'use strict'
const { tspl } = require('@matteo.collina/tspl')
const { test, after } = require('node:test')
const { once } = require('node:events')
const { Client } = require('..')
const { createServer } = require('node:http')
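// Regression test for header injection through the `host` request header:
// a value containing CR/LF is expected to be rejected by the client with
// UND_ERR_INVALID_ARG rather than accepted as a header value.
test('CRLF Injection in Nodejs ‘undici’ via host', async (t) => {
  t = tspl(t, { plan: 1 })

  // Minimal local server; it only has to answer if a request ever reaches it.
  const server = createServer(async (req, res) => {
    res.end()
  })
  after(() => server.close())

  server.listen(0)
  await once(server, 'listening')

  const client = new Client(`http://localhost:${server.address().port}`)
  after(() => client.close())

  // Header value with an embedded CRLF CRLF followed by header-shaped text.
  // Written verbatim into a request, the blank line would end the header
  // block early, which is why the value must never be accepted.
  const unsanitizedHostInput = '12 \r\n\r\naaa:aaa'

  let requestError
  try {
    const { body } = await client.request({
      path: '/',
      method: 'POST',
      headers: {
        'content-type': 'application/json',
        host: unsanitizedHostInput
      },
      body: 'asd'
    })
    await body.dump()
  } catch (err) {
    requestError = err
  }

  // Assert outside the catch block: if the request is accepted, no error is
  // captured and this fails immediately. With the assertion inside `catch`,
  // an accepted request would leave the plan of 1 unmet and the test would
  // wait on `t.completed` instead of reporting the regression.
  t.strictEqual(requestError?.code, 'UND_ERR_INVALID_ARG')

  await t.completed
})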