search

hapijs / hapi

The Simple, Secure Framework Developers Trust
https://hapi.dev
Other
14.63k stars 1.34k forks source link

The application crashes when setting an invalid cookie value #4527

Open Hydrock opened 2 months ago

Hydrock commented 2 months ago

Runtime

node.js

Runtime version

v18.20.0 / LTS

Module version

21.3.2

Last module version without issue

No response

Used with

No response

Any other relevant information

When the server tries to set an invalid cookie value, the server crashes with an error:

node:_http_outgoing:662
  validateHeaderValue(name, value);
  ^

TypeError [ERR_INVALID_CHAR]: Invalid character in header content ["set-cookie"]
    at ServerResponse.setHeader (node:_http_outgoing:662:3)
    at internals.writeHead (/project/workspace/node_modules/@hapi/hapi/lib/transmit.js:336:21)
    at internals.transmit (/project/workspace/node_modules/@hapi/hapi/lib/transmit.js:104:15)
    at internals.fail (/project/workspace/node_modules/@hapi/hapi/lib/transmit.js:68:22)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async Request._reply (/project/workspace/node_modules/@hapi/hapi/lib/request.js:456:9) {
  code: 'ERR_INVALID_CHAR',
  isBoom: true,
  isServer: true,
  data: null,
  output: {
    statusCode: 500,
    payload: {
      statusCode: 500,
      error: 'Internal Server Error',
      message: 'An internal server error occurred'
    },
    headers: {}
  }
}

Slack chat discussion: https://hapihour.slack.com/archives/C6CEEUE06/p1724861065721169

Problem example: https://codesandbox.io/p/devbox/hapi-cookie-test-forked-t2g89w?workspaceId=6ecda139-50d1-4062-98aa-206f54ef133e

What are you trying to achieve or the steps to reproduce?

Problem example: https://codesandbox.io/p/devbox/hapi-cookie-test-forked-t2g89w?workspaceId=6ecda139-50d1-4062-98aa-206f54ef133e

Just start the server at the address "/" and you will immediately see the server crash. This is because of the line:

// INVALID cookie
.state("cookieName2", "тест");

in slack's chat, a user under the nickname "yoannma" wrote the following:

I think I found why node crash :
- hapi try to serialize the hapi.response header to node.response in writeHead (https://github.com/hapijs/hapi/blob/master/lib/transmit.js#L336)
- node throw an error because of the bad characters
- hapi catch it, remove the headers, throw a boomify error (https://github.com/hapijs/hapi/blob/master/lib/transmit.js#L345)
- hapi try to send the 500 response (https://github.com/hapijs/hapi/blob/master/lib/transmit.js#L33)
- hapi reuse response.request._route._marshalCycle which contains the set-cookie declaration (https://github.com/hapijs/hapi/blob/master/lib/transmit.js#L40)
- hapi try send the 500 response which end up throwing
- hapi does not catch it this time

What was the result you got?

From my example above, it is clear that when the server tries to set an invalid value as - node, js crashes

What result did you expect?

If the cookie value is invalid, I expect that the application and nodejs will not crash, but simply an error will be thrown.

Ideally, enable validation of the values as on the server when installing them.[](url)

kanongil commented 2 months ago

This is related to the crash in #4316, and my comment here https://github.com/hapijs/hapi/issues/4297#issuecomment-937824559.