nodejs / http-parser

http request/response parser for c
MIT License

Parse Error: Invalid header value char #520

Closed gc closed 4 years ago

gc commented 4 years ago

const fetch = require('node-fetch');

fetch('https://secure.runescape.com/m=hiscore_oldschool/index_lite.ws?player=magnaboy');

Fails with this error:

 FetchError: request to https://secure.runescape.com/m=hiscore_oldschool/index_lite.ws?player=magnaboy failed, reason: Parse Error: Invalid header value char
     at ClientRequest.<anonymous> (C:\project\node_modules\node-fetch\lib\index.js:1455:11)
     at ClientRequest.emit (events.js:315:20)
     at TLSSocket.socketOnData (_http_client.js:514:9)
     at TLSSocket.emit (events.js:315:20)
     at addChunk (_stream_readable.js:302:12)
     at readableAddChunk (_stream_readable.js:278:9)
     at TLSSocket.Readable.push (_stream_readable.js:217:10)
     at TLSWrap.onStreamRead (internal/stream_base_commons.js:186:23)

I tried to call this API with the exact same headers in other programming languages, in curl, wget and in all browsers - and it works in everything except nodejs, that I can find. Is it possible anyone can shed some light on this and if it's possibly a problem in nodejs?

I've exhausted the depth of my ability to debug this error, and don't know how I should proceed. I reported it to the website owners but it doesn't seem practical or any priority at all for them to fix the root cause of whichever http header causes this.

bnoordhuis commented 4 years ago

The offending header, formatted with xxd:

00000b5e: 4d61 782d 4167 653d 3930 300d 0a3c 2053 6574 2d43 6f6f 6b69 653a 205f 5f5f  Max-Age=900..< Set-Cookie: ___
00000b7c: 7574 6d76 624b 5075 6d4c 4d4f 5a3d 415a 7a0d 0a3c 2020 2020 2058 4b70 4f4b  utmvbKPumLMOZ=AZz..<     XKpOK
00000b9a: 616c 473a 2059 7468 3b20 7061 7468 3d2f 3b20 4d61 782d 4167 653d 3930 300d  alG: Yth; path=/; Max-Age=900.
00000bb8: 0a3c 2058 2d43 444e 3a20 496e 6361 7073 756c 610d 0a3c 2054 7261 6e73 6665  .< X-CDN: Incapsula..< Transfe

The header on the last line starts with < X-CDN: and that's simply illegal; http-parser is right to reject it.

Other parsers may be more lenient but that's on them. Trying to make something meaningful out of garbage is a recipe for security issues.

furkanmustafa commented 2 years ago

Sorry for necromancing the conversation, we're hitting a similar issue.

But, @bnoordhuis, are you sure that output (you've formatted with xxd) is not curl's verbose output? Curl displays server response prefixed with < just for display purposes.
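
Added example (not part of the thread and not http-parser's own code): a strict per-line check written from the RFC 7230 field-name and field-value grammar, applied to header lines transcribed from the dump above, both as dumped and with the leading `< ` removed. The function names and the last sample line are constructed for illustration.

```javascript
// Added example: strict header-line check based on the RFC 7230 grammar.
// Not http-parser's implementation; function names are hypothetical.

// field-name = token = 1*tchar
const TCHAR = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Returns the index of the first byte not allowed in a field value
// (allowed: HTAB, SP, VCHAR 0x21-0x7E, obs-text 0x80-0xFF), or -1.
function firstBadValueByte(value) {
  for (let i = 0; i < value.length; i++) {
    const c = value[i];
    const ok = c === 0x09 || (c >= 0x20 && c <= 0x7e) || c >= 0x80;
    if (!ok) return i;
  }
  return -1;
}

// Classify one header line (CRLF already removed) given as a Buffer.
function checkHeaderLine(line) {
  if (line.length === 0) return { ok: false, reason: 'empty line' };
  if (line[0] === 0x20 || line[0] === 0x09) {
    // Leading whitespace marks an obs-fold continuation of the previous
    // field (deprecated by RFC 7230); flagged here rather than unfolded.
    return { ok: false, reason: 'obs-fold continuation' };
  }
  const colon = line.indexOf(0x3a);
  if (colon <= 0) return { ok: false, reason: 'missing field name' };
  const name = line.subarray(0, colon).toString('latin1');
  if (!TCHAR.test(name)) return { ok: false, reason: 'invalid field name' };
  const bad = firstBadValueByte(line.subarray(colon + 1));
  if (bad !== -1) return { ok: false, reason: 'invalid header value char' };
  return { ok: true, reason: 'valid' };
}

// Lines transcribed from the dump in this thread, plus one constructed line.
const samples = [
  '< X-CDN: Incapsula',                     // as dumped
  'X-CDN: Incapsula',                       // "< " removed
  '    XKpOKalG: Yth; path=/; Max-Age=900', // "< " removed
  'X-Test: a\rb',                           // constructed: bare CR in value
];

function classifyAll(lines) {
  return lines.map((l) => checkHeaderLine(Buffer.from(l, 'latin1')).reason);
}

console.log(classifyAll(samples));
```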