http: disallow sending obviously invalid status codes

PR-URL: https://github.com/nodejs/node/pull/6291 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com> Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
2016-04-19 20:49:45 -04:00 · 2016-04-19 20:49:45 -04:00 · 7e9b0dd694
commit 7e9b0dd694
parent 0800c0aa72
2 changed files with 96 additions and 0 deletions
--- a/lib/_http_server.js
+++ b/lib/_http_server.js
@ -187,6 +187,10 @@ ServerResponse.prototype.writeHead = function(statusCode, reason, obj) {
    headers = obj;
  }

+  statusCode |= 0;
+  if (statusCode < 100 || statusCode > 999)
+    throw new RangeError(`Invalid status code: ${statusCode}`);
+
  var statusLine = 'HTTP/1.1 ' + statusCode.toString() + ' ' +
                   this.statusMessage + CRLF;

--- a/test/parallel/test-http-response-statuscode.js
+++ b/test/parallel/test-http-response-statuscode.js
@ -0,0 +1,92 @@
+'use strict';
+const common = require('../common');
+const assert = require('assert');
+const http = require('http');
+
+const MAX_REQUESTS = 12;
+var reqNum = 0;
+
+const server = http.Server(common.mustCall(function(req, res) {
+  switch (reqNum) {
+    case 0:
+      assert.throws(common.mustCall(() => {
+        res.writeHead(-1);
+      }, /invalid status code/i));
+      break;
+    case 1:
+      assert.throws(common.mustCall(() => {
+        res.writeHead(Infinity);
+      }, /invalid status code/i));
+      break;
+    case 2:
+      assert.throws(common.mustCall(() => {
+        res.writeHead(NaN);
+      }, /invalid status code/i));
+      break;
+    case 3:
+      assert.throws(common.mustCall(() => {
+        res.writeHead({});
+      }, /invalid status code/i));
+      break;
+    case 4:
+      assert.throws(common.mustCall(() => {
+        res.writeHead(99);
+      }, /invalid status code/i));
+      break;
+    case 5:
+      assert.throws(common.mustCall(() => {
+        res.writeHead(1000);
+      }, /invalid status code/i));
+      break;
+    case 6:
+      assert.throws(common.mustCall(() => {
+        res.writeHead('1000');
+      }, /invalid status code/i));
+      break;
+    case 7:
+      assert.throws(common.mustCall(() => {
+        res.writeHead(null);
+      }, /invalid status code/i));
+      break;
+    case 8:
+      assert.throws(common.mustCall(() => {
+        res.writeHead(true);
+      }, /invalid status code/i));
+      break;
+    case 9:
+      assert.throws(common.mustCall(() => {
+        res.writeHead([]);
+      }, /invalid status code/i));
+      break;
+    case 10:
+      assert.throws(common.mustCall(() => {
+        res.writeHead('this is not valid');
+      }, /invalid status code/i));
+      break;
+    case 11:
+      assert.throws(common.mustCall(() => {
+        res.writeHead('404 this is not valid either');
+      }, /invalid status code/i));
+      this.close();
+      break;
+    default:
+      throw new Error('Unexpected request');
+  }
+  res.statusCode = 200;
+  res.end();
+}, MAX_REQUESTS));
+server.listen();
+
+server.on('listening', function makeRequest() {
+  http.get({
+    port: this.address().port
+  }, (res) => {
+    assert.strictEqual(res.statusCode, 200);
+    res.on('end', () => {
+      if (++reqNum < MAX_REQUESTS)
+        makeRequest.call(this);
+    });
+    res.resume();
+  });
+});
+