http: make req.headers have a null prototype

Makes IncomingMessage.prototype.headers and trailers have a null
prototype, matching the existing behavior of headersDistinct and
trailersDistinct.

Fixes prototype pollution concerns where headers like __proto__
could be interpreted as prototype manipulation.

Refs: #61771

PR-URL: #61772

Author: mcollina

lib/_http_incoming.js

@@ -112,7 +112,7 @@ ObjectDefineProperty(IncomingMessage.prototype, 'headers', {
   __proto__: null,
   get: function() {
     if (!this[kHeaders]) {
-      this[kHeaders] = {};
+      this[kHeaders] = { __proto__: null };
 
       const src = this.rawHeaders;
       const dst = this[kHeaders];
@@ -152,7 +152,7 @@ ObjectDefineProperty(IncomingMessage.prototype, 'trailers', {
   __proto__: null,
   get: function() {
     if (!this[kTrailers]) {
-      this[kTrailers] = {};
+      this[kTrailers] = { __proto__: null };
 
       const src = this.rawTrailers;
       const dst = this[kTrailers];

test/parallel/test-http-blank-header.js

@@ -28,7 +28,7 @@ const net = require('net');
 const server = http.createServer(common.mustCall((req, res) => {
   assert.strictEqual(req.method, 'GET');
   assert.strictEqual(req.url, '/blah');
-  assert.deepStrictEqual(req.headers, {
+  assert.deepStrictEqual(req.headers, { __proto__: null,
     host: 'example.org:443',
     origin: 'http://example.org',
     cookie: ''

test/parallel/test-http-client-headers-array.js

@@ -7,7 +7,7 @@ const http = require('http');
 
 function execute(options) {
   http.createServer(common.mustCall(function(req, res) {
-    const expectHeaders = {
+    const expectHeaders = { __proto__: null,
       'x-foo': 'boom',
       'cookie': 'a=1; b=2; c=3',
       'connection': 'keep-alive',

test/parallel/test-http-content-length.js

@@ -4,17 +4,17 @@ const assert = require('assert');
 const http = require('http');
 const Countdown = require('../common/countdown');
 
-const expectedHeadersMultipleWrites = {
+const expectedHeadersMultipleWrites = { __proto__: null,
   'connection': 'keep-alive',
   'transfer-encoding': 'chunked',
 };
 
-const expectedHeadersEndWithData = {
+const expectedHeadersEndWithData = { __proto__: null,
   'connection': 'keep-alive',
   'content-length': String('hello world'.length),
 };
 
-const expectedHeadersEndNoData = {
+const expectedHeadersEndNoData = { __proto__: null,
   'connection': 'keep-alive',
   'content-length': '0',
 };
@@ -62,7 +62,7 @@ server.listen(0, common.mustCall(function() {
   req.write('hello ');
   req.end('world');
   req.on('response', common.mustCall((res) => {
-    assert.deepStrictEqual(res.headers, { ...expectedHeadersMultipleWrites, 'keep-alive': 'timeout=1' });
+    assert.deepStrictEqual(res.headers, { __proto__: null, ...expectedHeadersMultipleWrites, 'keep-alive': 'timeout=1' });
     res.resume();
   }));
 
@@ -74,7 +74,7 @@ server.listen(0, common.mustCall(function() {
   req.removeHeader('Date');
   req.end('hello world');
   req.on('response', common.mustCall((res) => {
-    assert.deepStrictEqual(res.headers, { ...expectedHeadersEndWithData, 'keep-alive': 'timeout=1' });
+    assert.deepStrictEqual(res.headers, { __proto__: null, ...expectedHeadersEndWithData, 'keep-alive': 'timeout=1' });
     res.resume();
   }));
 
