Response headers affectation #323

furanzujin · 2023-04-24T08:35:34Z

Hello,

We encountered a crash of the HTTP gateway during the assignment of the response headers.
This error occurred because of invalid characters in one of the header keys.

Several ways have been identified to avoid this crash:

sanitizing the keys/values at assignment time in the $responseHeaders variable
sanitizing the keys/values through the onAfterCall hook

However, we believe that crashes could be avoided more globally by securing the sendResponse and sendError processes.

Do you want us to propose a change to the moleculer-web component to implement these operations?
If so, we would like to include a log (warn or error) and skip the assignment of the problematic header.

Would this be acceptable to you?

The text was updated successfully, but these errors were encountered:

icebob · 2023-05-01T11:21:45Z

Yeah, please create a PR with your proposed fix.

* fixes [Issue moleculerjs#323](moleculerjs#323)

furanzujin · 2023-08-28T07:23:57Z

Hello @icebob,

Sorry for the delay; you'll find a pull request here to avoid process crashes on invalid header character assignments.

furanzujin added a commit to furanzujin/moleculer-web that referenced this issue Aug 28, 2023

fix: secure header assignment to avoid process crash

0e07cd1

* fixes [Issue moleculerjs#323](moleculerjs#323)

furanzujin mentioned this issue Aug 28, 2023

fix: secure header assignment to avoid process crash #330

Merged

icebob closed this as completed in #330 Sep 18, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Response headers affectation #323

Response headers affectation #323

furanzujin commented Apr 24, 2023

icebob commented May 1, 2023

furanzujin commented Aug 28, 2023

Response headers affectation #323

Response headers affectation #323

Comments

furanzujin commented Apr 24, 2023

icebob commented May 1, 2023

furanzujin commented Aug 28, 2023