http: improve invalid character in header error message

[evanlucas]

Checklist

• make -j8 test (UNIX), or vcbuild test nosign (Windows) passes
• tests and/or benchmarks are included
• documentation is changed or added
• commit message follows commit guidelines

Affected core subsystem(s)

http

Description of change

This commit includes the header name in the error message when invalid
characters are in the value.

[jasnell]

LGTM with a nit.

[jasnell]

const

[evanlucas]

ack, not sure what I was thinking.

[cjihrig]

LGTM pending @jasnell's nits.

[lpinca]

LGTM

[lpinca]

Tiny nit: commit subject line is a bit too long (55 chars) but I honestly have not idea how to make it shorter.

[Fishrock123]

@ChALkeR could you search for The header content contains invalid characters

[jasnell]

Ping ... @evanlucas @Fishrock123 @ChALkeR ... as a semver-major this needs to be landed ASAP if it's going to make it into v7.0.0. We're a week out from the release and I do not want to land a semver-major last minute.

[evanlucas]

Commit message title has been updated.

[bnoordhuis]

Style: a line continuation should have four spaces of indent.

[bnoordhuis]

Anyone have opinions on whether this could be used in information leaks or, if the header name is attacker-controlled, inserting tainted data in logs or terminals? It seems farfetched but it's good to think about such things.

[evanlucas]

@bnoordhuis that is a good point. Thanks for bringing it up. We are already throwing if the header name is not valid with a message like 'Header name must be a valid HTTP Token ["' + name + '"]'. We also include the header name in the error message if the value is undefined. Is there an alternative that you suggest that would make this less concerning to you?

[addaleax]

How about ${JSON.stringify(name)} instead of "${name}"? That might be a bit simplistic but at least it escapes anything there is to escape.

[evanlucas]

Updated with @addaleax's suggestion.

[ChALkeR]

@Fishrock123 @evanlucas Sorry for the delay on this one — still catching up and finishing unfinished stuff =).

All matches for header content contains (from August, I have not yet updated the dataset since then):

http-node-1.2.0.tgz/_http_outgoing.js:309:    throw new TypeError('The header content contains invalid characters');
http-node-1.2.0.tgz/_http_outgoing.js:348:    throw new TypeError('The header content contains invalid characters');
http-node-1.2.0.tgz/_http_outgoing.js:522:      throw new TypeError('The header content contains invalid characters');

Note that 7bef1b7 is relatively new, so I might need to sync the dataset today and re-check another time.

[jasnell]

@evanlucas ... I will be running the v7.0.0 RC1 build this afternoon. If this should get in to v7, then it needs to land this morning.

[Trott]

This was discussed at yesterday's CTC meeting and a resolution was arrived at, so I'm going to remove the ctc-agenda label.

[ChALkeR]

Ok, I updated the dataset to 2016-10-22, the results for header content contains are pretty much the same the same as they were in #9010 (comment):

frida-http-1.0.1.tgz/lib/_http_outgoing.js:313:    throw new TypeError('The header content contains invalid characters');
frida-http-1.0.1.tgz/lib/_http_outgoing.js:353:    throw new TypeError('The header content contains invalid characters');
http-node-1.2.0.tgz/_http_outgoing.js:309:    throw new TypeError('The header content contains invalid characters');
http-node-1.2.0.tgz/_http_outgoing.js:348:    throw new TypeError('The header content contains invalid characters');
http-node-1.2.0.tgz/_http_outgoing.js:522:      throw new TypeError('The header content contains invalid characters');
rapx-win-1.4.2.tgz/ruff_modules/http/src/_http_outgoing.js:312:        throw new TypeError('The header content contains invalid characters');
rapx-win-1.4.2.tgz/ruff_modules/http/src/_http_outgoing.js:351:        throw new TypeError('The header content contains invalid characters');

Only copies of _http_outgoing.js that were added to packages for whatever reason contain that string, It doesn't look like anyone currently depends on the exact error message.

Note that delaying this until v8.0 will give the package authors more time to introduce dependencies on the error message, so this would have to be re-checked later.

Upd: I performed another search for content contains to be more sure, as this PR just inserts more words between «content» and «contains». Same results (and some unrelated stuff that I discarded):

> ./search.code.sh 'content contains' | grep -vE '(that|the|text|new|HTML|node|tab|window|loaded|provided) content contains' | grep -vE '(fb|interaction|res|resultObj).content contains' | grep -vE 'content contains (the|HTML|myCoolFramework)'
frida-http-1.0.1.tgz/lib/_http_outgoing.js:313:    throw new TypeError('The header content contains invalid characters');
frida-http-1.0.1.tgz/lib/_http_outgoing.js:353:    throw new TypeError('The header content contains invalid characters');
frida-http-1.0.1.tgz/lib/_http_outgoing.js:527:      throw new TypeError('The trailer content contains invalid characters');
http-node-1.2.0.tgz/_http_outgoing.js:309:    throw new TypeError('The header content contains invalid characters');
http-node-1.2.0.tgz/_http_outgoing.js:348:    throw new TypeError('The header content contains invalid characters');
http-node-1.2.0.tgz/_http_outgoing.js:522:      throw new TypeError('The header content contains invalid characters');
rapx-win-1.4.2.tgz/ruff_modules/http/src/_http_outgoing.js:312:        throw new TypeError('The header content contains invalid characters');
rapx-win-1.4.2.tgz/ruff_modules/http/src/_http_outgoing.js:351:        throw new TypeError('The header content contains invalid characters');
rapx-win-1.4.2.tgz/ruff_modules/http/src/_http_outgoing.js:522:            throw new TypeError('The trailer content contains invalid characters');

[ChALkeR]

Btw, what about The trailer content contains invalid characters error? Shouldn't it be also changed?

[evanlucas]

@ChALkeR thanks, I'll add one for trailers too.

[evanlucas]

Closing as we landed the debug messages instead (#9195)