The application crashes when setting an invalid cookie value #4527

Open
@Hydrock

Runtime

node.js

Runtime version

v18.20.0 / LTS

Module version

21.3.2

Last module version without issue

No response

Used with

No response

Any other relevant information

When the server tries to set an invalid cookie value, the server crashes with an error:

node:_http_outgoing:662
  validateHeaderValue(name, value);
  ^

TypeError [ERR_INVALID_CHAR]: Invalid character in header content ["set-cookie"]
    at ServerResponse.setHeader (node:_http_outgoing:662:3)
    at internals.writeHead (/project/workspace/node_modules/@hapi/hapi/lib/transmit.js:336:21)
    at internals.transmit (/project/workspace/node_modules/@hapi/hapi/lib/transmit.js:104:15)
    at internals.fail (/project/workspace/node_modules/@hapi/hapi/lib/transmit.js:68:22)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async Request._reply (/project/workspace/node_modules/@hapi/hapi/lib/request.js:456:9) {
  code: 'ERR_INVALID_CHAR',
  isBoom: true,
  isServer: true,
  data: null,
  output: {
    statusCode: 500,
    payload: {
      statusCode: 500,
      error: 'Internal Server Error',
      message: 'An internal server error occurred'
    },
    headers: {}
  }
}

Slack chat discussion: https://hapihour.slack.com/archives/C6CEEUE06/p1724861065721169

Problem example: https://codesandbox.io/p/devbox/hapi-cookie-test-forked-t2g89w?workspaceId=6ecda139-50d1-4062-98aa-206f54ef133e

What are you trying to achieve or the steps to reproduce?

Problem example: https://codesandbox.io/p/devbox/hapi-cookie-test-forked-t2g89w?workspaceId=6ecda139-50d1-4062-98aa-206f54ef133e

Just start the server at the address "/" and you will immediately see the server crash. This is because of the line:

// INVALID cookie
.state("cookieName2", "тест");

In the Slack chat, a user under the nickname "yoannma" wrote the following:

I think I found why node crashes:
- hapi tries to serialize the hapi.response header to node.response in writeHead (https://github.com/hapijs/hapi/blob/master/lib/transmit.js#L336)
- node throws an error because of the bad characters
- hapi catches it, removes the headers, throws a boomify error (https://github.com/hapijs/hapi/blob/master/lib/transmit.js#L345)
- hapi tries to send the 500 response (https://github.com/hapijs/hapi/blob/master/lib/transmit.js#L33)
- hapi reuses response.request._route._marshalCycle, which contains the set-cookie declaration (https://github.com/hapijs/hapi/blob/master/lib/transmit.js#L40)
- hapi tries to send the 500 response, which ends up throwing
- hapi does not catch it this time

What was the result you got?

From my example above, it is clear that when the server tries to set an invalid value, node.js crashes.

What result did you expect?

If the cookie value is invalid, I expect that the application and nodejs will not crash, but simply an error will be thrown.

Ideally, enable validation of the values as on the server when installing them.
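A pre-check an application could run before calling `.state()`, as an added example that is not part of the original issue or of hapi's code: it classifies a cookie value against the character range Node accepts in header values and against the RFC 6265 cookie-octet set, and percent-encodes anything that fails. `classifyCookieValue` and `toSafeCookieValue` are hypothetical names, and the header regex is an assumption modeled on Node's header check rather than copied from it.

```javascript
// Added example (not hapi or Node source). Pure JavaScript, no dependencies.

// Assumption: Node accepts tab, printable ASCII and 0x80-0xFF in a header value.
// Anything else makes setHeader() throw ERR_INVALID_CHAR, as in the trace above.
const HEADER_UNSAFE = /[^\t\x20-\x7e\x80-\xff]/;

// RFC 6265 cookie-octet: printable ASCII minus space, '"', ',', ';' and '\'.
const COOKIE_OCTETS = /^[\x21\x23-\x2b\x2d-\x3a\x3c-\x5b\x5d-\x7e]*$/;

function classifyCookieValue(value) {
  if (typeof value !== 'string') return 'not-a-string';
  if (HEADER_UNSAFE.test(value)) return 'header-unsafe'; // write would throw
  if (!COOKIE_OCTETS.test(value)) return 'not-rfc6265';  // writable, may be misparsed
  return 'ok';
}

// Hypothetical helper: produce a value that is safe to pass to .state().
// Valid values pass through unchanged; everything else is percent-encoded,
// so the code that reads the cookie must decodeURIComponent() it when
// `encoded` is true.
function toSafeCookieValue(value) {
  const verdict = classifyCookieValue(value);
  if (verdict === 'ok') return { value, encoded: false };
  if (verdict === 'not-a-string') {
    throw new TypeError('cookie value must be a string');
  }
  try {
    return { value: encodeURIComponent(value), encoded: true };
  } catch (err) {
    // encodeURIComponent throws URIError on lone surrogates
    throw new TypeError('cookie value is not well-formed UTF-16');
  }
}

// Constructed sample inputs, including the value from the issue.
const samples = ['abc123', 'тест', 'a b;c', 'caf\u00e9', 'line\r\nbreak'];
for (const s of samples) {
  const safe = toSafeCookieValue(s);
  console.log(JSON.stringify(s), classifyCookieValue(s), '->', safe.value);
}
```
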

Labels: bug (Bug or defect)
