http2: reject non-latin1 client request values and add httpValidation option

Signed-off-by: Matteo Collina <hello@matteocollina.com>
PR-URL: #63571

Author: mcollina

doc/api/http2.md

@@ -1112,6 +1112,14 @@ For HTTP/2 Client `Http2Session` instances only, the `http2session.request()`
 creates and returns an `Http2Stream` instance that can be used to send an
 HTTP/2 request to the connected server.
 
+When sending a request, header values must not contain characters outside the
+`latin1` encoding. The `:path` pseudo-header must not contain unescaped
+characters.
+
+This strict validation can be relaxed via the `httpValidation` option of
+[`http2.connect()`][], which allows control characters in header values
+when set to `'relaxed'` or `'insecure'`.
+
 When a `ClientHttp2Session` is first created, the socket may not yet be
 connected. If `clienthttp2session.request()` is called during this time, the
 actual request will be deferred until the socket is ready to go.
@@ -2970,6 +2978,17 @@ changes:
     for headers and trailers defined as having only a single value, such that
     an error is thrown if multiple values are provided.
     **Default:** `true`.
+  * `httpValidation` {string} Controls HTTP header value validation strictness
+    for HTTP/2 requests and responses. Accepted values are:
+    * `'strict'`: Strictest validation; rejects any non-ASCII or control
+      characters in header values (default).
+    * `'relaxed'`: Allows a limited set of control characters in header
+      values, aligning with the [Fetch specification][].
+    * `'insecure'`: Disables all header value validation (equivalent to
+      `insecureHTTPParser` in HTTP/1).
+    When set to `'relaxed'` or `'insecure'`, `strictSingleValueFields` is
+    automatically disabled.
+    **Default:** `'strict'`.
   * `...options` {Object} Any [`net.createServer()`][] option can be provided.
 * `onRequestHandler` {Function} See [Compatibility API][]
 * Returns: {Http2Server}
@@ -3159,6 +3178,17 @@ changes:
     for headers and trailers defined as having only a single value, such that
     an error is thrown if multiple values are provided.
     **Default:** `true`.
+  * `httpValidation` {string} Controls HTTP header value validation strictness
+    for HTTP/2 requests and responses. Accepted values are:
+    * `'strict'`: Strictest validation; rejects any non-ASCII or control
+      characters in header values (default).
+    * `'relaxed'`: Allows a limited set of control characters in header
+      values, aligning with the [Fetch specification][].
+    * `'insecure'`: Disables all header value validation (equivalent to
+      `insecureHTTPParser` in HTTP/1).
+    When set to `'relaxed'` or `'insecure'`, `strictSingleValueFields` is
+    automatically disabled.
+    **Default:** `'strict'`.
   * `http1Options` {Object} An options object for configuring the HTTP/1
     fallback when `allowHTTP1` is `true`. These options are passed to the
     underlying HTTP/1 server. See [`http.createServer()`][] for available
@@ -3333,6 +3363,17 @@ changes:
     and trailing whitespace validation for HTTP/2 header field names and values
     as per [RFC-9113](https://www.rfc-editor.org/rfc/rfc9113.html#section-8.2.1).
     **Default:** `true`.
+  * `httpValidation` {string} Controls HTTP header value validation strictness
+    for outgoing HTTP/2 requests. Accepted values are:
+    * `'strict'`: Strictest validation; rejects any non-ASCII or control
+      characters in header values (default).
+    * `'relaxed'`: Allows a limited set of control characters in header
+      values, aligning with the [Fetch specification][].
+    * `'insecure'`: Disables all header value validation (equivalent to
+      `insecureHTTPParser` in HTTP/1).
+    When set to `'relaxed'` or `'insecure'`, `strictSingleValueFields` is
+    automatically disabled.
+    **Default:** `'strict'`.
 * `listener` {Function} Will be registered as a one-time listener of the
   [`'connect'`][] event.
 * Returns: {ClientHttp2Session}
@@ -5093,3 +5134,4 @@ you need to implement any fall-back behavior yourself.
 [`tls.createServer()`]: tls.md#tlscreateserveroptions-secureconnectionlistener
 [`writable.writableFinished`]: stream.md#writablewritablefinished
 [error code]: #error-codes-for-rst_stream-and-goaway
+[Fetch specification]: https://fetch.spec.whatwg.org/

