Node: Add maxHeadersCount support for http(s)2 server

Created on 20 Mar 2020  Â·  9Comments  Â·  Source: nodejs/node

Is your feature request related to a problem? Please describe.

In http(s)1, user can limit server.maxHeadersCount for server, to avoid malicious request (like hash collision attack), because normal headers wont be more than 20 in fact.

But in http(s)2, user has no chance to prevent parse that, even if user check request.rawHeaders.length/2>2000 && response.writeHead(400), the request.headers already been parsed.

Describe the solution you'd like

Add server.maxHeadersCount, just like http(s)1 did.

Describe alternatives you've considered

feature request http2
Source
picture LongTengDao
👍3

All 9 comments

Sounds good to me – maxHeaderSize could be added along with that. :+1:

addaleax picture addaleax on 20 Mar 2020
😄1

I found maxHeaderListPairs in docs accidentally. Are they same?

LongTengDao picture LongTengDao on 20 Mar 2020

@longtengdao Yeah, actually, that’s the same thing. It’s really unfortunate how the naming mismatches – I guess that means adding an alias makes sense here?

addaleax picture addaleax on 20 Mar 2020
👍1

I didn't found that, not only because the name, but also the way to set... one is property of instance, one is in creating options.

I guess that means adding an alias makes sense here?

I have no idea. Maybe deprecate server.maxHeadersCount in http1 to maxHeaderListPairs also works?

By the way, via reading the source, I found the effects of server.maxHeadersCount seems to prevent excessive request.headers assigning:

  // Propagate headers limit from server instance to parser
  if (typeof server.maxHeadersCount === 'number') {
    parser.maxHeaderPairs = server.maxHeadersCount << 1;
  }

  let n = headers.length;

  // If parser.maxHeaderPairs <= 0 assume that there's no limit.
  if (parser.maxHeaderPairs > 0)
    n = MathMin(n, parser.maxHeaderPairs);

  incoming._addHeaderLines(headers, n);

and prevent excessive request.rawHeaders pushing which depends on if the headers are recieved in two times or not:

function parserOnHeaders(headers, url) {
  // Once we exceeded headers limit - stop collecting them
  if (this.maxHeaderPairs <= 0 ||
      this._headers.length < this.maxHeaderPairs) {
    this._headers = this._headers.concat(headers);
  }
  this._url += url;
}

Does maxHeaderListPairs do exact same? I couldn't found more useful infomation by search in source.

LongTengDao picture LongTengDao on 20 Mar 2020

@LongTengDao You should read this PR #16676. And use git blame instead of global text search

Himself65 picture Himself65 on 24 Mar 2020
👍1

I read the source code these days.
And I found that http use maxHeadersCount, but http2 use maxHeaderListPairs, which they use the different C++ library and implement.
Unify them not easy work. 😟

Himself65 picture Himself65 on 25 Mar 2020
👍1

I've done this issue which adds aliases for http1/2 named maxHeadersCount and maxHeaderListPairs,
but I'm doubting that if we really need this kind of thing.
Adding the aliases will add the complexity of the code, that we have two option mange the one thing. Actually, I disapprove of this feature.
🤔

Himself65 picture Himself65 on 26 Mar 2020

I've done this issue which adds aliases for http1/2 named maxHeadersCount and maxHeaderListPairs,
but I'm doubting that if we really need this kind of thing.
Adding the aliases will add the complexity of the code, that we have two option mange the one thing. Actually, I disapprove of this feature.
🤔

Maybe just add explain in docs will resolve this (if we can't remove one of them, and just reserve anothor)?

LongTengDao picture LongTengDao on 27 Mar 2020

add doc is a good idea

Himself65 picture Himself65 on 27 Mar 2020
😄1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

addaleax picture addaleax  Â·  3Comments
sandeepks1 picture sandeepks1  Â·  3Comments
vsemozhetbyt picture vsemozhetbyt  Â·  3Comments
srl295 picture srl295  Â·  3Comments
seishun picture seishun  Â·  3Comments