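'use strict';

const common = require('../common');
const http = require('http');
const net = require('net');
const assert = require('assert');

// Verify that invalid chunk extensions cannot be used to perform HTTP request
// smuggling attacks.
//
// The raw request below carries a chunk-size line `2;\n` whose extension is
// terminated by a bare LF instead of CRLF. The bytes that follow it spell out a
// second request for `/admin`; if the parser tolerated the malformed line, that
// second request could be parsed as a separate message and reach the handler.
// The handler therefore asserts that `/admin` never arrives, and `mustCall`
// pins the handler to exactly one invocation for the whole connection.
//
// Fix: the expected call count `1` previously sat as a second argument to
// `http.createServer`, where it is ignored; it belongs to `mustCall` (whose
// default is already one call, so observable behaviour is unchanged).

const server = http.createServer(common.mustCall((request, response) => {
  assert.notStrictEqual(request.url, '/admin');
  response.end('hello world');
}, 1));

server.listen(0, common.mustCall(start));

// Open a raw TCP connection so the malformed bytes go on the wire verbatim;
// http.request would never produce this framing.
function start() {
  const client = net.connect(server.address().port);

  const rawRequest = [
    'GET / HTTP/1.1\r\n',
    'Host: localhost:8080\r\n',
    'Transfer-Encoding: chunked\r\n',
    '\r\n',
    '2;\n', // chunk-size line with an extension ended by LF only: invalid
    'xx\r\n',
    '4c\r\n',
    '0\r\n',
    '\r\n',
    'GET /admin HTTP/1.1\r\n', // must never surface as a second request
    'Host: localhost:8080\r\n',
    'Transfer-Encoding: chunked\r\n',
    '\r\n',
    '0\r\n',
    '\r\n',
  ].join('');
  client.write(rawRequest);

  // Drain whatever the server sends back; once the server closes the
  // connection the test is complete.
  client.resume();
  client.on('end', common.mustCall(() => {
    server.close();
  }));
}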