From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp0 ([2001:41d0:8:6d80::]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by ms0.migadu.com with LMTPS id QIn6BGC8YmAEyQAAgWs5BA (envelope-from ) for ; Tue, 30 Mar 2021 07:51:28 +0200 Received: from aspmx1.migadu.com ([2001:41d0:8:6d80::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp0 with LMTPS id 2DCKOl+8YmCSTQAA1q6Kng (envelope-from ) for ; Tue, 30 Mar 2021 05:51:27 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 44EAA1FA4B for ; Tue, 30 Mar 2021 07:51:27 +0200 (CEST) Received: from localhost ([::1]:54634 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1lR6x9-0001nW-9E for larch@yhetil.org; Tue, 30 Mar 2021 01:30:11 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:40090) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lR6x1-0001n7-76 for guix-patches@gnu.org; Tue, 30 Mar 2021 01:30:03 -0400 Received: from debbugs.gnu.org ([209.51.188.43]:38547) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1lR6x0-0001J1-Vn for guix-patches@gnu.org; Tue, 30 Mar 2021 01:30:02 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1lR6x0-0005mr-Qq for guix-patches@gnu.org; Tue, 30 Mar 2021 01:30:02 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#47282] [PATCH v2 12/13] gnu: Add llhttp-bootstrap. Resent-From: Timothy Sample Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Tue, 30 Mar 2021 05:30:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 47282 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 47282@debbugs.gnu.org Cc: Jelle Licht Received: via spool by 47282-submit@debbugs.gnu.org id=B47282.161708214722119 (code B ref 47282); Tue, 30 Mar 2021 05:30:02 +0000 Received: (at 47282) by debbugs.gnu.org; 30 Mar 2021 05:29:07 +0000 Received: from localhost ([127.0.0.1]:50089 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lR6w6-0005kN-0I for submit@debbugs.gnu.org; Tue, 30 Mar 2021 01:29:06 -0400 Received: from out4-smtp.messagingengine.com ([66.111.4.28]:55797) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lR6vu-0005iF-H0 for 47282@debbugs.gnu.org; Tue, 30 Mar 2021 01:28:57 -0400 Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.nyi.internal (Postfix) with ESMTP id 7025B5C00A2; Tue, 30 Mar 2021 01:28:49 -0400 (EDT) Received: from mailfrontend1 ([10.202.2.162]) by compute1.internal (MEProxy); Tue, 30 Mar 2021 01:28:49 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:date:from :in-reply-to:message-id:mime-version:references:subject:to :x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s= fm2; bh=nn3L8z5KPvUZK18NU7xiCHpaArJCHOgWMdHwsqLsGus=; b=qD4PssSh 3NRPCbeYQZecXp5u4Ce9XaHQ2WBuVFHVWgA4qw69OjDwY3knireSlY1RnrIew3GT dpPKO6QjOliUrL41e4PAdCDTbpOvtI61OKrgo0DwPWknXsHxM2I3juLk36kCoQCv N7EB/mAlyGwutIzQeG4dZDnFS3B5/ZeKA3/bdjcXJcgkdTwy3Z14FFzjYYTKuuoo 82aMeOKPCYKaN2BlFKZU8DojAJJS6cu+FWWZzR0CrlJxKsQPDs2eqRsj7WeUAcPr Is1pwY3bckglykMEc1ZFBYTx0c/1AhKBg4iWIg0kL2839iQF0hz9VagE6yUuIY5Q EJnjolAUp13YUg== X-ME-Sender: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduledrudehledgleelucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurhephffvufffkffojghfggfgsedtkeertdertddtnecuhfhrohhmpefvihhmohht hhihucfurghmphhlvgcuoehsrghmphhlvghtsehnghihrhhordgtohhmqeenucggtffrrg htthgvrhhnpeefueehhedvfffhffefleegjeegtefgtdefieefvddtjeehudfgudeuteeh udeuheenucffohhmrghinhepghhithhhuhgsrdgtohhmpdhivghtfhdrohhrghenucfkph epjeegrdduudeirddukeeirdeggeenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgr mhepmhgrihhlfhhrohhmpehsrghmphhlvghtsehnghihrhhordgtohhm X-ME-Proxy: Received: from mrblack.lan (74-116-186-44.qc.dsl.ebox.net [74.116.186.44]) by mail.messagingengine.com (Postfix) with ESMTPA id 38F3D24005B; Tue, 30 Mar 2021 01:28:49 -0400 (EDT) From: Timothy Sample Date: Tue, 30 Mar 2021 01:27:42 -0400 Message-Id: <20210330052743.575-12-samplet@ngyro.com> X-Mailer: git-send-email 2.31.0 In-Reply-To: <87k0pprz6n.fsf@ngyro.com> References: <87k0pprz6n.fsf@ngyro.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+larch=yhetil.org@gnu.org Sender: "Guix-patches" X-Migadu-Flow: FLOW_IN ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1617083487; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding:resent-cc: resent-from:resent-sender:resent-message-id:in-reply-to:in-reply-to: references:references:list-id:list-help:list-unsubscribe: list-subscribe:list-post:dkim-signature; bh=nn3L8z5KPvUZK18NU7xiCHpaArJCHOgWMdHwsqLsGus=; b=abAa4FcGl5phinYJ1FtmPGAzREax0jKF/3poRFEBYVnoeCQ4KrtK8vLscdJCL6S95GXu+h qwMTsQl4WIA6uK/7N18OWJqa3Xi+QdWoy4y50gNgxR6b2mt6jJOkMv84WEMHJ5xHnwRwc7 dmNanyg5kZyDJnZpyCqRBO5Oi3dlA6AVqlkFcYeVGLBzuN6eaHc+DuPFS1Q9IXh0Xl2ZiO QrywddAOGqz6nHttYjpmwI6741wCTvxVgp/sVMHFgwhFH2be3amKIS4iUZ0iqaO72LNkFk OuHyC4ot9mCiI7Hh5YVRNSoIm5FLKXYYlkDnpGaWcSM6yS850Dk1nbZ5+PF7IQ== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1617083487; a=rsa-sha256; cv=none; b=TQZguzqub2NdDZ6O19u3tolfmj5Io5fDAn0Td7hNAv3NOvSXTOUQbA05fFm9ySM8GBwp7I 3/samzMt+avTUeHpjDhjIWYi10x7VQuUaPSYYutUMwsl03dtfbgrVp5YNmwHOac1SeR7/D koAEa+OL1jDEVuc4OHPnz1+beHxTaf4TWI3teZepR/k+wtG/6wHb2nxqOtleGt0HEiow2w 5/H94Trg61pkOeg0Q8pb4XfYpr7PaJutXC+D3JkAgf4P9QYpmcLopamtk59KYlY7SWho1K r13N9a7FCm2KX8khDv8+HZ0suxBpiBR1wl8bkekjEd54TshsV4XTBXb+TQAFIg== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=messagingengine.com header.s=fm2 header.b=qD4PssSh; spf=pass (aspmx1.migadu.com: domain of guix-patches-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-patches-bounces@gnu.org X-Migadu-Spam-Score: 5.08 Authentication-Results: aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=messagingengine.com header.s=fm2 header.b=qD4PssSh; dmarc=none; spf=pass (aspmx1.migadu.com: domain of guix-patches-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-patches-bounces@gnu.org X-Migadu-Queue-Id: 44EAA1FA4B X-Spam-Score: 5.08 X-Migadu-Scanner: scn0.migadu.com X-TUID: npC3cWvmBxtI From: Jelle Licht * gnu/packages/patches/llhttp-bootstrap-CVE-2020-8287.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/node.scm (llhttp-bootstrap): New variable. --- gnu/local.mk | 1 + gnu/packages/node.scm | 70 ++++++++++++ .../llhttp-bootstrap-CVE-2020-8287.patch | 100 ++++++++++++++++++ 3 files changed, 171 insertions(+) create mode 100644 gnu/packages/patches/llhttp-bootstrap-CVE-2020-8287.patch diff --git a/gnu/local.mk b/gnu/local.mk index 52a021c2a3..5959a563d1 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1366,6 +1366,7 @@ dist_patch_DATA = \ %D%/packages/patches/linux-pam-no-setfsuid.patch \ %D%/packages/patches/lirc-localstatedir.patch \ %D%/packages/patches/lirc-reproducible-build.patch \ + %D%/packages/patches/llhttp-bootstrap-CVE-2020-8287.patch \ %D%/packages/patches/llvm-3.5-fix-clang-build-with-gcc5.patch \ %D%/packages/patches/llvm-9-fix-bitcast-miscompilation.patch \ %D%/packages/patches/llvm-9-fix-lpad-miscompilation.patch \ diff --git a/gnu/packages/node.scm b/gnu/packages/node.scm index 5336012e43..45e5f8feca 100644 --- a/gnu/packages/node.scm +++ b/gnu/packages/node.scm @@ -510,6 +510,76 @@ Node.js and web browsers.") parser definition into a C output.") (license license:expat))) +(define-public llhttp-bootstrap + (package + (name "llhttp") + (version "2.1.3") + (source (origin + (method git-fetch) + (uri (git-reference + (url "https://github.com/nodejs/llhttp.git") + (commit (string-append "v" version)))) + (file-name (git-file-name name version)) + (sha256 + (base32 + "0pqj7kyyzr1zs4h9yzn5rdxnxspm3wqgsv00765dd42fszlmrmk8")) + (patches (search-patches "llhttp-bootstrap-CVE-2020-8287.patch")) + (modules '((guix build utils))) + (snippet + '(begin + ;; Fix imports for esbuild. + ;; https://github.com/evanw/esbuild/issues/477 + (substitute* "src/llhttp/http.ts" + (("\\* as assert") "assert")) + (substitute* "Makefile" + (("npx ts-node bin/generate.ts") + "node bin/generate.js")) + #t)))) + (build-system gnu-build-system) + (arguments + `(#:tests? #f ; no tests + #:make-flags (list "CLANG=gcc" + (string-append "DESTDIR=" (assoc-ref %outputs "out")) + "PREFIX=") + #:phases + (modify-phases %standard-phases + (replace 'configure + (lambda* (#:key inputs #:allow-other-keys) + (let ((esbuild (string-append (assoc-ref inputs "esbuild") + "/bin/esbuild"))) + (invoke esbuild + "--platform=node" + "--outfile=bin/generate.js" + "--bundle" "bin/generate.ts")))) + (add-before 'install 'create-install-directories + (lambda* (#:key outputs #:allow-other-keys) + (let ((out (assoc-ref outputs "out"))) + (for-each (lambda (dir) + (mkdir-p (string-append out dir))) + (list "/lib" "/include" "/src")) + #t))) + (add-after 'install 'install-src + (lambda* (#:key outputs #:allow-other-keys) + (let* ((out (assoc-ref outputs "out")) + (src-dir (string-append out "/src"))) + (install-file "build/c/llhttp.c" src-dir) + (install-file "src/native/api.c" src-dir) + (install-file "src/native/http.c" src-dir) + #t)))))) + (native-inputs + `(("esbuild" ,esbuild) + ("node" ,node-bootstrap) + ("node-semver" ,node-semver-bootstrap) + ("node-llparse-bootstrap" ,node-llparse-bootstrap))) + (home-page "https://github.com/nodejs/llhttp") + (properties '((hidden? . #t))) + (synopsis "Parser for HTTP messages") + (description "This is a rewrite of +@url{https://github.com/nodejs/http-parser, http-parser} using +@url{https://github.com/nodejs/llparse, llparse} to generate the C +source files.") + (license license:expat))) + (define-public libnode (package/inherit node (name "libnode") diff --git a/gnu/packages/patches/llhttp-bootstrap-CVE-2020-8287.patch b/gnu/packages/patches/llhttp-bootstrap-CVE-2020-8287.patch new file mode 100644 index 0000000000..215c920e53 --- /dev/null +++ b/gnu/packages/patches/llhttp-bootstrap-CVE-2020-8287.patch @@ -0,0 +1,100 @@ +This patch comes from upstream. It corresponds to a patch applied to +the generated C source code for llhttp included in Node.js 14.16.0 +(see commit 641f786bb1a1f6eb1ff8750782ed939780f2b31a). That commit +fixes CVE-2020-8287. With this patch, the output of our +llhttp-bootstrap package matches the files included in Node.js 14.16.0 +exactly. + +commit e9b36ea64709c35ca66094d5cf3787f444029601 +Author: Fedor Indutny +Date: Sat Oct 10 19:56:01 