@@ -86,7 +86,7 @@ server.listen(0, common.mustCall(function() {
   req.removeHeader('Date');
   req.end();
   req.on('response', common.mustCall((res) => {
-    assert.deepStrictEqual(res.headers, { ...expectedHeadersEndNoData, 'keep-alive': 'timeout=1' });
+    assert.deepStrictEqual(res.headers, { __proto__: null, ...expectedHeadersEndNoData, 'keep-alive': 'timeout=1' });
     res.resume();
   }));
 

test/parallel/test-http-multiple-headers.js

@@ -19,7 +19,7 @@ const server = createServer(
       'Host', host,
       'Transfer-Encoding', 'chunked',
     ]);
-    assert.deepStrictEqual(req.headers, {
+    assert.deepStrictEqual(req.headers, { __proto__: null,
       'connection': 'close',
       'x-req-a': 'eee, fff, ggg, hhh',
       'x-req-b': 'iii; jjj; kkk; lll',
@@ -41,7 +41,7 @@ const server = createServer(
         'X-req-Y', 'zzz; www',
       ]);
       assert.deepStrictEqual(
-        req.trailers, { 'x-req-x': 'xxx, yyy', 'x-req-y': 'zzz; www' }
+        req.trailers, { __proto__: null, 'x-req-x': 'xxx, yyy', 'x-req-y': 'zzz; www' }
       );
       assert.deepStrictEqual(
         req.trailersDistinct,
@@ -124,7 +124,7 @@ server.listen(0, common.mustCall(() => {
       'x-res-d', 'JJJ; KKK; LLL',
       'Transfer-Encoding', 'chunked',
     ]);
-    assert.deepStrictEqual(res.headers, {
+    assert.deepStrictEqual(res.headers, { __proto__: null,
       'x-res-a': 'AAA, BBB, CCC',
       'x-res-b': 'DDD; EEE; FFF; GGG',
       'connection': 'close',
@@ -149,7 +149,7 @@ server.listen(0, common.mustCall(() => {
       ]);
       assert.deepStrictEqual(
         res.trailers,
-        { 'x-res-x': 'XXX, YYY', 'x-res-y': 'ZZZ; WWW' }
+        { __proto__: null, 'x-res-x': 'XXX, YYY', 'x-res-y': 'ZZZ; WWW' }
       );
       assert.deepStrictEqual(
         res.trailersDistinct,

test/parallel/test-http-raw-headers.js

@@ -36,7 +36,7 @@ http.createServer(common.mustCall(function(req, res) {
     'Connection',
     'keep-alive',
   ];
-  const expectHeaders = {
+  const expectHeaders = { __proto__: null,
     'host': `localhost:${this.address().port}`,
     'transfer-encoding': 'CHUNKED',
     'x-bar': 'yoyoyo',
@@ -52,7 +52,7 @@ http.createServer(common.mustCall(function(req, res) {
     'X-baR',
     'OyOyOyO',
   ];
-  const expectTrailers = { 'x-bar': 'yOyOyOy, OyOyOyO, yOyOyOy, OyOyOyO' };
+  const expectTrailers = { __proto__: null, 'x-bar': 'yOyOyOy, OyOyOyO, yOyOyOy, OyOyOyO' };
 
   this.close();
 
@@ -98,7 +98,7 @@ http.createServer(common.mustCall(function(req, res) {
       'Transfer-Encoding',
       'chunked',
     ];
-    const expectHeaders = {
+    const expectHeaders = { __proto__: null,
       'keep-alive': 'timeout=1',
       'trailer': 'x-foo',
       'date': null,
@@ -120,7 +120,7 @@ http.createServer(common.mustCall(function(req, res) {
         'X-foO',
         'OxOxOxO',
       ];
-      const expectTrailers = { 'x-foo': 'xOxOxOx, OxOxOxO, xOxOxOx, OxOxOxO' };
+      const expectTrailers = { __proto__: null, 'x-foo': 'xOxOxOx, OxOxOxO, xOxOxOx, OxOxOxO' };
 
       assert.deepStrictEqual(res.rawTrailers, expectRawTrailers);
       assert.deepStrictEqual(res.trailers, expectTrailers);

