http: disallow sending obviously invalid status codes

evanlucas · rvagg · commit ad470e496bbd · 2016-09-28T00:00:05.000+10:00
Back port of 7e9b0dd 3d6225 to v0.12. PR-URL: nodejs-private/node-private#47 Reviewed-By: Rod Vagg <rod@vagg.org> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Douglas Wilson <doug@somethingdoug.com>
diff --git a/lib/_http_server.js b/lib/_http_server.js
@@ -202,6 +202,10 @@ ServerResponse.prototype.writeHead = function(statusCode, reason, obj) {
     headers = obj;
   }
 
+  statusCode |= 0;
+  if (statusCode < 100 || statusCode > 999)
+    throw new RangeError('Invalid status code: ' + statusCode);
+
   var statusLine = 'HTTP/1.1 ' + statusCode.toString() + ' ' +
                    this.statusMessage + CRLF;
 
diff --git a/test/parallel/test-http-response-statuscode.js b/test/parallel/test-http-response-statuscode.js
@@ -0,0 +1,92 @@
+'use strict';
+var common = require('../common');
+var assert = require('assert');
+var http = require('http');
+
+var MAX_REQUESTS = 12;
+var reqNum = 0;
+
+var server = http.Server(common.mustCall(function(req, res) {
+  switch (reqNum) {
+    case 0:
+      assert.throws(common.mustCall(function() {
+        res.writeHead(-1);
+      }, /invalid status code/i));
+      break;
+    case 1:
+      assert.throws(common.mustCall(function() {
+        res.writeHead(Infinity);
+      }, /invalid status code/i));
+      break;
+    case 2:
+      assert.throws(common.mustCall(function() {
+        res.writeHead(NaN);
+      }, /invalid status code/i));
+      break;
+    case 3:
+      assert.throws(common.mustCall(function() {
+        res.writeHead({});
+      }, /invalid status code/i));
+      break;
+    case 4:
+      assert.throws(common.mustCall(function() {
+        res.writeHead(99);
+      }, /invalid status code/i));
+      break;
+    case 5:
+      assert.throws(common.mustCall(function() {
+        res.writeHead(1000);
+      }, /invalid status code/i));
+      break;
+    case 6:
+      assert.throws(common.mustCall(function() {
+        res.writeHead('1000');
+      }, /invalid status code/i));
+      break;
+    case 7:
+      assert.throws(common.mustCall(function() {
+        res.writeHead(null);
+      }, /invalid status code/i));
+      break;
+    case 8:
+      assert.throws(common.mustCall(function() {
+        res.writeHead(true);
+      }, /invalid status code/i));
+      break;
+    case 9:
+      assert.throws(common.mustCall(function() {
+        res.writeHead([]);
+      }, /invalid status code/i));
+      break;
+    case 10:
+      assert.throws(common.mustCall(function() {
+        res.writeHead('this is not valid');
+      }, /invalid status code/i));
+      break;
+    case 11:
+      assert.throws(common.mustCall(function() {
+        res.writeHead('404 this is not valid either');
+      }, /invalid status code/i));
+      this.close();
+      break;
+    default:
+      throw new Error('Unexpected request');
+  }
+  res.statusCode = 200;
+  res.end();
+}, MAX_REQUESTS));
+server.listen();
+
+server.on('listening', function makeRequest() {
+  var self = this;
+  http.get({
+    port: self.address().port
+  }, function(res) {
+    assert.strictEqual(res.statusCode, 200);
+    res.on('end', function() {
+      if (++reqNum < MAX_REQUESTS)
+        makeRequest.call(self);
+    });
+    res.resume();
+  });
+});

Original file line number	Diff line number	Diff line change
`@@ -202,6 +202,10 @@ ServerResponse.prototype.writeHead = function(statusCode, reason, obj) {`
`202`	`202`	`headers = obj;`
`203`	`203`	`}`
`204`	`204`
	`205`	`+ statusCode \|= 0;`
	`206`	`+ if (statusCode < 100 \|\| statusCode > 999)`
	`207`	`+ throw new RangeError('Invalid status code: ' + statusCode);`
	`208`	`+`
`205`	`209`	`var statusLine = 'HTTP/1.1 ' + statusCode.toString() + ' ' +`
`206`	`210`	`this.statusMessage + CRLF;`
`207`	`211`