http: validate non-link headers in writeEarlyHints#62017
Open
mcollina wants to merge 1 commit into nodejs:main from
Pull request overview
This PR hardens writeEarlyHints() by validating non-link headers (names + values) before emitting 103 Early Hints, aligning behavior with other header-writing code paths across the HTTP stack.
Changes:
- Add validateHeaderName()/validateHeaderValue() checks for non-link early hints in the HTTP/1.1 server response path.
- Add assertValidHeader() checks for non-link early hints in the HTTP/2 compat server response path.
- Add/extend parallel tests covering invalid early-hints header name/value handling for HTTP/1.1 and HTTP/2.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| lib/_http_server.js | Validates non-link early-hints header names/values before writing the 103 response. |
| lib/internal/http2/compat.js | Validates non-link early-hints headers in the HTTP/2 compat layer before sending informational headers. |
| test/parallel/test-http-early-hints-invalid-argument.js | Adds assertions for invalid early-hints header names and CRLF in values (HTTP/1.1). |
| test/parallel/test-http2-compat-write-early-hints-invalid-header.js | Adds assertions for invalid early-hints header names and invalid values (HTTP/2 compat). |
Validate header names and values for non-link hints passed to writeEarlyHints() using validateHeaderName/validateHeaderValue, consistent with all other header-writing paths in the HTTP stack. Previously, only the `link` hint was validated via validateLinkHeaderValue(), while all other hints were concatenated directly into the response without any character validation. Also add assertValidHeader() to the HTTP/2 compat layer for defense in depth.
Codecov Report ❌ Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## main #62017 +/- ##
==========================================
- Coverage 89.74% 89.73% -0.01%
==========================================
Files 676 676
Lines 206070 206077 +7
Branches 39517 39523 +6
==========================================
- Hits 184928 184921 -7
- Misses 13300 13310 +10
- Partials 7842 7846 +4
lpinca (Member) approved these changes, Feb 27, 2026
semver-major?
Summary
- Validate header names and values for non-link hints passed to writeEarlyHints() using validateHeaderName/validateHeaderValue, consistent with all other header-writing paths in the HTTP stack
- Add assertValidHeader() to the HTTP/2 compat layer for defense in depth

Previously, only the link hint was validated via validateLinkHeaderValue(), while all other hints were concatenated directly into the response without any character validation.

Test plan
- test/parallel/test-http-early-hints-invalid-argument.js — validates ERR_INVALID_HTTP_TOKEN for bad header names and ERR_INVALID_CHAR for CRLF in values
- test/parallel/test-http2-compat-write-early-hints-invalid-header.js — validates ERR_INVALID_HTTP_TOKEN for bad header names and ERR_HTTP2_INVALID_HEADER_VALUE for bad values