lib/internal/http2/core.js

@@ -117,6 +117,7 @@ const {
   isUint32,
   validateAbortSignal,
   validateBoolean,
+  validateOneOf,
   validateBuffer,
   validateFunction,
   validateInt32,
@@ -148,6 +149,7 @@ const {
   getStreamState,
   isPayloadMeaningless,
   kAuthority,
+  kHttpValidation,
   kSensitiveHeaders,
   kStrictSingleValueFields,
   kSocket,
@@ -1325,6 +1327,8 @@ class Http2Session extends EventEmitter {
     this[kHandle] = undefined;
     this[kStrictSingleValueFields] =
       options.strictSingleValueFields;
+    this[kHttpValidation] =
+      options.httpValidation;
 
     // Do not use nagle's algorithm
     if (typeof socket.setNoDelay === 'function')
@@ -2390,6 +2394,7 @@ class Http2Stream extends Duplex {
       headers,
       assertValidPseudoHeaderTrailer,
       this.session[kStrictSingleValueFields],
+      this.session[kHttpValidation],
     );
     this[kSentTrailers] = headers;
 
@@ -2603,6 +2608,7 @@ function prepareResponseHeaders(stream, headersParam, options) {
     headers,
     assertValidPseudoHeaderResponse,
     stream.session[kStrictSingleValueFields],
+    stream.session[kHttpValidation],
   );
 
   return { headers, headersList, statusCode };
@@ -2710,6 +2716,7 @@ function processRespondWithFD(self, fd, headers, offset = 0, length = -1,
       headers,
       assertValidPseudoHeaderResponse,
       self.session[kStrictSingleValueFields],
+      self.session[kHttpValidation],
     );
   } catch (err) {
     if (self.ownsFd)
@@ -2941,6 +2948,7 @@ class ServerHttp2Stream extends Http2Stream {
       headers,
       assertValidPseudoHeader,
       this.session[kStrictSingleValueFields],
+      this.session[kHttpValidation],
     );
 
     const streamOptions = options.endStream ? STREAM_OPTION_EMPTY_PAYLOAD : 0;
@@ -3209,6 +3217,7 @@ class ServerHttp2Stream extends Http2Stream {
       headers,
       assertValidPseudoHeaderResponse,
       this.session[kStrictSingleValueFields],
+      this.session[kHttpValidation],
     );
     if (!this[kInfoHeaders])
       this[kInfoHeaders] = [headers];
@@ -3386,6 +3395,16 @@ function initializeOptions(options) {
     options.strictSingleValueFields = true;
   }
 
+  const httpValidation = options.httpValidation;
+  if (httpValidation !== undefined) {
+    validateOneOf(httpValidation, 'options.httpValidation',
+                  ['strict', 'relaxed', 'insecure']);
+    if (httpValidation !== 'strict') {
+      // In relaxed/insecure mode, disable strict single-value fields
+      // and use lenient header value validation
+      options.strictSingleValueFields = false;
+    }
+  }
 
   // Initialize http1Options bag for HTTP/1 fallback when allowHTTP1 is true.
   // This bag is passed to storeHTTPOptions() to configure HTTP/1 server
@@ -3607,6 +3626,17 @@ function connect(authority, options, listener) {
     options.strictSingleValueFields = true;
   }
 