test/parallel/test-http-remove-header-stays-removed.js

@@ -50,7 +50,7 @@ const server = http.createServer(common.mustCall(function(request, response) {
 server.listen(0, common.mustCall(function() {
   http.get({ port: this.address().port }, common.mustCall((res) => {
     assert.strictEqual(res.statusCode, 200);
-    assert.deepStrictEqual(res.headers, { date: 'coffee o clock' });
+    assert.deepStrictEqual(res.headers, { __proto__: null, date: 'coffee o clock' });
 
     let response = '';
     res.setEncoding('ascii');

test/parallel/test-http-server-headers-null-proto.js

@@ -0,0 +1,95 @@
+'use strict';
+
+const common = require('../common');
+const assert = require('assert');
+const http = require('http');
+const net = require('net');
+
+// Test 1: req.headers has a null prototype
+{
+  const server = http.createServer(common.mustCall((req, res) => {
+    assert.strictEqual(Object.getPrototypeOf(req.headers), null);
+    res.end();
+  }));
+
+  server.listen(0, common.mustCall(() => {
+    const port = server.address().port;
+
+    const client = net.connect(port, common.mustCall(() => {
+      client.write(
+        'GET / HTTP/1.1\r\n' +
+        'Host: localhost\r\n' +
+        'Connection: close\r\n' +
+        '\r\n',
+      );
+    }));
+
+    client.on('end', common.mustCall(() => {
+      server.close();
+    }));
+
+    client.resume();
+  }));
+}
+
+// Test 2: req.trailers has a null prototype
+{
+  const server = http.createServer(common.mustCall((req, res) => {
+    res.setHeader('Transfer-Encoding', 'chunked');
+    res.write('Hello');
+    res.addTrailers({
+      'X-Trailer': 'test',
+    });
+    res.end();
+  }));
+
+  server.listen(0, common.mustCall(() => {
+    const port = server.address().port;
+
+    const client = net.connect(port, common.mustCall(() => {
+      client.write(
+        'GET / HTTP/1.1\r\n' +
+        'Host: localhost\r\n' +
+        'TE: trailers\r\n' +
+        'Connection: close\r\n' +
+        '\r\n',
+      );
+    }));
+
+    client.on('data', () => {});
+
+    client.on('end', common.mustCall(() => {
+      server.close();
+    }));
+  }));
+}
+
+// Test 3: req.headers with __proto__ header (should not pollute prototype)
+{
+  const server = http.createServer(common.mustCall((req, res) => {
+    assert.strictEqual(Object.getPrototypeOf(req.headers), null);
+    // The __proto__ header should be stored as a regular property
+    assert.strictEqual(req.headers['__proto__'], 'test');
+    res.end();
+  }));
+
+  server.listen(0, common.mustCall(() => {
+    const port = server.address().port;
+
+    const client = net.connect(port, common.mustCall(() => {
+      client.write(
+        'GET / HTTP/1.1\r\n' +
+        'Host: localhost\r\n' +
+        '__proto__: test\r\n' +
+        'Connection: close\r\n' +
+        '\r\n',
+      );
+    }));
+
+    client.on('end', common.mustCall(() => {
+      server.close();
+    }));
+
+    client.resume();
+  }));
+}

test/parallel/test-http-upgrade-agent.js

@@ -76,7 +76,7 @@ server.listen(0, '127.0.0.1', common.mustCall(function() {
       assert.strictEqual(recvData.toString(), 'nurtzo');
     }));
 
-    const expectedHeaders = { 'hello': 'world',
+    const expectedHeaders = { __proto__: null, 'hello': 'world',
                               'connection': 'upgrade',
                               'upgrade': 'websocket' };
     assert.deepStrictEqual(expectedHeaders, res.headers);

test/parallel/test-http-upgrade-client.js

@@ -85,7 +85,8 @@ server.listen(0, common.mustCall(function() {
       const expectedHeaders = {
         hello: 'world',
         connection: 'upgrade',
-        upgrade: 'websocket'
+        upgrade: 'websocket',
+        __proto__: null
       };
       assert.deepStrictEqual(res.headers, expectedHeaders);
       socket.end();