vms/rpcchainvm: ensure response code is valid (ava-labs#1437)

Author: hexfusion

vms/rpcchainvm/ghttp/gresponsewriter/writer_server.go

@@ -68,7 +68,7 @@ func (s *Server) WriteHeader(ctx context.Context, req *responsewriterpb.WriteHea
 	for _, header := range req.Headers {
 		headers[header.Key] = header.Values
 	}
-	s.writer.WriteHeader(int(req.StatusCode))
+	s.writer.WriteHeader(grpcutils.EnsureValidResponseCode(int(req.StatusCode)))
 	return &emptypb.Empty{}, nil
 }
 

vms/rpcchainvm/ghttp/http_client.go

@@ -217,7 +217,7 @@ func getHTTPSimpleRequest(r *http.Request) (*httppb.HandleSimpleHTTPRequest, err
 // convertWriteResponse converts a gRPC HandleSimpleHTTPResponse to an HTTP response.
 func convertWriteResponse(w http.ResponseWriter, resp *httppb.HandleSimpleHTTPResponse) error {
 	grpcutils.MergeHTTPHeader(resp.Headers, w.Header())
-	w.WriteHeader(int(resp.Code))
+	w.WriteHeader(grpcutils.EnsureValidResponseCode(int(resp.Code)))
 	_, err := w.Write(resp.Body)
 	return err
 }

vms/rpcchainvm/ghttp/http_test.go

@@ -0,0 +1,54 @@
+// Copyright (C) 2019-2021, Ava Labs, Inc. All rights reserved.
+// See the file LICENSE for licensing terms.
+
+package ghttp
+
+import (
+	"net/http/httptest"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+
+	httppb "github.com/ava-labs/avalanchego/proto/pb/http"
+)
+
+func Test_convertWriteResponse(t *testing.T) {
+	assert := assert.New(t)
+
+	scenerios := map[string]struct {
+		resp *httppb.HandleSimpleHTTPResponse
+	}{
+		"empty response": {
+			resp: &httppb.HandleSimpleHTTPResponse{},
+		},
+		"response header value empty": {
+			resp: &httppb.HandleSimpleHTTPResponse{
+				Code: 500,
+				Body: []byte("foo"),
+				Headers: []*httppb.Element{
+					{
+						Key: "foo",
+					},
+				},
+			},
+		},
+		"response header key empty": {
+			resp: &httppb.HandleSimpleHTTPResponse{
+				Code: 200,
+				Body: []byte("foo"),
+				Headers: []*httppb.Element{
+					{
+						Values: []string{"foo"},
+					},
+				},
+			},
+		},
+	}
+	for testName, scenerio := range scenerios {
+		t.Run(testName, func(t *testing.T) {
+			w := httptest.NewRecorder()
+			err := convertWriteResponse(w, scenerio.resp)
+			assert.NoError(err)
+		})
+	}
+}

vms/rpcchainvm/grpcutils/util.go

@@ -186,3 +186,13 @@ func TimestampAsTime(ts *tspb.Timestamp) (time.Time, error) {
 func TimestampFromTime(time time.Time) *tspb.Timestamp {
 	return tspb.New(time)
 }
+
+// EnsureValidResponseCode ensures that the response code is valid otherwise it returns 500.
+func EnsureValidResponseCode(code int) int {
+	// Response code outside of this range is invalid and could panic.
+	// ref. https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
+	if code < 100 || code > 599 {
+		return http.StatusInternalServerError
+	}
+	return code
+}