nodejs/node

There appears to be a bug with the http2 header decoding

Open

#28,632 opened on Jul 11, 2019

View on GitHub
 (29 comments) (0 reactions) (0 assignees)JavaScript (117,218 stars) (35,535 forks)batch import
help wantedhttp2

Description

  • Version: 10.15.3
  • Platform: node: 10-alpine official docker image
  • Subsystem: http2

This comes from googleapis/nodejs-datastore#415. It looks like occasionally http2 headers objects are being provided from the http2 module with invalid and clearly incorrect header keys. For example, some bad headers objects look like these

[Object: null prototype] {
 ':status': 200,
 'content-disposition': 'attachment',
 'content-type': 'application/grpc',
 ' pø0': 'Wed, 10 Jul 2019 23:39:46 GMT',
 'alt-svc': 'quic=":443"; ma=2592000; v="46,43,39"'
}

[Object: null prototype] {
   ':status': 200,
   'content-disposition': 'attachment',
   'content-type': 'application/grpc',
   'A\u0000\u0000\u0000': 'Wed, 10 Jul 2019 22:37:34 GMT',
   'alt-svc': 'quic=":443"; ma=2592000; v="46,43,39"'
 }

[Object: null prototype] {
 ':status': 200,
 'content-disposition': 'attachment',
 'content-type': 'application/grpc',
 ' ÐÕJ': 'Wed, 10 Jul 2019 23:58:43 GMT',
 'alt-svc': 'quic=":443"; ma=2592000; v="46,43,39"'
}

while valid headers look like this:

[Object: null prototype] {
 ':status': 200,
 'content-disposition': 'attachment',
 'content-type': 'application/grpc',
 date: 'Wed, 10 Jul 2019 23:05:02 GMT',
 'alt-svc': 'quic=":443"; ma=2592000; v="46,43,39"'
}

In all of the cases we have seen, it looks like the date key is replace with this garbled nonsense. My guess is that it is relevant that that header is the one most likely to be encoded in the format Literal Header Field Never Indexed — Indexed Name because the value changes with every request.

Contributor guide

Tech stack
javascriptnodejs
Domain
backend
Issue type
bug
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
4
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
over 1 week
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
stale
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
clear
Prerequisites
JavaScriptHTTP/2 protocol basicsNode.js core internals
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
20
Research direction
Investigate the http2 module's header decoding logic, focusing on the handling of the 'date' header. The issue suggests that the HPACK compression may be incorrectly parsing headers with the 'Never Indexed' flag. Look at the relevant source files in lib/http2/ and test files to reproduce the bug. Examine the linked issue from googleapis/nodejs datastore for additional context.