Skip to content

Commit

Permalink
http: verify client method is a string
Browse files Browse the repository at this point in the history
Prior to this commit, it was possible to pass a truthy non-string
value as the HTTP method to the HTTP client, resulting in an
exception being thrown. This commit adds validation to the method.

PR-URL: nodejs#10111
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
  • Loading branch information
lucamaraschi authored and cjihrig committed Dec 8, 2016
1 parent 6967ed4 commit df39784
Show file tree
Hide file tree
Showing 2 changed files with 45 additions and 1 deletion.
6 changes: 5 additions & 1 deletion lib/_http_client.js
Original file line number Diff line number Diff line change
Expand Up @@ -68,7 +68,11 @@ function ClientRequest(options, cb) {
self.socketPath = options.socketPath;
self.timeout = options.timeout;

var method = self.method = (options.method || 'GET').toUpperCase();
var method = options.method;
if (method != null && typeof method !== 'string') {
throw new TypeError('Method must be a string');
}
method = self.method = (method || 'GET').toUpperCase();
if (!common._checkIsHttpToken(method)) {
throw new TypeError('Method must be a valid HTTP token');
}
Expand Down
40 changes: 40 additions & 0 deletions test/parallel/test-http-client-check-http-token.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
'use strict';
const common = require('../common');
const assert = require('assert');
const http = require('http');

const expectedSuccesses = [undefined, null, 'GET', 'post'];
let requestCount = 0;

const server = http.createServer((req, res) => {
requestCount++;
res.end();

if (expectedSuccesses.length === requestCount) {
server.close();
}
}).listen(0, test);

function test() {
function fail(input) {
assert.throws(() => {
http.request({ method: input, path: '/' }, common.fail);
}, /^TypeError: Method must be a string$/);
}

fail(-1);
fail(1);
fail(0);
fail({});
fail(true);
fail(false);
fail([]);

function ok(method) {
http.request({ method: method, port: server.address().port }).end();
}

expectedSuccesses.forEach((method) => {
ok(method);
});
}

0 comments on commit df39784

Please sign in to comment.