+  const httpValidation = options.httpValidation;
+  if (httpValidation !== undefined) {
+    validateOneOf(httpValidation, 'options.httpValidation',
+                  ['strict', 'relaxed', 'insecure']);
+    if (httpValidation !== 'strict') {
+      // In relaxed/insecure mode, disable strict single-value fields
+      // and use lenient header value validation
+      options.strictSingleValueFields = false;
+    }
+  }
+
   if (typeof authority === 'string')
     authority = new URL(authority);
 

lib/internal/http2/util.js

@@ -15,6 +15,7 @@ const {
 } = primordials;
 
 const {
+  _checkInvalidHeaderChar: checkInvalidHeaderChar,
   _checkIsHttpToken: checkIsHttpToken,
 } = require('_http_common');
 
@@ -26,11 +27,13 @@ const {
     ERR_HTTP2_CONNECT_SCHEME,
     ERR_HTTP2_HEADER_SINGLE_VALUE,
     ERR_HTTP2_INVALID_CONNECTION_HEADERS,
+    ERR_HTTP2_INVALID_HEADER_VALUE,
     ERR_HTTP2_INVALID_PSEUDOHEADER: { HideStackFramesError: ERR_HTTP2_INVALID_PSEUDOHEADER },
     ERR_HTTP2_INVALID_SETTING_VALUE,
     ERR_HTTP2_TOO_MANY_CUSTOM_SETTINGS,
     ERR_INVALID_ARG_TYPE,
     ERR_INVALID_HTTP_TOKEN,
+    ERR_UNESCAPED_CHARACTERS,
   },
   getMessage,
   hideStackFrames,
@@ -40,6 +43,7 @@ const {
 const kAuthority = Symbol('authority');
 const kSensitiveHeaders = Symbol('sensitiveHeaders');
 const kStrictSingleValueFields = Symbol('strictSingleValueFields');
+const kHttpValidation = Symbol('httpValidation');
 const kSocket = Symbol('socket');
 const kProtocol = Symbol('protocol');
 const kProxySocket = Symbol('proxySocket');
@@ -120,6 +124,18 @@ const kValidPseudoHeaders = new SafeSet([
   HTTP2_HEADER_PROTOCOL,
 ]);
 
+const INVALID_PATH_REGEX = /[^\u0021-\u00ff]/;
+
+function assertValidHeaderValue(name, value, lenient = false) {
+  if (name === ':path' && INVALID_PATH_REGEX.test(value)) {
+    throw new ERR_UNESCAPED_CHARACTERS('Request path');
+  }
+
+  if (checkInvalidHeaderChar(value, lenient)) {
+    throw new ERR_HTTP2_INVALID_HEADER_VALUE(value, name);
+  }
+}
+
 // This set contains headers that are permitted to have only a single
 // value. Multiple instances must not be specified.
 const kSingleValueFields = new SafeSet([
@@ -692,6 +708,7 @@ function prepareRequestHeadersArray(headers, session) {
     rawHeaders,
     assertValidPseudoHeader,
     session[kStrictSingleValueFields],
+    session[kHttpValidation],
   );
 
   return {
@@ -737,6 +754,7 @@ function prepareRequestHeadersObject(headers, session) {
     headersObject,
     assertValidPseudoHeader,
     session[kStrictSingleValueFields],
+    session[kHttpValidation],
   );
 
   return {
@@ -765,7 +783,9 @@ const kNoHeaderFlags = StringFromCharCode(NGHTTP2_NV_FLAG_NONE);
  */
 function buildNgHeaderString(arrayOrMap,
                              validatePseudoHeaderValue,
-                             strictSingleValueFields) {
+                             strictSingleValueFields,
+                             httpValidation) {
+  const lenient = httpValidation && httpValidation !== 'strict';
   let headers = '';
   let pseudoHeaders = '';
   let count = 0;
@@ -806,6 +826,7 @@ function buildNgHeaderString(arrayOrMap,
       const err = validatePseudoHeaderValue(key);
       if (err !== undefined)
         throw err;
+      assertValidHeaderValue(key, value, lenient);
       pseudoHeaders += `${key}\0${value}\0${flags}`;
       count++;
       return;
@@ -819,11 +840,13 @@ function buildNgHeaderString(arrayOrMap,
     if (isArray) {
       for (let j = 0; j < value.length; ++j) {
         const val = String(value[j]);
+        assertValidHeaderValue(key, val, lenient);
         headers += `${key}\0${val}\0${flags}`;
       }
       count += value.length;
       return;
     }
+    assertValidHeaderValue(key, value, lenient);
     headers += `${key}\0${value}\0${flags}`;
     count++;
   }
@@ -982,6 +1005,7 @@ module.exports = {
   isPayloadMeaningless,
   kAuthority,
   kSensitiveHeaders,
+  kHttpValidation,
   kStrictSingleValueFields,
   kSocket,
   kProtocol,

