From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp1 ([2001:41d0:2:bcc0::]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by ms0.migadu.com with LMTPS id cB+XM7jMYmBY6gAAgWs5BA (envelope-from ) for ; Tue, 30 Mar 2021 09:01:12 +0200 Received: from aspmx1.migadu.com ([2001:41d0:2:bcc0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp1 with LMTPS id aOliLbjMYmCeGwAAbx9fmQ (envelope-from ) for ; Tue, 30 Mar 2021 07:01:12 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 3CF9F15725 for ; Tue, 30 Mar 2021 09:01:12 +0200 (CEST) Received: from localhost ([::1]:51818 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1lR8ND-0000Ld-4S for larch@yhetil.org; Tue, 30 Mar 2021 03:01:11 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:58046) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lR8N4-0000JC-DE for guix-patches@gnu.org; Tue, 30 Mar 2021 03:01:03 -0400 Received: from debbugs.gnu.org ([209.51.188.43]:38681) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1lR8N4-0004eP-5u for guix-patches@gnu.org; Tue, 30 Mar 2021 03:01:02 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1lR8N4-0000hi-46 for guix-patches@gnu.org; Tue, 30 Mar 2021 03:01:02 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#47282] [PATCH v2 12/13] gnu: Add llhttp-bootstrap. Resent-From: Efraim Flashner Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Tue, 30 Mar 2021 07:01:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 47282 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: Timothy Sample Cc: Jelle Licht , 47282@debbugs.gnu.org Received: via spool by 47282-submit@debbugs.gnu.org id=B47282.16170876441755 (code B ref 47282); Tue, 30 Mar 2021 07:01:02 +0000 Received: (at 47282) by debbugs.gnu.org; 30 Mar 2021 07:00:44 +0000 Received: from localhost ([127.0.0.1]:50227 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lR8Mg-0000MO-Vj for submit@debbugs.gnu.org; Tue, 30 Mar 2021 03:00:44 -0400 Received: from flashner.co.il ([178.62.234.194]:37574) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lR8Mc-0000Ck-BK for 47282@debbugs.gnu.org; Tue, 30 Mar 2021 03:00:38 -0400 Received: from localhost (unknown [31.210.177.71]) by flashner.co.il (Postfix) with ESMTPSA id 2394340088; Tue, 30 Mar 2021 07:00:28 +0000 (UTC) Date: Tue, 30 Mar 2021 09:59:53 +0300 From: Efraim Flashner Message-ID: References: <87k0pprz6n.fsf@ngyro.com> <20210330052743.575-12-samplet@ngyro.com> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="h2N13T+O8YXooalw" Content-Disposition: inline In-Reply-To: <20210330052743.575-12-samplet@ngyro.com> X-PGP-Key-ID: 0x41AAE7DCCA3D8351 X-PGP-Key: https://flashner.co.il/~efraim/efraim_flashner.asc X-PGP-Fingerprint: A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+larch=yhetil.org@gnu.org Sender: "Guix-patches" X-Migadu-Flow: FLOW_IN ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1617087672; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:resent-cc:resent-from:resent-sender: resent-message-id:in-reply-to:in-reply-to:references:references: list-id:list-help:list-unsubscribe:list-subscribe:list-post; bh=lqgqrHKgP4QnjXTAHD1GgX3y10I0QAPeTLg66gbqwQU=; b=I2qaUf0z0L7vVFrvCpUrhJMhaxTFc0wNuA4wzFOahFI1nKRQMbWAEMkrANHy0Llu+rk1pO WuZ88nlgs1578ctEmOu7XQa3q4on8Mzg6UJzX9l69ziwG6wm19GZvbBDMhuT0n/JYC6lKI kFQLoRZtrk2hMaBYOGL4jqvuJr7XijKFU88OlDpBEwa9a9rArRYhzC8BXDk0MgP9llyceY QSuG/fCr+Y6W77sKcoJGCq/uXKPEQb8pZev7VDdLbbQQ0FHPuRM3RISJYV1KczbeEETrgG