } = require('net');
+const { expectsError, mustCall } = require('../common');
+
+const CRLF = '\r\n';
+const REQUEST_METHOD_AND_SPACE = 'GET ';
+const DUMMY_URI = '/' + 'a'.repeat(
+  maxUriSize
+); // the slash makes it just 1 byte too long
+
+const PAYLOAD = REQUEST_METHOD_AND_SPACE + DUMMY_URI + CRLF;
+
+const server = createServer();
+
+server.on('connection', mustCall((socket) => {
+  socket.on('error', expectsError({
+    type: Error,
+    message: 'Parse Error',
+    code: 'HPE_URI_OVERFLOW',
+    bytesParsed: REQUEST_METHOD_AND_SPACE.length + DUMMY_URI.length,
+    rawPacket: Buffer.from(PAYLOAD)
+  }));
+}));
+
+server.listen(0, mustCall(() => {
+  const c = createConnection(server.address().port);
+  let received = '';
+
+  c.on('connect', mustCall(() => {
+    c.write(PAYLOAD);
+  }));
+  c.on('data', mustCall((data) => {
+    received += data.toString();
+  }));
+  c.on('end', mustCall(() => {
+    assert.strictEqual(
+      received,
+      'HTTP/1.1 414 URI Too Long\r\n' +
+      'Connection: close\r\n\r\n'
+    );
+    c.end();
+  }));
+  c.on('close', mustCall(() => server.close()));
+}));
