fixup! http,https: add built-in proxy support in http/https.request and Agent

Author: joyeecheung

doc/api/errors.md

@@ -2489,6 +2489,12 @@ Accessing `Object.prototype.__proto__` has been forbidden using
 [`Object.setPrototypeOf`][] should be used to get and set the prototype of an
 object.
 
+<a id="ERR_PROXY_INVALID_CONFIG"></a>
+
+### `ERR_PROXY_INVALID_CONFIG`
+
+Failed to proxy a request because the proxy configuration is invalid.
+
 <a id="ERR_PROXY_TUNNEL"></a>
 
 ### `ERR_PROXY_TUNNEL`

lib/internal/errors.js

@@ -1670,6 +1670,7 @@ E('ERR_PERFORMANCE_INVALID_TIMESTAMP',
   '%d is not a valid timestamp', TypeError);
 E('ERR_PERFORMANCE_MEASURE_INVALID_OPTIONS', '%s', TypeError);
 E('ERR_PROXY_TUNNEL', '%s', Error);
+E('ERR_PROXY_INVALID_CONFIG', '%s', Error);
 E('ERR_QUIC_APPLICATION_ERROR', 'A QUIC application error occurred. %d [%s]', Error);
 E('ERR_QUIC_CONNECTION_FAILED', 'QUIC connection failed', Error);
 E('ERR_QUIC_ENDPOINT_CLOSED', 'QUIC endpoint closed: %s (%d)', Error);

lib/internal/http.js

@@ -17,6 +17,7 @@ const {
 const { URL } = require('internal/url');
 const { Buffer } = require('buffer');
 const { isIPv4 } = require('internal/net');
+const { ERR_PROXY_INVALID_CONFIG } = require('internal/errors').codes;
 let utcCache;
 
 function utcDate() {
@@ -185,13 +186,18 @@ function parseProxyConfigFromEnv(env, protocol, keepAlive) {
     return null;
   }
   // Get the proxy url - following the most popular convention, lower case takes precedence.
+  // See https://about.gitlab.com/blog/we-need-to-talk-no-proxy/#http_proxy-and-https_proxy
   const proxyUrl = (protocol === 'https:') ?
     (env.https_proxy || env.HTTPS_PROXY) : (env.http_proxy || env.HTTP_PROXY);
   // No proxy settings from the environment, ignore.
   if (!proxyUrl) {
     return null;
   }
 
+  if (proxyUrl.includes('\r') || proxyUrl.includes('\n')) {
+    throw new ERR_PROXY_INVALID_CONFIG(`Invalid proxy URL: ${proxyUrl}`);
+  }
+
   // Only http:// and https:// proxies are supported.
   // Ignore instead of throw, in case other protocols are supposed to be
   // handled by the user land.

test/client-proxy/test-http-proxy-request-invalid-credentials.mjs

@@ -0,0 +1,48 @@
+// This tests that proxy URLs with invalid credentials (containing \r or \n characters)
+// are rejected with an appropriate error.
+import assert from 'node:assert';
+import http from 'node:http';
+
+const testCases = [
+  {
+    name: 'carriage return in username',
+    proxyUrl: 'http://user\r:pass@proxy.example.com:8080',
+    expectedError: { code: 'ERR_PROXY_INVALID_CONFIG', message: /Invalid proxy URL/ },
+  },
+  {
+    name: 'newline in username',
+    proxyUrl: 'http://user\n:pass@proxy.example.com:8080',
+    expectedError: { code: 'ERR_PROXY_INVALID_CONFIG', message: /Invalid proxy URL/ },
+  },
+  {
+    name: 'carriage return in password',
+    proxyUrl: 'http://user:pass\r@proxy.example.com:8080',
+    expectedError: { code: 'ERR_PROXY_INVALID_CONFIG', message: /Invalid proxy URL/ },
+  },
+  {
+    name: 'newline in password',
+    proxyUrl: 'http://user:pass\n@proxy.example.com:8080',
+    expectedError: { code: 'ERR_PROXY_INVALID_CONFIG', message: /Invalid proxy URL/ },
+  },
+  {
+    name: 'CRLF injection attempt in username',
+    proxyUrl: 'http://user\r\nHost: example.com:pass@proxy.example.com:8080',
+    expectedError: { code: 'ERR_PROXY_INVALID_CONFIG', message: /Invalid proxy URL/ },
+  },
+  {
+    name: 'CRLF injection attempt in password',
+    proxyUrl: 'http://user:pass\r\nHost: example.com@proxy.example.com:8080',
+    expectedError: { code: 'ERR_PROXY_INVALID_CONFIG', message: /Invalid proxy URL/ },
+  },
+];
+
+for (const testCase of testCases) {
+  // Test that creating an agent with invalid proxy credentials throws an error
+  assert.throws(() => {
+    new http.Agent({
+      proxyEnv: {
+        HTTP_PROXY: testCase.proxyUrl,
+      },
+    });
+  }, testCase.expectedError);
+}

test/client-proxy/test-https-proxy-request-invalid-credentials.mjs

@@ -0,0 +1,53 @@
+// This tests that HTTPS proxy URLs with invalid credentials (containing \r or \n characters)
+// are rejected with an appropriate error.
+import * as common from '../common/index.mjs';
+import assert from 'node:assert';
+import https from 'node:https';
+
+if (!common.hasCrypto) {
+  common.skip('missing crypto');
+}
+
+const testCases = [
+  {
+    name: 'carriage return in username (HTTPS)',
+    proxyUrl: 'https://user\r:pass@proxy.example.com:8080',
+    expectedError: { code: 'ERR_PROXY_INVALID_CONFIG', message: /Invalid proxy URL/ },
+  },
+  {
+    name: 'newline in username (HTTPS)',
+    proxyUrl: 'https://user\n:pass@proxy.example.com:8080',
+    expectedError: { code: 'ERR_PROXY_INVALID_CONFIG', message: /Invalid proxy URL/ },
+  },
+  {
+    name: 'carriage return in password (HTTPS)',
+    proxyUrl: 'https://user:pass\r@proxy.example.com:8080',
+    expectedError: { code: 'ERR_PROXY_INVALID_CONFIG', message: /Invalid proxy URL/ },
+  },
+  {
+    name: 'newline in password (HTTPS)',
+    proxyUrl: 'https://user:pass\n@proxy.example.com:8080',
+    expectedError: { code: 'ERR_PROXY_INVALID_CONFIG', message: /Invalid proxy URL/ },
+  },
+  {
+    name: 'CRLF injection attempt in username (HTTPS)',
+    proxyUrl: 'https://user\r\nHost: example.com:pass@proxy.example.com:8080',
+    expectedError: { code: 'ERR_PROXY_INVALID_CONFIG', message: /Invalid proxy URL/ },
+  },
+  {
+    name: 'CRLF injection attempt in password (HTTPS)',
+    proxyUrl: 'https://user:pass\r\nHost: example.com@proxy.example.com:8080',
+    expectedError: { code: 'ERR_PROXY_INVALID_CONFIG', message: /Invalid proxy URL/ },
+  },
+];
+
+for (const testCase of testCases) {
+  // Test that creating an agent with invalid proxy credentials throws an error
+  assert.throws(() => {
+    new https.Agent({
+      proxyEnv: {
+        HTTPS_PROXY: testCase.proxyUrl,
+      },
+    });
+  }, testCase.expectedError);
+}