test/parallel/test-http2-client-unescaped-path.js

@@ -3,8 +3,8 @@
 const common = require('../common');
 if (!common.hasCrypto)
   common.skip('missing crypto');
+const assert = require('assert');
 const http2 = require('http2');
-const Countdown = require('../common/countdown');
 
 const server = http2.createServer();
 
@@ -14,24 +14,22 @@ const count = 32;
 
 server.listen(0, common.mustCall(() => {
   const client = http2.connect(`http://localhost:${server.address().port}`);
-  client.setMaxListeners(33);
 
-  const countdown = new Countdown(count + 1, () => {
-    server.close();
-    client.close();
-  });
-
-  // nghttp2 will catch the bad header value for us.
-  function doTest(i) {
-    const req = client.request({ ':path': `bad${String.fromCharCode(i)}path` });
-    req.on('error', common.expectsError({
-      code: 'ERR_HTTP2_STREAM_ERROR',
-      name: 'Error',
-      message: 'Stream closed with error code NGHTTP2_PROTOCOL_ERROR'
-    }));
-    req.on('close', common.mustCall(() => countdown.dec()));
+  for (let i = 0; i <= count; i += 1) {
+    const path = `bad${String.fromCharCode(i)}path`;
+    assert.throws(() => client.request({ ':path': path }), {
+      code: 'ERR_UNESCAPED_CHARACTERS',
+      name: 'TypeError',
+      message: 'Request path contains unescaped characters'
+    });
   }
 
-  for (let i = 0; i <= count; i += 1)
-    doTest(i);
+  assert.throws(() => client.request({ ':path': 'bad\u0100path' }), {
+    code: 'ERR_UNESCAPED_CHARACTERS',
+    name: 'TypeError',
+    message: 'Request path contains unescaped characters'
+  });
+
+  client.close();
+  server.close();
 }));

test/parallel/test-http2-invalidheaderfields-client.js

@@ -14,6 +14,11 @@ server1.listen(0, common.mustCall(() => {
   }, {
     code: 'ERR_INVALID_HTTP_TOKEN'
   });
+  assert.throws(() => {
+    session.request({ 'x-bad-char': 'oʊmɪɡə' });
+  }, {
+    code: 'ERR_HTTP2_INVALID_HEADER_VALUE'
+  });
   session.close();
   server1.close();
 }));

test/parallel/test-http2-util-headers-list.js

@@ -376,6 +376,26 @@ buildNgHeaderString(
   true
 );
 
+assert.throws(() => buildNgHeaderString(
+  { ':path': 'bad\u0100path' },
+  assertValidPseudoHeader,
+  true
+), {
+  code: 'ERR_UNESCAPED_CHARACTERS',
+  name: 'TypeError',
+  message: 'Request path contains unescaped characters'
+});
+
+assert.throws(() => buildNgHeaderString(
+  { 'x-bad-char': 'oʊmɪɡə' },
+  assertValidPseudoHeader,
+  true
+), {
+  code: 'ERR_HTTP2_INVALID_HEADER_VALUE',
+  name: 'TypeError',
+  message: 'Invalid value "oʊmɪɡə" for header "x-bad-char"'
+});
+
 // If both are present, the latter has priority
 assert.strictEqual(getAuthority({
   [HTTP2_HEADER_AUTHORITY]: 'abc',