The application crashes when setting an invalid cookie value #4527

Open
Hydrock opened this issue Aug 28, 2024 · 1 comment
Labels
bug Bug or defect

Comments


Hydrock commented Aug 28, 2024

Runtime

node.js

Runtime version

v18.20.0 / LTS

Module version

21.3.2

Last module version without issue

No response

Used with

No response

Any other relevant information

When the server tries to set an invalid cookie value, the server crashes with an error:

```
node:_http_outgoing:662
  validateHeaderValue(name, value);
  ^

TypeError [ERR_INVALID_CHAR]: Invalid character in header content ["set-cookie"]
    at ServerResponse.setHeader (node:_http_outgoing:662:3)
    at internals.writeHead (/project/workspace/node_modules/@hapi/hapi/lib/transmit.js:336:21)
    at internals.transmit (/project/workspace/node_modules/@hapi/hapi/lib/transmit.js:104:15)
    at internals.fail (/project/workspace/node_modules/@hapi/hapi/lib/transmit.js:68:22)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async Request._reply (/project/workspace/node_modules/@hapi/hapi/lib/request.js:456:9) {
  code: 'ERR_INVALID_CHAR',
  isBoom: true,
  isServer: true,
  data: null,
  output: {
    statusCode: 500,
    payload: {
      statusCode: 500,
      error: 'Internal Server Error',
      message: 'An internal server error occurred'
    },
    headers: {}
  }
}
```

Slack chat discussion: https://hapihour.slack.com/archives/C6CEEUE06/p1724861065721169

Problem example: https://codesandbox.io/p/devbox/hapi-cookie-test-forked-t2g89w?workspaceId=6ecda139-50d1-4062-98aa-206f54ef133e

What are you trying to achieve or the steps to reproduce?

Problem example: https://codesandbox.io/p/devbox/hapi-cookie-test-forked-t2g89w?workspaceId=6ecda139-50d1-4062-98aa-206f54ef133e

Just start the server at the address "/" and you will immediately see the server crash. This is because of the line:

```js
// INVALID cookie
.state("cookieName2", "тест");
```

In the Slack chat, a user under the nickname "yoannma" wrote the following:

I think I found why node crashes:
- hapi tries to serialize the hapi.response header to node.response in writeHead (https://github.com/hapijs/hapi/blob/master/lib/transmit.js#L336)
- node throws an error because of the bad characters
- hapi catches it, removes the headers, throws a boomify error (https://github.com/hapijs/hapi/blob/master/lib/transmit.js#L345)
- hapi tries to send the 500 response (https://github.com/hapijs/hapi/blob/master/lib/transmit.js#L33)
- hapi reuses response.request._route._marshalCycle which contains the set-cookie declaration (https://github.com/hapijs/hapi/blob/master/lib/transmit.js#L40)
- hapi tries to send the 500 response, which ends up throwing
- hapi does not catch it this time

What was the result you got?

From my example above, it is clear that when the server tries to set an invalid value, Node.js crashes.

What result did you expect?

If the cookie value is invalid, I expect that the application and nodejs will not crash, but simply an error will be thrown.

Ideally, enable validation of the values as on the server when installing them.

@Hydrock Hydrock added the bug Bug or defect label Aug 28, 2024
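The validation asked for in the report can be done in application code before a value reaches `.state()`. The following is an added example, not code from the issue, hapi or Node.js; the function names are hypothetical and every sample value except "тест" is constructed. It separates values that Node refuses to write as a header from values that are writable but outside the RFC 6265 cookie-octet set, and shows that percent-encoding makes both safe.

```javascript
// Added example: not hapi or Node.js source; function names are hypothetical.

// Node's HTTP layer rejects header values containing anything other than
// TAB, 0x20-0x7e and 0x80-0xff; that rejection surfaces as ERR_INVALID_CHAR.
const INVALID_HEADER_CHAR = /[^\t\x20-\x7e\x80-\xff]/;

// RFC 6265 cookie-octet: printable US-ASCII except space, DQUOTE, comma,
// semicolon and backslash. (The optional surrounding DQUOTEs are not handled.)
const COOKIE_OCTETS = /^[\x21\x23-\x2b\x2d-\x3a\x3c-\x5b\x5d-\x7e]*$/;

// Classify a candidate cookie value before it is handed to .state().
function classifyCookieValue(value) {
  if (typeof value !== 'string') {
    return { ok: false, reason: 'not-a-string' };
  }
  if (INVALID_HEADER_CHAR.test(value)) {
    return { ok: false, reason: 'invalid-header-char' }; // would throw in setHeader()
  }
  if (!COOKIE_OCTETS.test(value)) {
    return { ok: false, reason: 'not-cookie-octet' }; // writable, but not RFC 6265
  }
  return { ok: true, reason: null };
}

// Percent-encode arbitrary text as UTF-8 so the result contains only
// cookie-octets. Returns null for input that cannot be encoded (lone surrogate).
function encodeCookieValue(value) {
  try {
    return encodeURIComponent(String(value));
  } catch (err) {
    return null; // URIError: malformed UTF-16
  }
}

// Constructed sample values; "тест" is the value from the report.
function demo() {
  return ['abc123', 'a;b', 'caf\u00e9', 'тест'].map((v) => ({
    value: v,
    raw: classifyCookieValue(v).reason,
    encoded: encodeCookieValue(v),
    encodedOk: classifyCookieValue(encodeCookieValue(v)).ok,
  }));
}

console.log(demo());
```

A value stored this way is read back with `decodeURIComponent` on the receiving side.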
kanongil (Contributor) commented

This is related to the crash in #4316, and my comment here #4297 (comment).
