http: validate headers in writeEarlyHints

Add validateHeaderName/validateHeaderValue checks for non-link
headers and checkInvalidHeaderChar for the Link value in HTTP/1.1
writeEarlyHints, closing a CRLF injection gap where header names
and values were concatenated into the raw response without
validation.

Also tighten linkValueRegExp to reject CR/LF inside the <...>
URL portion of Link header values.

PR-URL: #61897
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Tim Perry <pimterry@gmail.com>

Author: rsclarke

lib/_http_server.js

@@ -53,6 +53,8 @@ const {
   kUniqueHeaders,
   parseUniqueHeadersOption,
   OutgoingMessage,
+  validateHeaderName,
+  validateHeaderValue,
 } = require('_http_outgoing');
 const {
   kOutHeaders,
@@ -331,13 +333,20 @@ ServerResponse.prototype.writeEarlyHints = function writeEarlyHints(hints, cb) {
     return;
   }
 
+  if (checkInvalidHeaderChar(link)) {
+    throw new ERR_INVALID_CHAR('header content', 'Link');
+  }
+
   head += 'Link: ' + link + '\r\n';
 
   const keys = ObjectKeys(hints);
   for (let i = 0; i < keys.length; i++) {
     const key = keys[i];
     if (key !== 'link') {
-      head += key + ': ' + hints[key] + '\r\n';
+      validateHeaderName(key);
+      const value = hints[key];
+      validateHeaderValue(key, value);
+      head += key + ': ' + value + '\r\n';
     }
   }
 

lib/internal/validators.js

@@ -509,7 +509,7 @@ function validateUnion(value, name, union) {
   (not necessarily a valid URI reference) followed by zero or more
   link-params separated by semicolons.
 */
-const linkValueRegExp = /^(?:<[^>]*>)(?:\s*;\s*[^;"\s]+(?:=(")?[^;"\s]*\1)?)*$/;
+const linkValueRegExp = /^(?:<[^>\r\n]*>)(?:\s*;\s*[^;"\s]+(?:=(")?[^;"\s]*\1)?)*$/;
 
 /**
  * @param {any} value

test/parallel/test-http-early-hints-invalid-argument.js

@@ -47,3 +47,44 @@ const testResBody = 'response content\n';
     req.on('information', common.mustNotCall());
   }));
 }
+
+{
+  const server = http.createServer(common.mustCall((req, res) => {
+    debug('Server sending early hints with CRLF injection...');
+
+    assert.throws(() => {
+      res.writeEarlyHints({
+        'link': '</styles.css>; rel=preload; as=style',
+        'X-Custom': 'valid\r\nSet-Cookie: session=evil',
+      });
+    }, (err) => err.code === 'ERR_INVALID_CHAR');
+
+    assert.throws(() => {
+      res.writeEarlyHints({
+        'link': '</styles.css>; rel=preload; as=style',
+        'X-Custom\r\nSet-Cookie: session=evil': 'value',
+      });
+    }, (err) => err.code === 'ERR_INVALID_HTTP_TOKEN');
+
+    assert.throws(() => {
+      res.writeEarlyHints({
+        link: '</styles.css\r\nSet-Cookie: session=evil>; rel=preload; as=style',
+      });
+    }, (err) => err.code === 'ERR_INVALID_ARG_VALUE');
+
+    debug('Server sending full response...');
+    res.end(testResBody);
+    server.close();
+  }));
+
+  server.listen(0, common.mustCall(() => {
+    const req = http.request({
+      port: server.address().port, path: '/'
+    });
+
+    req.end();
+    debug('Client sending request...');
+
+    req.on('information', common.mustNotCall());
+  }));
+}