Description
Issue transferred over from HackerOne.
According to RFC7230 section 3:

> A recipient that receives whitespace between the
> start-line and the first header field MUST either reject the message
> as invalid or consume each whitespace-preceded line without further
> processing of it (i.e., ignore the entire line, along with any
> subsequent lines preceded by whitespace, until a properly formed
> header field is received or the header section is terminated).

However, the parser does not adhere to this and accepts a first header with a leading whitespace.

```
GET / HTTP/1.1
 Host: foo
```

Server code used for testing:

```javascript
const http = require('http');

// Echo server: reports the URL, headers and body exactly as the parser delivered them.
http.createServer((request, response) => {
  let body = [];
  request.on('error', (err) => {
    response.end("error while reading body: " + err);
  }).on('data', (chunk) => {
    body.push(chunk);
  }).on('end', () => {
    body = Buffer.concat(body).toString();
    response.on('error', (err) => {
      response.end("error while sending response: " + err);
    });
    // The header names in this JSON show how the parser interpreted the request.
    response.end(JSON.stringify({
      "URL": request.url,
      "Headers": request.headers,
      "Length": body.length,
      "Body": body,
    }) + "\n");
  });
}).listen(80);
```

Request:

```
GET / HTTP/1.1
 Host: foo
```

Expected result: As per the RFC, either return a 400 Bad Request or ignore the header entirely.
Actual result: The header is processed as host (with a leading whitespace).

```
HTTP/1.1 200 OK
Date: Mon, 28 Mar 2022 17:34:47 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Content-Length: 59

{"URL":"/","Headers":{" host":"foo"},"Length":0,"Body":""}
```

References:
- See a similar issue in Go's HTTP parser that has been fixed.
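
The two outcomes the quoted RFC 7230 text permits (reject the message, or ignore whitespace-preceded lines until a properly formed header field), sketched as a pre-parse check. This is an added example, not code from the report or from the parser; `checkRequestHead`, `parseFields` and the sample requests are constructed for illustration.

```javascript
// Added example: function names and sample requests are constructed for
// illustration; this is not the parser's own code.

// field-name is a token (RFC 7230 section 3.2.6), so it never starts with SP/HTAB.
const FIELD = /^([!#$%&'*+\-.^_`|~0-9A-Za-z]+):[ \t]*(.*?)[ \t]*$/;
const startsWithWs = (line) => line[0] === ' ' || line[0] === '\t';

// Parse well-formed header lines; returns null on any malformed line
// (including later obs-fold continuation lines, which this sketch also refuses).
function parseFields(lines) {
  const headers = {};
  for (const line of lines) {
    const m = FIELD.exec(line);
    if (!m) return null;
    headers[m[1].toLowerCase()] = m[2];
  }
  return headers;
}

// mode 'reject': whitespace between start-line and first header => 400.
// mode 'ignore': drop each whitespace-preceded line until a properly
// formed header field or the end of the header section.
function checkRequestHead(raw, mode = 'reject') {
  const end = raw.indexOf('\r\n\r\n');
  const head = end === -1 ? raw : raw.slice(0, end);
  const [startLine, ...lines] = head.split('\r\n');
  let first = 0;
  while (first < lines.length && startsWithWs(lines[first])) first++;
  if (first > 0 && mode === 'reject') return { status: 400 };
  const headers = parseFields(lines.slice(first));
  return headers === null ? { status: 400 } : { status: 200, startLine, headers };
}

// Constructed sample inputs.
const leadingWs = 'GET / HTTP/1.1\r\n Host: foo\r\n\r\n';
const wsThenValid = 'GET / HTTP/1.1\r\n X-Skip: 1\r\n\tmore\r\nHost: foo\r\n\r\n';
const clean = 'GET / HTTP/1.1\r\nHost: foo\r\n\r\n';

console.log(checkRequestHead(leadingWs, 'reject'));
console.log(checkRequestHead(leadingWs, 'ignore'));
console.log(checkRequestHead(wsThenValid, 'ignore'));
console.log(checkRequestHead(clean));
```

In neither mode does the whitespace-prefixed line surface as a header named `" host"`, which is the behaviour reported above.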