gZ6fntE6MBGL5Dp+R9LLes8RVrda0prwfZwrn7zXD9PYfQLoQZBUQfqqu/6/LA== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1617087672; a=rsa-sha256; cv=none; b=mGOHHJp2RUtvUk2ephyJWKOrI0fcPWZsitVG7isj47UpGoIWYi2qo9mDy3D/E02Vk1tR1Y wacFCq+vFAuXeSELvI5rXihuhRGfq1SjRYYrPxfuRq2g+r/p/v6WAwfWfOB/rCmvthCEkl yBP/Z2WLql+k+FFIJNSM6tCIWQhRO3ESFr0wpJTc7Gm1B+cEP/b43u5a67A8IgpB8rrDGk fvsvI1SsOuWE8OkbEB7fPZHzhIL36xvlb88XqjCpL5E5mW5y3gXCXgA75sViOUbDXTGlJD omqvMufgKM5LLmpdTM3hn1aP8W2p59LcwnlP/SSC2fs9YafE7+q9znPiPATKJA== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=none; dmarc=none; spf=pass (aspmx1.migadu.com: domain of guix-patches-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-patches-bounces@gnu.org X-Migadu-Spam-Score: -4.02 Authentication-Results: aspmx1.migadu.com; dkim=none; dmarc=none; spf=pass (aspmx1.migadu.com: domain of guix-patches-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-patches-bounces@gnu.org X-Migadu-Queue-Id: 3CF9F15725 X-Spam-Score: -4.02 X-Migadu-Scanner: scn0.migadu.com X-TUID: WVUOoFg2o6fX --h2N13T+O8YXooalw Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Mar 30, 2021 at 01:27:42AM -0400, Timothy Sample wrote: > From: Jelle Licht >=20 > * gnu/packages/patches/llhttp-bootstrap-CVE-2020-8287.patch: New file. > * gnu/local.mk (dist_patch_DATA): Add it. > * gnu/packages/node.scm (llhttp-bootstrap): New variable. > --- > gnu/local.mk | 1 + > gnu/packages/node.scm | 70 ++++++++++++ > .../llhttp-bootstrap-CVE-2020-8287.patch | 100 ++++++++++++++++++ > 3 files changed, 171 insertions(+) > create mode 100644 gnu/packages/patches/llhttp-bootstrap-CVE-2020-8287.p= atch >=20 > diff --git a/gnu/local.mk b/gnu/local.mk > index 52a021c2a3..5959a563d1 100644 > --- a/gnu/local.mk > +++ b/gnu/local.mk > @@ -1366,6 +1366,7 @@ dist_patch_DATA =3D \ > %D%/packages/patches/linux-pam-no-setfsuid.patch \ > %D%/packages/patches/lirc-localstatedir.patch \ > %D%/packages/patches/lirc-reproducible-build.patch \ > + %D%/packages/patches/llhttp-bootstrap-CVE-2020-8287.patch \ > %D%/packages/patches/llvm-3.5-fix-clang-build-with-gcc5.patch \ > %D%/packages/patches/llvm-9-fix-bitcast-miscompilation.patch \ > %D%/packages/patches/llvm-9-fix-lpad-miscompilation.patch \ > diff --git a/gnu/packages/node.scm b/gnu/packages/node.scm > index 5336012e43..45e5f8feca 100644 > --- a/gnu/packages/node.scm > +++ b/gnu/packages/node.scm > @@ -510,6 +510,76 @@ Node.js and web browsers.") > parser definition into a C output.") > (license license:expat))) > =20 > +(define-public llhttp-bootstrap > + (package > + (name "llhttp") > + (version "2.1.3") > + (source (origin > + (method git-fetch) > + (uri (git-reference > + (url "https://github.com/nodejs/llhttp.git") > + (commit (string-append "v" version)))) > + (file-name (git-file-name name version)) > + (sha256 > + (base32 > + "0pqj7kyyzr1zs4h9yzn5rdxnxspm3wqgsv00765dd42fszlmrmk8")) > + (patches (search-patches "llhttp-bootstrap-CVE-2020-8287.p= atch")) > + (modules '((guix build utils))) > + (snippet > + '(begin > + ;; Fix imports for esbuild. > + ;; https://github.com/evanw/esbuild/issues/477 > + (substitute* "src/llhttp/http.ts" > + (("\\* as assert") "assert")) > + (substitute* "Makefile" > + (("npx ts-node bin/generate.ts") > + "node bin/generate.js")) > + #t)))) > + (build-system gnu-build-system) > + (arguments > + `(#:tests? #f ; no tests > + #:make-flags (list "CLANG=3Dgcc" This should probably be cc-for-target > + (string-append "DESTDIR=3D" (assoc-ref %output= s "out")) > + "PREFIX=3D") And normally DESTDIR is empty and PREFIX is %out. Does it need to be switched here? > + #:phases > + (modify-phases %standard-phases > + (replace 'configure > + (lambda* (#:key inputs #:allow-other-keys) > + (let ((esbuild (string-append (assoc-ref inputs "esbuild") > + "/bin/esbuild"))) > + (invoke esbuild > + "--platform=3Dnode" > + "--outfile=3Dbin/generate.js" > + "--bundle" "bin/generate.ts")))) > + (add-before 'install 'create-install-directories > + (lambda* (#:key outputs #:allow-other-keys) > + (let ((out (assoc-ref outputs "out"))) > + (for-each (lambda (dir) > + (mkdir-p (string-append out dir))) > + (list "/lib" "/include" "/src")) > + #t))) > + (add-after 'install 'install-src > + (lambda* (#:key outputs #:allow-other-keys) > + (let* ((out (assoc-ref outputs "out")) > + (src-dir (string-append out "/src"))) > + (install-file "build/c/llhttp.c" src-dir) > + (install-file "src/native/api.c" src-dir) > + (install-file "src/native/http.c" src-dir) > + #t)))))) > + (native-inputs > + `(("esbuild" ,esbuild) > + ("node" ,node-bootstrap) > + ("node-semver" ,node-semver-bootstrap) > + ("node-llparse-bootstrap" ,node-llparse-bootstrap))) > + (home-page "https://github.com/nodejs/llhttp") > + (properties '((hidden? . #t))) > + (synopsis "Parser for HTTP messages") > + (description "This is a rewrite of > +@url{https://github.com/nodejs/http-parser, http-parser} using > +@url{https://github.com/nodejs/llparse, llparse} to generate the C > +source files.") > + (license license:expat))) > + > (define-public libnode > (package/inherit node > (name "libnode") > diff --git a/gnu/packages/patches/llhttp-bootstrap-CVE-2020-8287.patch b/= gnu/packages/patches/llhttp-bootstrap-CVE-2020-8287.patch > new file mode 100644 > index 0000000000..215c920e53 > --- /dev/null > +++ b/gnu/packages/patches/llhttp-bootstrap-CVE-2020-8287.patch > @@ -0,0 +1,100 @@ > +This patch comes from upstream. It corresponds to a patch applied to > +the generated C source code for llhttp included in Node.js 14.16.0 > +(see commit 641f786bb1a1f6eb1ff8750782ed939780f2b31a). That commit > +fixes CVE-2020-8287. With this patch, the output of our > +llhttp-bootstrap package matches the files included in Node.js 14.16.0 > +exactly. > + > +commit e9b36ea64709c35ca66094d5cf3787f444029601 > +Author: Fedor Indutny > +Date: Sat Oct 10 19:56:01 2020 -0700 > + > + http: unset `F_CHUNKED` on new `Transfer-Encoding` > + =20 > + Duplicate `Transfer-Encoding` header should be a treated as a single, > + but with original header values concatenated with a comma separator.= In > + the light of this, even if the past `Transfer-Encoding` ended with > + `chunked`, we should be not let the `F_CHUNKED` to leak into the next > + header, because mere presence of another header indicates that `chun= ked` > + is not the last transfer-encoding token. > + > +diff --git a/src/llhttp/http.ts b/src/llhttp/http.ts > +index f4f1a6e..0a0c365 100644 > +--- a/src/llhttp/http.ts > ++++ b/src/llhttp/http.ts > +@@ -460,11 +460,19 @@ export class HTTP { > + .match([ ' ', '\t' ], n('header_value_discard_ws')) > + .otherwise(checkContentLengthEmptiness); > +=20 > ++ // Multiple `Transfer-Encoding` headers should be treated as one, b= ut with > ++ // values separate by a comma. > ++ // > ++ // See: https://tools.ietf.org/html/rfc7230#section-3.2.2 > ++ const toTransferEncoding =3D this.unsetFlag( > ++ FLAGS.CHUNKED, > ++ 'header_value_te_chunked'); > ++ > + n('header_value_start') > + .otherwise(this.load('header_state', { > + [HEADER_STATE.UPGRADE]: this.setFlag(FLAGS.UPGRADE, fallback), > + [HEADER_STATE.TRANSFER_ENCODING]: this.setFlag( > +- FLAGS.TRANSFER_ENCODING, 'header_value_te_chunked'), > ++ FLAGS.TRANSFER_ENCODING, toTransferEncoding), > + [HEADER_STATE.CONTENT_LENGTH]: n('header_value_content_length_o= nce'), > + [HEADER_STATE.CONNECTION]: n('header_value_connection'), > + }, 'header_value')); > +@@ -847,6 +855,11 @@ export class HTTP { > + return span.start(span.end(this.node(next))); > + } > +=20 > ++ private unsetFlag(flag: FLAGS, next: string | Node): Node { > ++ const p =3D this.llparse; > ++ return p.invoke(p.code.and('flags', ~flag), this.node(next)); > ++ } > ++ > + private setFlag(flag: FLAGS, next: string | Node): Node { > + const p =3D this.llparse; > + return p.invoke(p.code.or('flags', flag), this.node(next)); > +diff --git a/test/request/transfer-encoding.md b/test/request/transfer-e= ncoding.md > +index a7d1681..b0891d6 100644 > +--- a/test/request/transfer-encoding.md > ++++ b/test/request/transfer-encoding.md > +@@ -353,6 +353,38 @@ off=3D106 headers complete method=3D3 v=3D1/1 flags= =3D200 content_length=3D0 > + off=3D106 error code=3D15 reason=3D"Request has invalid `Transfer-Encod= ing`" > + ``` > +=20 > ++## POST with `chunked` and duplicate transfer-encoding > ++ > ++ > ++```http > ++POST /post_identity_body_world?q=3Dsearch#hey HTTP/1.1 > ++Accept: */* > ++Transfer-Encoding: chunked > ++Transfer-Encoding: deflate > ++ > ++World > ++``` > ++ > ++```log > ++off=3D0 message begin > ++off=3D5 len=3D38 span[url]=3D"/post_identity_body_world?q=3Dsearch#hey" > ++off=3D44 url complete > ++off=3D54 len=3D6 span[header_field]=3D"Accept" > ++off=3D61 header_field complete > ++off=3D62 len=3D3 span[header_value]=3D"*/*" > ++off=3D67 header_value complete > ++off=3D67 len=3D17 span[header_field]=3D"Transfer-Encoding" > ++off=3D85 header_field complete > ++off=3D86 len=3D7 span[header_value]=3D"chunked" > ++off=3D95 header_value complete > ++off=3D95 len=3D17 span[header_field]=3D"Transfer-Encoding" > ++off=3D113 header_field complete > ++off=3D114 len=3D7 span[header_value]=3D"deflate" > ++off=3D123 header_value complete > ++off=3D125 headers complete method=3D3 v=3D1/1 flags=3D200 content_lengt= h=3D0 > ++off=3D125 error code=3D15 reason=3D"Request has invalid `Transfer-Encod= ing`" > ++``` > ++ > + ## POST with `chunked` before other transfer-coding (lenient) > +=20 > + TODO(indutny): should we allow it even in lenient mode? (Consider disab= ling > --=20 > 2.31.0 >=20 >=20 >=20 >=20 --=20 Efraim Flashner =D7=90=D7=A4=D7=A8=D7=99=D7=9D = =D7=A4=D7=9C=D7=A9=D7=A0=D7=A8 GPG key =3D A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351 Confidentiality cannot be guaranteed on emails sent or received unencrypted --h2N13T+O8YXooalw Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEoov0DD5VE3JmLRT3Qarn3Mo9g1EFAmBizGYACgkQQarn3Mo9 g1FxFBAApap4rY86TCrFjdQCaQ/dYc5jQW+020JTEL3zBGndnn6npUkJNs0H/6i2 d43aoXdRnqMKECFSUPFczv9ft/hZi6uDjpeXs/8Zurxeq6S5TqyiYKbya80lyYot NQGFtLOmH3JNaymFwDRoELyfA7FXDj79Bb7WvW7X9Y/0dAUswxck+6sy08m6OhTY Q2mGty7eG8jTSpbQNae6HFODnmGg6+uIW55vDIhDBaXyT5Gqvkw6Ip6ZcdVOYhAx rPxqc28/MNWWn3Q9n9BxZMfhwVfj5tByVsXOwDHZRJGUb8JzMiiWXvxp5kqRpdJy Ncf5Vl73b4TUkijGT/RfWSnx7H9rNy7vyylWD/vE5rSwJKPLR/wn82vK0v3ZJqj4 wxUclA2sBl+pXW9vQsAvE/cfG4ySlZaM29R94H8Yq7mIv2pu9jNTftcv9rftKE58 10n1eN37F4++ImNZtwK3rpXELj2r3MLevCMX4c5/SX8YhHAmd+18obosBGX4zE+w ktntmsdntV6GLMnnZ20Acseez3P1LN+g85tEhpwzv8cE+1uz2xOutfI9GHJlAhGO BltJhA2ZgFBfsJ028zDKBw1ngzIl9O6smRW4pXpmshFLWRZnvZFhU04N5QvGf3uz MIAOjzolMy1OwO9dNpkDeqHeROco2MKP1x5FZXnygAG6aAFjhQY= =yTbP -----END PGP SIGNATURE----- --h2N13T+O8YXooalw--