Missing API docs for recent changes in HTTP module

[lirantal]

Updates to the HTTP module that landed in recent Node.js releases in an attempt to mitigate several CVEs may cause braking changes on users and teams which make use of large headers due to reasons such as bulk APIs that will employ a large string in the query param.

• Version: v6.15.0, v8.14.0, v10.14.0, v11.3.0.
• Subsystem: http

It seems that:

1. The current limitation of 8kb (instead of previously) 80kb is a hard limit and is not configurable.
2. There may be an escape hatch which is to re-compile node with a higher limit.

At the very least, I'm proposing to update the HTTP API docs with the above details to convey this information.

I will follow-up with a PR to the docs.

--

Reference: https://www.nearform.com/blog/protecting-node-js-from-uncontrolled-resource-consumption-headers-attacks

Related issues: #24692

[mcollina]

We picked 8KB as its the default of NGINX to protect from the same type of attack. Unfortunately making this configurable is not an easy feat, as it is a build-time configuration, unfortunately http_parser does this check via a macro. We deemed this as a good solution. I would suggest that if we want to make this a runtime configuration, a serious refactoring of http_parser is necessary. I would recommend this to happen in llhttp instead.

It is possible to change the max size by changing this define directive: HTTP_MAX_HEADER_SIZE=8192 in our gyp configs. See 1860352 for more details.
We should probably adding this settings into some docs. I'm sorry about not including this in the release.

[elmarx]

@mcollina thanks for the info.

Is there a way to set HTTP_MAX_HEADER_SIZE via the usual ./configure && make steps? Or does it require prior editing/patching of "deps/http_parser/http_parser.gyp"?

[mcollina]

@zauberpony I thought so, but after some investigation, it seem we need to add an option to ./configure. I'll see if I can prepare a PR asap.

[richardlau]

I think you could set the CFLAGS environment variable, e.g. CFLAGS=-DHTTP_MAX_HEADER_SIZE=10000 but I don't know what order gyp will put the arguments to the C compiler when combined with the definition in the http_parser gyp file.

[elmarx]

OK, for now I simply patched http_parser.gyp, which works (so no need to rush), but of course a flag or env-variable (I did not yet test @richardlau's suggestion) would be cleaner in the long run.

[Trott]

Fixed in 063e8fb