http: verify client method is a string

lucamaraschi · cjihrig · commit df3978421b86 · 2016-12-08T09:51:07.000-05:00
Prior to this commit, it was possible to pass a truthy non-string value as the HTTP method to the HTTP client, resulting in an exception being thrown. This commit adds validation to the method. PR-URL: #10111 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
diff --git a/lib/_http_client.js b/lib/_http_client.js
@@ -68,7 +68,11 @@ function ClientRequest(options, cb){
 self.socketPath = options.socketPath;
 self.timeout = options.timeout;
 
- var method = self.method = (options.method || 'GET').toUpperCase();
+ var method = options.method;
+ if (method != null && typeof method !== 'string'){
+ throw new TypeError('Method must be a string');
+ }
+ method = self.method = (method || 'GET').toUpperCase();
 if (!common._checkIsHttpToken(method)){
 throw new TypeError('Method must be a valid HTTP token');
 }
diff --git a/test/parallel/test-http-client-check-http-token.js b/test/parallel/test-http-client-check-http-token.js
@@ -0,0 +1,40 @@
+'use strict';
+const common = require('../common');
+const assert = require('assert');
+const http = require('http');
+
+const expectedSuccesses = [undefined, null, 'GET', 'post'];
+let requestCount = 0;
+
+const server = http.createServer((req, res) =>{
+ requestCount++;
+ res.end();
+
+ if (expectedSuccesses.length === requestCount){
+ server.close();
+ }
+}).listen(0, test);
+
+function test(){
+ function fail(input){
+ assert.throws(() =>{
+ http.request({method: input, path: '/' }, common.fail);
+ }, /^TypeError: Method must be a string$/);
+ }
+
+ fail(-1);
+ fail(1);
+ fail(0);
+ fail({});
+ fail(true);
+ fail(false);
+ fail([]);
+
+ function ok(method){
+ http.request({method: method, port: server.address().port }).end();
+ }
+
+ expectedSuccesses.forEach((method) =>{
+ ok(method);
+ });
+}

-Original file line number
+Diff line change
 self.socketPath=options.socketPath;
 self.timeout=options.timeout;
 -varmethod=self.method=(options.method||'GET').toUpperCase();
 +varmethod=options.method;
 +if(method!=null&&typeofmethod!=='string'){
 +thrownewTypeError('Method must be a string');
 +}
 +method=self.method=(method||'GET').toUpperCase();
 if(!common._checkIsHttpToken(method)){
 thrownewTypeError('Method must be a valid HTTP token');
+}
-Original file line number
+Diff line change
@@ @@ -0,0 +1,40 @@ @@
 +'use strict';
 +constcommon=require('../common');
 +constassert=require('assert');
 +consthttp=require('http');
++
 +constexpectedSuccesses=[undefined,null,'GET','post'];
 +letrequestCount=0;
++
 +constserver=http.createServer((req,res)=>{
 +requestCount++;
 +res.end();
++
 +if(expectedSuccesses.length===requestCount){
 +server.close();
 +}
 +}).listen(0,test);
++
 +functiontest(){
 +functionfail(input){
 +assert.throws(()=>{
 +http.request({method: input,path: '/'},common.fail);
 +},/^TypeError:Methodmustbeastring$/);
 +}
++
 +fail(-1);
 +fail(1);
 +fail(0);
 +fail({});
 +fail(true);
 +fail(false);
 +fail([]);
++
 +functionok(method){
 +http.request({method: method,port: server.address().port}).end();
 +}
++
 +expectedSuccesses.forEach((method)=>{
 +ok(method);
 +});
 +}