http-party/node-http-proxy

Add blacklist headers to protect against DoS attack

bytehope opened this issue · 1 comment

Hello, I have tried everything to contact the maintainers; nobody answers me, so this is my last try.

  1. Headers are populated into the outgoing request from the incoming one:
    https://github.com/http-party/node-http-proxy/blob/master/lib/http-proxy/common.js#L43

  2. If you then add a Trailer header with any value to the incoming request, that header will be handled by the internal Node.js http lib. For a GET request, processing that header will trigger an unhandled ERR_HTTP_TRAILER_INVALID error. https://github.com/nodejs/node/blob/38cc53845307fdb81dd50cfb7bcfc8c7b83b947c/lib/_http_outgoing.js#L538

  3. An unhandled error will cause Node.js to shut down.

If any other project uses the node-http-proxy package and just proxies any "user" request, all of them are vulnerable to a DoS attack.

I think the right thing to do would be to report the vulnerability to Snyk (link), which will assign it a CVE.