Skip to content

http: validate ClientRequest path on set#62030

Open
mcollina wants to merge 1 commit intonodejs:mainfrom
mcollina:fix/http-client-path-toctou
Open

http: validate ClientRequest path on set#62030
mcollina wants to merge 1 commit intonodejs:mainfrom
mcollina:fix/http-client-path-toctou

Conversation

@mcollina
Copy link
Member

@mcollina mcollina commented Feb 27, 2026

Summary

  • Add a getter/setter for ClientRequest.path that runs INVALID_PATH_REGEX validation on every assignment, not just at construction time
  • Store the path in an internal symbol (kPath) so the setter is always invoked
  • Prevents invalid characters (CRLF, null bytes, etc.) from being set on req.path after construction

Test plan

  • Added test/parallel/test-http-client-path-toctou.js verifying:
    • Setting req.path with \r\n, \r, \n, or \0 throws ERR_UNESCAPED_CHARACTERS
    • Path remains unchanged after a failed mutation
    • Valid path reassignment still works
  • All existing test-http-client-* tests pass (66/66)

@mcollina
http: validate ClientRequest path on set
951a901 
The `path` property on `ClientRequest` was only validated at
construction time. Add a getter/setter so that the same
`INVALID_PATH_REGEX` check runs whenever `req.path` is reassigned,
preventing invalid characters from reaching `_implicitHeader()`.
@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented Feb 27, 2026

Review requested:

  • @nodejs/http
  • @nodejs/net

@nodejs-github-bot nodejs-github-bot added http Issues or PRs related to the http subsystem. needs-ci PRs that need a full CI run. labels Feb 27, 2026
@codecov
Copy link

codecov bot commented Feb 27, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 89.65%. Comparing base (38a6da5) to head (951a901).
⚠️ Report is 10 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main   #62030      +/-   ##
==========================================
- Coverage   89.74%   89.65%   -0.09%     
==========================================
  Files         676      676              
  Lines      206070   206249     +179     
  Branches    39517    39509       -8     
==========================================
- Hits       184928   184908      -20     
- Misses      13300    13466     +166     
- Partials     7842     7875      +33
Files with missing lines Coverage Δ
lib/_http_client.js 97.43% <100.00%> (+0.04%) ⬆️

... and 46 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@anonrig anonrig anonrig approved these changes

@marco-ippolito marco-ippolito marco-ippolito approved these changes

Assignees

No one assigned

Labels

http Issues or PRs related to the http subsystem. needs-ci PRs that need a full CI run.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@mcollina @nodejs-github-bot @anonrig @marco-ippolito