2020 -0700 + + http: unset `F_CHUNKED` on new `Transfer-Encoding` + + Duplicate `Transfer-Encoding` header should be a treated as a single, + but with original header values concatenated with a comma separator. In + the light of this, even if the past `Transfer-Encoding` ended with + `chunked`, we should be not let the `F_CHUNKED` to leak into the next + header, because mere presence of another header indicates that `chunked` + is not the last transfer-encoding token. + +diff --git a/src/llhttp/http.ts b/src/llhttp/http.ts +index f4f1a6e..0a0c365 100644 +--- a/src/llhttp/http.ts ++++ b/src/llhttp/http.ts +@@ -460,11 +460,19 @@ export class HTTP { + .match([ ' ', '\t' ], n('header_value_discard_ws')) + .otherwise(checkContentLengthEmptiness); + ++ // Multiple `Transfer-Encoding` headers should be treated as one, but with ++ // values separate by a comma. ++ // ++ // See: https://tools.ietf.org/html/rfc7230#section-3.2.2 ++ const toTransferEncoding = this.unsetFlag( ++ FLAGS.CHUNKED, ++ 'header_value_te_chunked'); ++ + n('header_value_start') + .otherwise(this.load('header_state', { + [HEADER_STATE.UPGRADE]: this.setFlag(FLAGS.UPGRADE, fallback), + [HEADER_STATE.TRANSFER_ENCODING]: this.setFlag( +- FLAGS.TRANSFER_ENCODING, 'header_value_te_chunked'), ++ FLAGS.TRANSFER_ENCODING, toTransferEncoding), + [HEADER_STATE.CONTENT_LENGTH]: n('header_value_content_length_once'), + [HEADER_STATE.CONNECTION]: n('header_value_connection'), + }, 'header_value')); +@@ -847,6 +855,11 @@ export class HTTP { + return span.start(span.end(this.node(next))); + } + ++ private unsetFlag(flag: FLAGS, next: string | Node): Node { ++ const p = this.llparse; ++ return p.invoke(p.code.and('flags', ~flag), this.node(next)); ++ } ++ + private setFlag(flag: FLAGS, next: string | Node): Node { + const p = this.llparse; + return p.invoke(p.code.or('flags', flag), this.node(next)); +diff --git a/test/request/transfer-encoding.md b/test/request/transfer-encoding.md +index a7d1681..b0891d6 100644 +--- a/test/request/transfer-encoding.md ++++ b/test/request/transfer-encoding.md +@@ -353,6 +353,38 @@ off=106 headers complete method=3 v=1/1 flags=200 content_length=0 + off=106 error code=15 reason="Request has invalid `Transfer-Encoding`" + ``` + ++## POST with `chunked` and duplicate transfer-encoding ++ ++ ++```http ++POST /post_identity_body_world?q=search#hey HTTP/1.1 ++Accept: */* ++Transfer-Encoding: chunked ++Transfer-Encoding: deflate ++ ++World ++``` ++ ++```log ++off=0 message begin ++off=5 len=38 span[url]="/post_identity_body_world?q=search#hey" ++off=44 url complete ++off=54 len=6 span[header_field]="Accept" ++off=61 header_field complete ++off=62 len=3 span[header_value]="*/*" ++off=67 header_value complete ++off=67 len=17 span[header_field]="Transfer-Encoding" ++off=85 header_field complete ++off=86 len=7 span[header_value]="chunked" ++off=95 header_value complete ++off=95 len=17 span[header_field]="Transfer-Encoding" ++off=113 header_field complete ++off=114 len=7 span[header_value]="deflate" ++off=123 header_value complete ++off=125 headers complete method=3 v=1/1 flags=200 content_length=0 ++off=125 error code=15 reason="Request has invalid `Transfer-Encoding`" ++``` ++ + ## POST with `chunked` before other transfer-coding (lenient) + + TODO(indutny): should we allow it even in lenient mode? (Consider disabling -- 2.31.0