path: root/test/headers-crlf.js
'use strict'

const { test } = require('tap')
const { Client } = require('..')
const { createServer } = require('http')

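// Regression test for header injection through the `host` request header.
// A header value containing CR/LF could otherwise terminate the header block
// early and let caller-supplied data be interpreted as extra headers or as a
// second request, so the client is expected to reject it with
// UND_ERR_INVALID_ARG instead of sending it.
test('CRLF Injection in Nodejs ‘undici’ via host', (t) => {
  t.plan(1)

  // The handler just completes any request it receives; the assertion below
  // is made on the client-side error, not on what the server observes.
  const server = createServer((req, res) => {
    res.end()
  })
  t.teardown(server.close.bind(server))

  server.listen(0, async () => {
    const client = new Client(`http://localhost:${server.address().port}`)
    t.teardown(client.close.bind(client))

    // Host value carrying an embedded CRLFCRLF sequence followed by a
    // header-shaped line (constructed sample input for this test).
    const hostWithCrlf = '12 \r\n\r\naaa:aaa'

    let rejection = null
    try {
      const { body } = await client.request({
        path: '/',
        method: 'POST',
        headers: {
          'content-type': 'application/json',
          host: hostWithCrlf
        },
        body: 'asd'
      })
      await body.dump()
    } catch (err) {
      rejection = err
    }

    // Without an explicit failure here, a regression that lets the request
    // through would leave the plan of 1 unmet and only surface as a
    // timeout, hiding the fact that the injection guard stopped working.
    if (rejection === null) {
      t.fail('request with CRLF in the host header was accepted')
    } else {
      t.equal(rejection.code, 'UND_ERR_INVALID_ARG')
    }
  })
})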