From 4718119ffbe895aecd9be0d6430357d44b4c7fd3 Mon Sep 17 00:00:00 2001
From: "Smylnycky, Jason M"
Date: Fri, 15 May 2020 14:58:37 -0400
Subject: [PATCH 1/2] Skip sending the proxyReq event when the expect header is present
---
 lib/http-proxy/passes/web-incoming.js | 4 +-
 ...lib-http-proxy-passes-web-incoming-test.js | 44 +++++++++++++++++++
 2 files changed, 47 insertions(+), 1 deletion(-)
diff --git a/lib/http-proxy/passes/web-incoming.js b/lib/http-proxy/passes/web-incoming.js
index 781b32692..7ae735514 100644
--- a/lib/http-proxy/passes/web-incoming.js
+++ b/lib/http-proxy/passes/web-incoming.js
@@ -129,7 +129,9 @@ module.exports = {
 // Enable developers to modify the proxyReq before headers are sent
 proxyReq.on('socket', function(socket) {
- if(server) { server.emit('proxyReq', proxyReq, req, res, options); }
+ if(server && !proxyReq.getHeader('expect')) {
+ server.emit('proxyReq', proxyReq, req, res, options);
+ }
 });
 // allow outgoing socket to timeout so that we could
diff --git a/test/lib-http-proxy-passes-web-incoming-test.js b/test/lib-http-proxy-passes-web-incoming-test.js
index 37f74204b..ee7429c1b 100644
--- a/test/lib-http-proxy-passes-web-incoming-test.js
+++ b/test/lib-http-proxy-passes-web-incoming-test.js
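Review bot: In `lib/http-proxy/passes/web-incoming.js`, the new guard in the `socket` listener silently skips every `proxyReq` listener whenever the outgoing request carries an `Expect` header, and that header is chosen by the client. Applications that rely on `proxyReq` for security-relevant rewriting (adding credentials, stripping client-supplied identity headers) get no signal that the hook did not run, so the limitation should be stated at the guard and in the user-facing docs. Proposed comment above the `if`: `// With an 'expect' header the request headers are presumably already flushed, so proxyReq listeners are skipped; rewrite req.headers before proxy.web() if a header must always be set or removed.` The enclosing function starts and ends outside this hunk, so whether `req.headers` is the only source of outgoing headers should be confirmed there.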
@@ -126,6 +126,50 @@ describe('#createProxyServer.web() using own http server', function () {
 http.request('http://127.0.0.1:8081', function() {}).end();
 });
+ it('should skip proxyReq event when handling a request with header "expect: 100-continue" [https://www.npmjs.com/advisories/1486]', function (done) {
+ var proxy = httpProxy.createProxyServer({
+ target: 'http://127.0.0.1:8080',
+ });
+
+ proxy.on('proxyReq', function(proxyReq, req, res, options) {
+ proxyReq.setHeader('X-Special-Proxy-Header', 'foobar');
+ });
+
+ function requestHandler(req, res) {
+ proxy.web(req, res);
+ }
+
+ var proxyServer = http.createServer(requestHandler);
+
+ var source = http.createServer(function(req, res) {
+ source.close();
+ proxyServer.close();
+ expect(req.headers['x-special-proxy-header']).to.not.eql('foobar');
+ done();
+ });
+
+ proxyServer.listen('8081');
+ source.listen('8080');
+
+ const postData = ''.padStart(10025, 'x');
+
+ const postOptions = {
+ hostname: '127.0.0.1',
+ port: 8081,
+ path: '/',
+ method: 'POST',
+ headers: {
+ 'Content-Type': 'application/x-www-form-urlencoded',
+ 'Content-Length': Buffer.byteLength(postData),
+ 'expect': '100-continue'
+ }
+ };
+
+ const req = http.request(postOptions, function() {});
+ req.write(postData);
+ req.end();
+ });
+
+ it('should proxy the request and handle error via callback', function(done) {
 var proxy = httpProxy.createProxyServer({
 target: 'http://127.0.0.1:8080'
From 0069f9fd347d60b7e56efb2b86e59f04e5dd9131 Mon Sep 17 00:00:00 2001
From: "Smylnycky, Jason M"
Date: Fri, 15 May 2020 15:35:44 -0400
Subject: [PATCH 2/2] Adjust padding to match advisory
---
 test/lib-http-proxy-passes-web-incoming-test.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/test/lib-http-proxy-passes-web-incoming-test.js b/test/lib-http-proxy-passes-web-incoming-test.js
index ee7429c1b..f6553d300 100644
--- a/test/lib-http-proxy-passes-web-incoming-test.js
+++ b/test/lib-http-proxy-passes-web-incoming-test.js
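Review bot: The only assertion in the test added by patch 1/2 ('should skip proxyReq event …') is `to.not.eql('foobar')` inside the `source` handler, so it proves the header was not applied but not that the proxy stayed error-free or that the listener was never invoked. A regression that reached the target while the proxy emitted `error` would still pass. I would tighten it with `expect(req.headers['x-special-proxy-header']).to.equal(undefined);` and add `proxy.on('error', done);` so any proxy error fails the test with its message. The enclosing `describe` block starts outside this hunk, so any shared setup it provides is not visible here.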
@@ -151,7 +151,7 @@ describe('#createProxyServer.web() using own http server', function () {
 proxyServer.listen('8081');
 source.listen('8080');
- const postData = ''.padStart(10025, 'x');
+ const postData = ''.padStart(1025, 'x');
 const postOptions = {
 hostname: '127.0.0.1',