http: disallow sending obviously invalid status codes

[mscdex]

Checklist

• tests and code linting passes
• a test and/or benchmark is included
• the commit message follows commit guidelines

Affected core subsystem(s)

• http

Description of change

Disallows sending of invalid status codes.

[mscdex]

/cc @nodejs/http

CI: https://ci.nodejs.org/job/node-test-pull-request/2333/

[jasnell]

This should likely also catch anything less than 100 and greater than 599

[mscdex]

@jasnell True, but I was aiming to be as backwards compatible as possible with this. Who knows if anyone out there is using custom/unofficial status codes.

[mscdex]

Tagging this for possible backporting to v4.x, feel free to remove if you think it shouldn't be. I see this as a bug fix though.

[jasnell]

Anyone using anything less than 100 likely has other problems to deal with
as there are parsers that will die completely if there aren't three digits.
It's conceivable that someone is using numbers higher than 599. Perhaps
catch anything that's not 3-digits? 100 <= n <= 999?
On Apr 19, 2016 6:02 PM, "Brian White" notifications@github.com wrote:

@jasnell https://github.com/jasnell True, but I was aiming to be as
backwards compatible as possible with this. Who knows if anyone out there
is using custom/unofficial status codes.

—
You are receiving this because you were mentioned.
Reply to this email directly or view it on GitHub
#6291 (comment)

[mscdex]

If we're going to validate the numerical value, I would lean more towards a 3-digit check.

What do other @nodejs/collaborators think?

[indutny]

What's the reason for introduction of this patch at this point? Is there any open issue about it?

[mscdex]

@indutny https://twitter.com/bengl/status/722571972790476800

[indutny]

Alright, thank you!

[thefourtheye]

Why not Number.isInteger?

[mscdex]

Number.isInteger() would return false for strings of valid numbers.

[mscdex]

Ok, I've modified it to check the number of digits now.

CI: https://ci.nodejs.org/job/node-test-pull-request/2335/
New CI: https://ci.nodejs.org/job/node-test-pull-request/2336/

[jasnell]

LGTM if CI is green

[thefourtheye]

I am okay with this. LGTM. semver major?

[mscdex]

@thefourtheye Possibly, but it is a bug fix shrug.

[thefourtheye]

Nit: I am not sure if this really matters but the expected port range is just 100-599 http://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml

[mscdex]

Yes, @jasnell mentioned this already. However I think it might be better to be a bit more lenient in case of custom/unofficial/whatever status codes out in the wild.

[thefourtheye]

Oh, sorry. I didn't read the comments completely.

[jasnell]

I think if we keep it at any three digit code we can easily justify landing
it as a patch.
On Apr 19, 2016 7:47 PM, "Brian White" notifications@github.com wrote:

@thefourtheye https://github.com/thefourtheye Probably, but it is a
bug fix shrug.

—
You are receiving this because you were mentioned.
Reply to this email directly or view it on GitHub
#6291 (comment)

[ChALkeR]

LGTM

[bengl]

Perhaps also have a case for a non-numeric string?

[jasnell]

+1 ... null, 'this is not invalid, [], true, etc could all be included in the tests here, just to be overly careful ;-)

[mscdex]

Suggested tests added.

[indutny]

LGTM

[benjamingr]

LGTM, I like this change.

[cjihrig]

Should this be a RangeError?

[mscdex]

Changed.

[ChALkeR]

Should passing 'NotAStatusCode' cause a RangeError?

[mscdex]

@ChALkeR It's debatable, but since statusCode is ultimately coerced to an integer value (e.g. 0 for non-numeric values) I thought maybe RangeError would fit better since 0 < 100. shrug

[ChALkeR]

Ok, that works for me =).

[cjihrig]

LGTM with a comment.

[jasnell]

Just one additional minor comment on the tests. Otherwise still LGTM

[MylesBorins]

I'm adding this to v4.x-staging and to the v4.4.5 release candidate.

if anyone objects or if we see any weird regressions I will back it out

[rmg]

Code that would previously run and happily dish out invalid status codes will now die from unhandled exceptions. Isn't that sort of the definition of a breaking change? Upgrading from v4.4.4 to v4.4.5 shouldn't require people to modify their code.

[rmg]

It's too late now, and that I have the advantage of hindsight...

If this PR was 2 commits, with the first one adding the (semver-patch) statusCode |= 0 line and the second adding the (semver-major) strict range check, then we could have pulled in only part of the change for LTS.

[Fishrock123]

I was also quite surprised to see this backported.

[nfriedly]

The closing parenthesis for common.mustCall() is misplaced here and on the other lines. It should read:

}), /invalid status code/i);

With the current code, the RegExp is passed to mustCall as the expected paramater, and then silently replaced with 1 because it's non-numeric. Then the assert.throws call doesn't validate the error message and passes the test as long as any error is thrown.

I'll fix this along with my patch for #9027 unless you'd prefer to see it in a separate PR.

[aivus]

Thank you, guys, we got broken app after patch-upgrade👏

FYI, http://semver.org/

PATCH version when you make backwards-compatible bug fixes.